[ { "id": "cf95261d-750a-4672-b42e-74825f0d421d", "name": "9altitudes - Vulnerability Disclosure Program", "company_handle": "ninealtitudes", "handle": "VDP", "url": "https://www.intigriti.com/programs/ninealtitudes/VDP/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Old 9altitudes related domains", "description": "*.admiraldynamics.be*.admiraldynamics.eu*.bpos-live.com*.Bredanademo.dk*.Bredanasolutions.com*.Bredanasolutions.dk*.Bredana-solutions.dk*.bro-consulting.be*.cayentis.com*.cayentisxrm.nl*.cayentis.nl*.crm4utilities.com*.crmhugger.nl*.crm-trainingen.com*.crm-trainingen.nl*.crmvoorenergie.com*.crmvoorenergie.nl*.dynamicsconnector.net*.dynamicsconnector.nl*.Econocap.dk*.exarte.be*.gv-s.be*.marktanalyseonline.nl*.marktpotentieanalyse.nl*.neufaltitudes.com*.neufaltitudes.fr*.neufaltitudes.nl*.ninealtitude.com*.ninealtitudes.com*.ninealtitudes.dk*.ninealtitudes.se*.optigrator.com*.optigrator.dk*.optimate.dk*.optimateas.com*.optimatecrm.dk*.optimatetest.dk*.Pdmlink.dk*.pylades.com*.thewitnetwork.be*.Thingworx.dk*.uwmarktonline.nl*.Windchill.dk*.xrmpartner.com*.hillstarsrv.nl*.hillstar.nl", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.9altitudes.*", "description": "All data related to the main 9altitudes domains (.com, .nl, .dk, .fr, .si, and other top-level domains).", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.adultimagroup.*", "description": "All data related to the main adultimagroup domains (.com, .nl, .dk, .fr, .si, and other top-level domains).", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.birds.bi", "description": "All data related to the main birds.bi domain.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.birds.com", "description": "All data related to the main birds.com domain.", "impact": "Out of scope" }, 
{ "type": "other", "endpoint": "*.dynamics.com", "description": "All Microsoft Dynamics portals related to 9altitudes.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.jobmanager.dk", "description": "All data related to the main jobmanager.dk domain.", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "44cacd66-4ad6-4b5f-901e-d257ee0ae989", "name": "Ada Health", "company_handle": "adahealth", "handle": "adahealth", "url": "https://www.intigriti.com/programs/adahealth/adahealth/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 10000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1099986434", "description": "IOS Mobile Applicaton of Ada Health", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.ada.app", "description": "Android Mobile Application of Ada Health", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://api.mobile.ada.com", "description": "Backend for frontend API endpoint for mobile application activities. This endpoint is protected by a Web Application Firewall.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://id.ada.com", "description": "Ada-ID is an identity management service for end user that interacts with Ada's applications. It provides authentication and authorization. Ada-ID serves as web application and API services. Frontend is valid for password reset and account verification process. 
This endpoint is protected by a Web Application Firewall.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ada.health", "description": "All subdomains (one or multilevel) of ada.health, except the ones interacting directly in Tier 1 & 2 assets, are considered as Tier 3.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.adahealth.ca", "description": "All subdomains (one or multilevel) of adahealth.ca, except the ones interacting directly in Tier 1 & 2 assets, are considered as Tier 3.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://care-navigation-admin-bff.eu.enterprise.ada.com", "description": "Backend for frontend (bff) service for Care Navigation Admin interface. BFF is a variant of the API Gateway pattern which provides an additional layer between microservices.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://care-navigation-admin-fe.eu.enterprise.ada.com", "description": "Care Navigation Admin Frontend is a visual tool for managing Connect data including:Test credentials will not be provided. Try to find broken access controls on this endpoint.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://care-navigation-bff.eu.enterprise.ada.com", "description": "Backend for frontend (bff) service for Care Navigation Frontend service. BFF is a variant of the API Gateway pattern which provides an additional layer between microservices.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://care-navigation-fe.eu.enterprise.ada.com", "description": "Care Navigation Frontend service represents Ada Partner care navigation option list available after assessment test is accomplished. Service includes:", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://demo-prod-assessment-bff.ada-prod-eu.prod.gcp.ada.com", "description": "Backend for frontend (bff) service for demo assessment web interface. BFF is a variant of the API Gateway pattern which provides an additional layer between microservices. 
Please see all the endpoints in the OpenAPI documentation file (demo_assessment_bff_openapi.json)", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://demo-prod-hcp-report-bff.ada-prod-eu.prod.gcp.ada.com", "description": "Handover is a solution for sharing (handing over) the results of the health assessment with the user’s health care provider (HCP) or a health professional. This service has the responsibility to process the data from the hcp-report-backend for the use of handover frontend.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://demo.enterprise.ada.com", "description": "Our web application helps millions to manage their health. This is the frontend assessment application demo domain which represents the general flow we provide with our enterprise partners. This medical AI symptom checker is trained by real doctors. This endpoint provides both guest and authenticated flows, which can be combined with our SSO service. This UI calls the BFF domain, which is also in scope.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://demo.handover.enterprise.ada.com", "description": "Handover is a solution for sharing (handing over) the results of the health assessment with the user’s health care provider (HCP) or a health professional. This service has the responsibility to render the HCP report data received from the HCP report bff.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://demo.sso.enterprise.ada.com", "description": "Smart-auth is Ada’s identification management and Single Sign On (SSO). This service is based on SMART on FHIR implementation and provides a standard way to integrate with other EHR (Electronic Health Record) servers. 
It is an optional module meaning that not all flows are authentication required.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ada.com", "description": "All subdomains (one or multilevel) of ada.com, except the ones interacting directly in Tier 1 & 2 are considered as Tier 3.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.httpproxy.data.ada.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "monitoring.*.enterprise.ada.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "monitoring.*.enterprise.adahahealth.ca", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "monitoring.*.gcp.ada.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "monitoring.*.gcp.adahealth.ca", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "664b7290-6bb3-42cf-b677-a9b3724c5485", "name": "Aleacsys Online BV", "company_handle": "wimigames", "handle": "wimigames", "url": "https://www.intigriti.com/programs/wimigames/wimigames/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 10000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://api.the-strip.eu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://cdn.the-strip.eu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://en-gb.napoleoncasino.be/wimi/game/play/slug/napoleon-spinner", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://en-gb.napoleoncasino.be/wimi/game/play/slug/napoleon-spinner-deluxe", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://en-gb.napoleoncasino.be/wimi/game/play/slug/napoleon-spinner-max", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": 
"https://en-gb.napoleondice.be/wimi/game/play/slug/dice-spinner", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://en-gb.napoleondice.be/wimi/game/play/slug/multi-jackpot-cards", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://en-gb.napoleondice.be/wimi/game/play/slug/pick-a-tiki", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "wss://socketcluster.the-strip.eu", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "30f445f7-ca4c-4130-9434-49add5c6ac74", "name": "Algemeen Dagblad", "company_handle": "dpgm", "handle": "algemeendagblad", "url": "https://www.intigriti.com/programs/dpgm/algemeendagblad/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.ad.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.ad.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.ad.nl", "description": "excluding", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.ad.nl/abonnementen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ad.nl", "description": "excluding abonnement.ad.nl", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "badcb3b0-34be-4bd1-9186-7678aa5b5d17", "name": "Allegro", "company_handle": "allegro", "handle": "allegrobugbounty", "url": "https://www.intigriti.com/programs/allegro/allegrobugbounty/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 200, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.allegro.cz.allegrosandbox.pl", "description": "This is the sandbox version that replicates the Czech version of Allegro. 
The main difference between .cz and .pl is the possibility to buy products using guest account.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.allegro.pl.allegrosandbox.pl", "description": "This is our sandbox environment that replicates production. For more information please visit developer website.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.allegro.cz", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.allegro.pl", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.allegrogroup.com", "description": "", "impact": "Out of scope" }, { "type": "other", "endpoint": "Any production website owned by Allegro not listed in Domains", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "933f224e-fbd3-4f08-a4fb-5038c2fa1a6e", "name": "Axel Springer National Media & Tech", "company_handle": "axelspringerse", "handle": "nmt", "url": "https://www.intigriti.com/programs/axelspringerse/nmt/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 15, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "hey.bild.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://meinkonto.bild.de/", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://secure.mypass.de/", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://vip-club.computerbild.de/", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "sportbild.bild.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "Tier 1 subdomains", "description": "See attached document NMT-DomainScopeBugBounty.xlsx in \"In scope\" section", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.bild.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.bild.tv", 
"description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.computerbild.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.welt.de", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.springtools.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "play.bild.de", "description": "See attached document NMT-DomainScopeBugBounty.xlsx in \"In scope\" section", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.autobild.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.bz-berlin.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "Tier 3 subdomains", "description": "See attached document NMT-DomainScopeBugBounty.xlsx in \"In scope\" section", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.ein-herz-fuer-kinder.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.fitbook.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.myhomebook.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.petbook.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.stylebook.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.techbook.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.travelbook.de", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.wissen-sie-mehr.de", "description": "", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "21d92048-d4d8-4781-8f37-3209a1b60fe1", "name": "Azena", "company_handle": "azena", "handle": "azenaresponsibledisclosure", "url": "https://www.intigriti.com/programs/azena/azenaresponsibledisclosure/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", 
"endpoint": "*.azena.com", "description": "All assets including azena.com and subdomains.Note that connect.azena.com and any subdomain of connect.azena.com is a remote connection service to devices owned and controlled by third parties. Therefore, these targets are out of scope and not covered by this program.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "baca9d50-2fd8-427f-bd56-e67f7f058573", "name": "BMC", "company_handle": "randstad", "handle": "bmc", "url": "https://www.intigriti.com/programs/randstad/bmc/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.bmc.nl", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "61e0e37c-19cc-4abe-af51-108a78bee995", "name": "BMW Group", "company_handle": "bmw", "handle": "bmwgroup", "url": "https://www.intigriti.com/programs/bmw/bmwgroup/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 150, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.bmw-motorrad.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.bmw.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.mini.de", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "configure.bmw.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "configure.mini.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "konfigurator.bmw-motorrad.de", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Other BMW Domains", "description": "Please select this asset to report vulnerabilities affecting BMW assets but not matching any of the assets stated above.Important: Note our policy regarding \"No Bounty Domains\" and a 
potentially deviating application of the safe harbor clause.We may award a small bonus for these assets, but only valid high, critical and exceptional severity findings - this is however, at the discretion of the BMW Group team.", "impact": "No bounty" }, { "type": "other", "endpoint": "Automotive Security", "description": "Please submit valid findings regarding Automotive assets in our public BMW Group - Automotive program.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Domains from independent BMW Dealers, Resellers or Fanclubs", "description": "These domains belong to legally independent entities. We can only inform these entities. However, we have no influence on the mitigation process of the vulnerabilities in these assets.", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "7ecdd3d1-a794-4ceb-9518-f9a016dc26a6", "name": "BMW Group Automotive", "company_handle": "bmw", "handle": "bmwgroup-automotive", "url": "https://www.intigriti.com/programs/bmw/bmwgroup-automotive/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 15000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "device", "endpoint": "Functions dealing with vehicle access and immobilizer", "description": "", "impact": "Tier 1" }, { "type": "ios", "endpoint": "1519034860", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "de.bmw.connected.mobile20.row", "description": "", "impact": "Tier 2" }, { "type": "device", "endpoint": "Remaining functions", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "5f29e1eb-85e8-4d99-9b52-b809f06de633", "name": "Bpost", "company_handle": "bpost", "handle": "dummy", "url": "https://www.intigriti.com/programs/bpost/dummy/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 1500, "currency": "EUR" }, "targets": { 
"in_scope": [ { "type": "url", "endpoint": "imove.bpost.cloud", "description": "Coorporate application :Make your reservation to save a spot at the office", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.acbpost.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.bpost.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.bpost.cloud", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.landmarkglobal-group.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.stbpost.be", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": "be.bpost.mobilecard", "description": "With Mobile Postcard you can send real personalized postcards based on photos and videos on your smartphone or tablet. We print them for you and ship them anywhere in the world.", "impact": "No bounty" }, { "type": "android", "endpoint": "be.bpost.mybpost", "description": "Track, receive, send. 
With the My bpost app you can arrange all your parcels in 1 app.", "impact": "No bounty" }, { "type": "device", "endpoint": "bpost Parcel Lockers", "description": "More info about these lockers on https://www.bpost.be/en/parcel-locker We have parcel lockers with a screen and screenless ones. You need the mybpost app to open a screenless locker.", "impact": "No bounty" }, { "type": "url", "endpoint": "career.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "dmm.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "eshop.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "maxiresponse.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "my.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "procuration.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "quickstamp-gb.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "register.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "validationlist.bpost.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "www.bpost.be", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "4afd6f0f-40a3-4f6d-a332-56b5970d12a0", "name": "Bühler Group VDP", "company_handle": "buhlergroup", "handle": "buhlergroupvdp", "url": "https://www.intigriti.com/programs/buhlergroup/buhlergroupvdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.buhler-datascience.ch", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.buhlercloud.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.ai", "description": 
"", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.cn", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.io", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.buhlertest.ch", "description": "", "impact": "No bounty" }, { "type": "ip range", "endpoint": " -", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.info.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.learnhub.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.virtualworld-portal.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.virtualworld.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.webinars.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "bestbuy.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "channel.buhlergroup.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "imap.buhlergroup.cn", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "pop.buhlergroup.cn", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "smtp.buhlergroup.cn", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "efd8bd86-a986-4b4a-9eda-c9a6a1a6b540", "name": "CM.com", "company_handle": "cmcom", "handle": "cmcom", "url": "https://www.intigriti.com/programs/cmcom/cmcom/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": 
"login.cm.com", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ticketing.cm.com", "description": "Login to your account and go to https://www.cm.com/en-gb/app/ticketing/From here you can create tickets and much more!Make sure to take a look at the user-side ticket store as well (https://store.ticketing.cm.com/..)", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.cm.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.cmtelecom.com", "description": "Some of the applications that are in our scope use our old api.If you find a bug on this api and it is from a product that is in scope, it is valid.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "cm.com/[locale]/app/*", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "cm.com/[locale]/register", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "cm.com/app/messagingtrial/", "description": "An application that makes it possible for developers to do a limited test of sending messages using the CM.COM business messaging API.What we would like to know is:", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.cm.com", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.appmiral.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.cm.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.cmtelecom.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "appmiral.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "cmcom.atlassian.net", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "demo.globalticket.com/*", "description": "GlobalTicket is one of our integrations.Be sure to check out /cms to try and work your way into it.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "0083a5bf-e54f-4f79-a972-12a795272c8b", "name": 
"Canada Post + Purolator - Responsible Disclosure Program", "company_handle": "innovapost", "handle": "innovapost", "url": "https://www.intigriti.com/programs/innovapost/innovapost/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.canadapost-postescanada.ca", "description": "Any subdomain of canadapost-postescanada.ca (eg. www.canadapost-postescanada.ca, sso-osu.canadapost-postescanada.ca and store.canadapost-postescanada.ca)", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.postescanada-canadapost.ca", "description": "Any subdomain of postescanada-canadapost.ca (eg. www.postescanada-canadapost.ca)", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.purolator.com", "description": "Any subdomain of purolator.com (eg. www.purolator.com, eshiponline.purolator.com and billingcentre.purolator.com)", "impact": "No bounty" }, { "type": "ios", "endpoint": "394391577", "description": "Canada Post's mobile application for iOS", "impact": "No bounty" }, { "type": "ios", "endpoint": "438701193", "description": "Purolator's mobile application for iOS", "impact": "No bounty" }, { "type": "android", "endpoint": "com.canadapost.android", "description": "Canada Post's mobile application for Android", "impact": "No bounty" }, { "type": "android", "endpoint": "com.purolator.mobileapp", "description": "Purolator's mobile application for Android", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*/scripts/cgiip.exe/*", "description": "XSS in any parameter on the endpoint /scripts/cgiip.exe/ (any in scope domain)", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "04aab402-3eb7-41b8-b146-b9344efc89ce", "name": "Capture Our Flag", "company_handle": "intigriti", "handle": "captureourflag", "url": "https://www.intigriti.com/programs/intigriti/captureourflag/detail", 
"status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 51337, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "app-pwn.intigriti.rocks", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "96d3f49a-4c5f-4bc8-835a-77f734eefe4e", "name": "Citymesh Responsible Vulnerability Disclosure Program", "company_handle": "citymesh", "handle": "responsiblevulnerabilitydisclosureprogram", "url": "https://www.intigriti.com/programs/citymesh/responsiblevulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.citymeshinternet.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.cwave.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.hetbestenetwerk.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.lemeilleurreseau.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.luzidia.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.luzidia.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.rigmesh.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.thebestnetwork.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.thenewnetwork.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.tymnet.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.zapfi.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.recruitee.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": 
"*.digi-mobile.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.insky.be", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "daac218b-19c1-44ab-9d72-f49cdec5fb44", "name": "Crisp", "company_handle": "crisp", "handle": "crisp", "url": "https://www.intigriti.com/programs/crisp/crisp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 3000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1416625210", "description": "React-Native built iOS app", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.freshfoodventures.crisp", "description": "React-Native built Android app", "impact": "Tier 2" }, { "type": "url", "endpoint": "crisp.ninja", "description": "Code review tool behind IP-filter", "impact": "Tier 2" }, { "type": "url", "endpoint": "for-hackers.crisp.kitchen", "description": "Back-office management login page.(for-hackers.crisp.kitchen is a CNAME to crisp.kitchen; it allows us to classify traffic)", "impact": "Tier 2" }, { "type": "url", "endpoint": "for-hackers.crisp.nl", "description": "Main frontpage & landing 
pages.(for-hackers.crisp.nl is a CNAME to crisp.nl; it allows us to classify traffic)", "impact": "Tier 2" }, { "type": "url", "endpoint": "for-hackers.crispapp.nl", "description": "Backend host to which apps connect.(for-hackers.crispapp.nl is a CNAME to crispapp.nl; it allows us to classify traffic)", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://for-hackers.crispapp.nl/web-rn/", "description": "Hidden web build of the app. Client-side issues that do not exist in the native apps are capped to low severity.", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "4981522f-5675-4f46-b7b7-e065d30c8d79", "name": "Cross Border Fines", "company_handle": "bpost", "handle": "crossborderfines", "url": "https://www.intigriti.com/programs/bpost/crossborderfines/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 3000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://justonweb.be/fines/", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "13cfc6fe-92b2-4a56-8577-855ff0bc2f1c", "name": "Cyber Security Coalition", "company_handle": "cybersecuritycoalition", "handle": "cybersecuritycoalition", "url": "https://www.intigriti.com/programs/cybersecuritycoalition/cybersecuritycoalition/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "annualreport.cybersecuritycoalition.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "award.cybersecuritycoalition.be", "description": "Awards website", "impact": "No bounty" }, { "type": "url", "endpoint": "blog.cybersecuritycoalition.be", "description": "Blog site", "impact": "No bounty" }, { "type": "url", "endpoint": "www.cybersecuritycoalition.be", "description": "Public website", "impact": 
"No bounty" } ], "out_of_scope": [ ] } }, { "id": "1cf88d51-7927-4747-af33-204f6f1c161f", "name": "DHL Group Vulnerability Disclosure Program", "company_handle": "dhlgroup", "handle": "dhlvdp", "url": "https://www.intigriti.com/programs/dhlgroup/dhlvdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.deutschepost.de", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dhl", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dhl.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dhl.de", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dpdhl.com", "description": "", "impact": "No bounty" }, { "type": "other", "endpoint": "Any other domain from DHL Group companies", "description": "", "impact": "No bounty" }, { "type": "other", "endpoint": "Mobile apps owned by DHL Group companies", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "806f54d7-a85d-40bd-82cc-f09c1a500f28", "name": "DPG Media", "company_handle": "dpgm", "handle": "dpgmedia", "url": "https://www.intigriti.com/programs/dpgm/dpgmedia/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 300, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.dpgmedia.be", "description": "excluding", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.dpgmedia.nl", "description": "excluding", "impact": "Tier 2" }, { "type": "other", "endpoint": "Any related DPG media domain", "description": "Only applicable to domains that are 100% owned by DPG.For example, projects that are partly owned by DPG and partly owned by RTL (because of a joint venture between the two) are not in 
scope.Whois: De Persgroep Publishing nvBrusselstesteenweg 3471730 AsseBelgiëDPG Media Services NVMediaplein 12018 AntwerpenBelgium", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "bd22f48d-633e-4b26-bf71-e4778d41b247", "name": "DataCamp", "company_handle": "datacamp", "handle": "datacamp", "url": "https://www.intigriti.com/programs/datacamp/datacamp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 1500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "app.datacamp.com/certification", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.datacamp.com/groups", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.datacamp.com/learn", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "assessment-v2.datacamp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "assessment.datacamp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "campus.datacamp.com", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.datacamp", "description": "", "impact": "Tier 2" }, { "type": "ios", "endpoint": "https://apps.apple.com/au/app/datacamp-learn-data-science/id1263413087", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "practice.datacamp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "projects.datacamp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.datacamp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.datacamp.com/datalab", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.datacamp.com", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.it.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": 
"app.datacamp.com/recruit", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "ast-viewer.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "confluence.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "intranet.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "jira.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "links.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "rdocumentation.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "signature.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "status.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "support.datacamp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "talent-jobs-api.datacamp.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "618bdc2f-9207-47cc-8c5c-71b734900359", "name": "De Lijn", "company_handle": "delijn", "handle": "delijn", "url": "https://www.intigriti.com/programs/delijn/delijn/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "456910787", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "accept.delijn.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "api-a.delijn.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "api.delijn.be", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": "com.themobilecompany.delijn", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "www.delijn.be", 
"description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "8bf1f259-cac9-4114-9b84-3b950897b1ec", "name": "De Morgen", "company_handle": "dpgm", "handle": "demorgen", "url": "https://www.intigriti.com/programs/dpgm/demorgen/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.demorgen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.demorgen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.demorgen.be", "description": "excluding", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.demorgen.be/abonnementen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.demorgen.be", "description": "excluding abonnement.demorgen.be", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* demorgen.be/inloggen", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* demorgen.be/login", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* demorgen.be/registreren", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* demorgen.be/service", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.demorgen.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "0d6d1230-beb5-489c-b306-cf9c2e06730f", "name": "De Volkskrant", "company_handle": "dpgm", "handle": "devolkskrant", "url": "https://www.intigriti.com/programs/dpgm/devolkskrant/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.volkskrant.nl", "description": "", "impact": "Tier 2" }, { "type": "url", 
"endpoint": "shop.volkskrant.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.volkskrant.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.volkskrant.nl", "description": "excluding", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.volkskrant.nl/abonnementen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.volkskrant.nl", "description": "excluding abonnement.volkskrant.nl", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "d14eedce-607d-4233-995d-30dbc7de8f23", "name": "Delen Private Bank", "company_handle": "delenprivatebank", "handle": "privatebankdelen", "url": "https://www.intigriti.com/programs/delenprivatebank/privatebankdelen/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 15000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api.digital.delen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.digital.delen.lu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.delen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.delen.ch", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.delen.lu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "auth.digital.delen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "auth.digital.delen.lu", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.delen.digital", "description": "", "impact": "Tier 2" }, { "type": "ios", "endpoint": "delen/id1064839588", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.delen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.delen.ch", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.delen.lu", 
"description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.oyens.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "status.delen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "sts.delen.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.cadelam.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.cadelux.lu/en", "description": "🇬🇧🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.delen.bank", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.delen.be/en", "description": "🇬🇧🇫🇷🇳🇱", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "43e4eb4b-f2c8-4307-80a6-7ce739469867", "name": "Digitaal Vlaanderen", "company_handle": "vod", "handle": "digitaalvlaanderen", "url": "https://www.intigriti.com/programs/vod/digitaalvlaanderen/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.vlaanderen.be", "description": "All and any subsites of https://www.vlaanderen.be,-for which authentication is not needed-for which creation of account(s) is not neededFor some subsites, a government entity other than Digitaal Vlaanderen may be responsible. We can accept the disclosed vulnerability and relay the issue to the concerned entity, yet we then cannot guarantee they will (be able to) fix it.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://beta.gastwebsite-acm.burgerprofiel.ext-vlaanderen.be", "description": "Authenticated demo environment for the widget platform. The website itself is just an illustrative example and should not be tested.", "impact": "No bounty" }, { "type": "url", "endpoint": "https://beta.gastwebsite.burgerprofiel.ext-vlaanderen.be", "description": "Unauthenticated demo environment for the widget platform. 
The website itself is just an illustrative example and should not be tested.", "impact": "No bounty" }, { "type": "url", "endpoint": "https://beta.widgets.burgerprofiel.dev-vlaanderen.be/", "description": "Embeddable portion of My Citizen Profile", "impact": "No bounty" }, { "type": "url", "endpoint": "https://burgerprofiel.beta-vlaanderen.be", "description": "My Citizen Profile (Mijn Burgerprofiel in Dutch) is the go-to spot for citizens to manage their affairs digitally with the government. Citizens can access their personal data, consult status reports, download certificates, and request new government services such as a permit or subsidy. My Citizen Profile is a plug-in that can be integrated into different official government websites, be it on a Flemish or local level. Available in Dutch - More information can also be found on https://www.vlaanderen.be/uw-overheid/mijn-burgerprofiel (only in Dutch). This beta environment is equipped with a mock authentication (OpenID) service, which can generate tokens for different kinds of accounts. As such, the authentication flow of this mocked service is not in scope.", "impact": "No bounty" }, { "type": "url", "endpoint": "https://vo-gebruikersbeheer.vlaanderen.be/", "description": "User Management (IDM) is a platform with which you can manage the inflow and outflow of people and their rights to applications. It is a central rights management for different applications within the entire Flemish administration. It controls the inflow and outflow of employees and their rights and is editable to be tailored to the tasks of each employee. More information is available on www.vlaanderen.be/gebruikersbeheer. There is detailed product and technical information available for download (in Dutch only). To be able to test the platform, you will need to create a (dummy) account in our test environment.
You can only do this with your intigriti.me e-mail account via a self-registering system available at https://zelfregistratie-gebruikersbeheer-ti.vlaanderen.be/user/aanvraag_werkrelatie?dg=EA&oc=0415928179. You can register with “Kinepolis Group” as a \"Hoofd Lokale Beheerder\". When you do so, please send an e-mail to webidm@hbplus.be with in the subject line \"Project Intigriti\". We will inform you when the right has been given.The application is also available in English via this link: https://gebruikersbeheer-ti.vlaanderen.be/webidm/?lang=en.", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "_* _ .naric . *.onderwijs*.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* naric*.onderwijs*.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "apigee.naric.onderwijs*.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "archiefoverdracht*.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "bibis*.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "cdn.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "codex.opendata.api.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "data-onderwijs.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "ets*.omgeving.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "natura2000.vlaanderen.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "opibus*.onderwijs*.vlaanderen.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "dd9dba85-e047-42f3-b59e-9328c7d49672", "name": "DigitalOcean", "company_handle": "digitalocean", "handle": "digitalocean", "url": 
"https://www.intigriti.com/programs/digitalocean/digitalocean/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 10000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.digitalocean.com", "description": "Public IPs belonging to AS14061(DigitalOcean, LLC) are assigned to DigitalOcean customers and should be considered out of scope.The following subdomains are out of scope:", "impact": "Tier 2" }, { "type": "ip range", "endpoint": "", "description": "Metadata service available at from Droplets", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.digitalocean.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "cloud.digitalocean.com", "description": "Findings against resources owned by your account should be filed underneath this asset.", "impact": "Tier 2" }, { "type": "url", "endpoint": "css-tricks.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "digitaloceanmirrors.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "digitaloceanpartners.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "digitaloceanstatus.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "digitaloceantest.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "do.co", "description": "Company shortlink service", "impact": "Tier 2" }, { "type": "url", "endpoint": "dointernal.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "hackathon-tracker.digitalocean.com", "description": "API for hacktoberfest.com", "impact": "Tier 2" }, { "type": "url", "endpoint": "hacktoberfest.com", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/digitalocean/do-agent", "description": "A daemon that helps collect system metrics from droplets.", "impact": "Tier 2" }, { "type": 
"other", "endpoint": "https://github.com/digitalocean/do-markdownit", "description": "Markdown plugin run against all user-submitted content on https://digitalocean.com/community.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/digitalocean/doctl", "description": "The official command line interface for the DigitalOcean API.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/digitalocean/droplet-agent", "description": "A daemon that enables web console access on droplets", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/digitalocean/terraform-provider-digitalocean", "description": "DigitalOcean's official Terraform provider.", "impact": "Tier 2" }, { "type": "url", "endpoint": "marketplace.digitalocean.com", "description": "Note that marketplace 1-click apps and add-ons are maintained by our partnered vendors and are out of scope. Security issues against these components of the marketplace are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.Please reach out to us at security@digitalocean.com for facilitation.", "impact": "Tier 2" }, { "type": "url", "endpoint": "uatdo.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.digitalocean.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.db.ondigitalocean.com", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.Any database created inside your own account on this domain are considered in-scope. 
Use the cloud.digitalocean.com asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.digitaloceanspaces.com", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.Any Spaces buckets created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.doserverless.co", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.Any Functions created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.k8s.ondigitalocean.com", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.Any Kubernetes clusters created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.ondigitalocean.app", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.Any Apps created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Assets created by other DigitalOcean customers", "description": "Any asset (Droplet, Space, or otherwise) created by other DigitalOcean customers are not to be tested under any circumstances.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Marketplace Apps and Add-Ons", "description": "The marketplace applications and add-ons are maintained by our partnered vendors. 
Security issues are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.Please reach out to us at security@digitalocean.com for facilitation.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Other DigitalOcean open source projects not listed", "description": "All open source projects hosted by DigitalOcean not otherwise listed as in-scope are out-of-scope.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "registry.digitalocean.com/*", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.Any container registries created inside your own account on this domain are considered in-scope. Use the cloud.digitalocean.com asset in that case.", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "e8b2e8ca-1fb2-4c17-933f-2a1f5cfb7da7", "name": "Driessen Vulnerability Disclosure Program", "company_handle": "driessengroep", "handle": "driessenvdp", "url": "https://www.intigriti.com/programs/driessengroep/driessenvdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "www.driessen.nl/*", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "www.driessen.nl/contact", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "www.driessen.nl/mijn/solliciteren/", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "d5c4e966-a80a-44f5-91c9-2bb9487b8762", "name": "EURid", "company_handle": "eurid", "handle": "eurid", "url": "https://www.intigriti.com/programs/eurid/eurid/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { 
"in_scope": [ { "type": "url", "endpoint": "my.eurid.eu", "description": "My .eu is the registrant or domain holder portal and requires a registered domain name in one of our supported scripts to access.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.das.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.dns.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.eurid.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.nic.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.registry.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.whois.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.yadifa.eu", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "YADIFA authoritative name server", "description": "YADIFA is EURid's authoritative name server software which can be downloaded from the yadifa.eu website.", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "0bcc2455-bd63-490b-b725-890a93a1c678", "name": "Fing", "company_handle": "lansweeper", "handle": "fing", "url": "https://www.intigriti.com/programs/lansweeper/fing/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "service.fing.com", "description": "Our public cloud API for Device Recognition which can be requested on our website: https://app.fing.com/internet/business/devrecog/trial.", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.fing.com", "description": "The Fing web application that gives you an overview of all monitored networks", "impact": "Tier 3" }, { "type": "url", "endpoint": "Fing desktop", "description": "The free Fing App to identify connected devices, troubleshoot network and device issues, detect 
network intruders and run Wi-Fi and internet speed tests anywhere. It can be downloaded here: http://app.fing.com/app", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.fing.com", "description": "Always use \"intigriti.me\" address for any web form", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "acb632b9-2605-47ec-9195-3ffb2f0fcae6", "name": "GULP", "company_handle": "randstad", "handle": "gulp", "url": "https://www.intigriti.com/programs/randstad/gulp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.gulp.ch", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.gulp.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "demo.tendertracker.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.gulp-shop.de", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "www.gulp.ch/forum/*", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "www.gulp.de/forum/*", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "59af45f8-edaf-436c-8649-fbd88702468a", "name": "GlobalSign", "company_handle": "globalsign", "handle": "globalsign", "url": "https://www.intigriti.com/programs/globalsign/globalsign/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 3000, "currency": "EUR" }, "targets": { "in_scope": [ ], "out_of_scope": [ ] } }, { "id": "f70ab87e-e3a5-4c33-81b3-55771420e71d", "name": "Henchman", "company_handle": "henchman", "handle": "henchmanio", "url": "https://www.intigriti.com/programs/henchman/henchmanio/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 4000, 
"currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://api-dashboard.stag.henchman.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://api-search.stag.henchman.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://add-in.stag.henchman.io", "description": "This is our add-in.CredentialsTo access the add-in, you are required to obtain credentials through the credential tool provided. This tool offers two distinct types of credentials. Specifically, for interacting with this endpoint, you will need to use the user credentials, which are identical to those utilized for the dashboard.Here you can search for the analyzed data. You will see this data after your integration is finished.https://youtu.be/BF1bsN2JpBY", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://auth.stag.henchman.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://dashboard.stag.henchman.io", "description": "This is our dashboard, which you can use to add an integration.We've created an Intigriti tenant.CredentialsTo access the dashboard, you are required to obtain credentials through the credential tool provided. This tool offers two distinct types of credentials. Specifically, for interacting with this endpoint, you will need to use the user credentials, which are identical to those utilized for the add-in.https://youtu.be/BF1bsN2JpBY", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://ops-dashboard.stag.henchman.io", "description": "This is our operations dashboard, you will need this to make sure the integration flow goes as smooth as possible. Integration connections that have been made by the customer/tenant on the dashboard will need to be approved here first. Also, this platform will give you extra information about the state of the integration. 
An integration can only be deleted on the operations dashboard. Credentials: To access the dashboard, you are required to obtain credentials through the credential tool provided. This tool offers two distinct types of credentials. Specifically, for interacting with this endpoint, you will need to use the user credentials, which are identical to those utilized for the add-in. https://youtu.be/BF1bsN2JpBY ⚠️ It's important that you use this ops-dashboard only for your own integration flow. ⚠️", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.henchman.io", "description": "For the Dashboard, Auth, Add-in and API endpoints - Do NOT test these on production. Please use the staging environments listed in the above domains section.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "e85b4b33-7785-43b5-a5aa-5bcd226688b4", "name": "Here Technologies", "company_handle": "heretechnologies", "handle": "heretechnologies", "url": "https://www.intigriti.com/programs/heretechnologies/heretechnologies/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.account.api.here.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.account.here.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.mobilitygraph.hereapi.com", "description": "Including, but not limited to, the following applications: https://predictor.mobilitygraph.hereapi.com/ https://profile.mobilitygraph.hereapi.com/ https://subscription.mobilitygraph.hereapi.com/", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.router.hereapi.com", "description": "Including, but not limited to, the following applications: https://matrix.router.hereapi.com/ https://subp-als.matrix.router.hereapi.com/v8/matrix https://transit.router.hereapi.com/ https://intermodal.router.hereapi.com/", "impact": 
"Tier 2" }, { "type": "wildcard", "endpoint": "*.scbe.api.here.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.subp-router.hereapi.com", "description": "Including, but not limited to, following application:https://vip-als.subp-router.hereapi.com/", "impact": "Tier 2" }, { "type": "ios", "endpoint": "955837609", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.here.app.maps", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.here.com", "description": "This scope (*.here.com) is for Log4J and Spring4Shell RCE vulnerabilities only.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.hereapi.com", "description": "This scope (*.hereapi.com) is for Log4J and Spring4Shell RCE vulnerabilities only.", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "5c7a8f79-a23b-4367-a2c6-63a2d48586ee", "name": "Het Laatste Nieuws", "company_handle": "dpgm", "handle": "hetlaatstenieuws", "url": "https://www.intigriti.com/programs/dpgm/hetlaatstenieuws/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "* hln.be/inloggen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "* hln.be/login", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "* hln.be/registreren", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "hln.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "myaccount.hln.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.hln.be", "description": "excluding", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.hln.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* hln.be/service", "description": "", "impact": "Out of scope" } ], "out_of_scope": 
[ ] } }, { "id": "406fd572-83b2-49de-9200-594c484d5bb9", "name": "Het Parool", "company_handle": "dpgm", "handle": "hetparool", "url": "https://www.intigriti.com/programs/dpgm/hetparool/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.parool.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.parool.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.parool.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.parool.nl", "description": "excluding", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.parool.nl/abonnementen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.parool.nl", "description": "excluding abonnement.parool.nl", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* parool.nl/inloggen", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* parool.nl/login", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* parool.nl/registreren", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* parool.nl/service", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.parool.nl", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "c7272420-0cef-4366-87d2-278c06591799", "name": "House of HR Vulnerability Disclosure Program", "company_handle": "houseofhr", "handle": "houseofhrvulnerabilitydisclosureprogram", "url": "https://www.intigriti.com/programs/houseofhr/houseofhrvulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": 
"wildcard", "endpoint": "*.houseofhr.com/*", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.swop.com/*", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "houseofhr.com/contact-us", "description": "This contact form is out of scope", "impact": "Out of scope" }, { "type": "url", "endpoint": "houseofhr.com/your-career/jobs", "description": "Applying for jobs is out of scope", "impact": "Out of scope" }, { "type": "url", "endpoint": "rebel.houseofhr.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "a78e0210-4de1-4ced-8895-48ac98c3166d", "name": "Housing Application (huisvestingsapp) Bug Bounty Program", "company_handle": "kuleuven", "handle": "huisvesting", "url": "https://www.intigriti.com/programs/kuleuven/huisvesting/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://www.kuleuven.be/sapredir/huisvesting", "description": "!! 
You can create an account with your @intigriti.me address and name 'Intigriti Test' (as explained in the FAQ), but the registration process itself is not in scope for the bug bounty programme !!The scope includes all assets that are reasonably related to the housing application app (except for authentication like login or registration process).", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "67d5a491-4baa-4565-bdc9-962bcd5f5ddd", "name": "Humo", "company_handle": "dpgm", "handle": "humo", "url": "https://www.intigriti.com/programs/dpgm/humo/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "* humo.be/registreren", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "myaccount.humo.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.humo.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.humo.be", "description": "excluding", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.humo.be/abonnementen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.humo.be", "description": "excluding abonnement.humo.be", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* humo.be/inloggen", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* humo.be/login", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* humo.be/service", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.humo.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "540e04bb-ae56-49cd-8e05-311a08ba44f7", "name": "ING Responsible Disclosure", "company_handle": "ing", "handle": "ing-responsible-disclosure", "url": "https://www.intigriti.com/programs/ing/ing-responsible-disclosure/detail", 
"status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Any ING (sub)domain", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "b084e962-1d83-4bec-9d46-0f02c0f7bf88", "name": "InnoGames", "company_handle": "innogames", "handle": "innogames", "url": "https://www.intigriti.com/programs/innogames/innogames/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.igpayment.com", "description": "This is our payment environment used in all of our games.Note for automated-scanning:We are happy that you are as enthusiastic as we are about this program!To not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.innogames.de", "description": "Notes for login.innogames.deThis is our central login and account management tool. We do not provide accounts for this service and there are no registration pages available. 
Note for automated-scanning:We are happy that you are as enthusiastic as we are about this program!To not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s.", "impact": "Tier 1" }, { "type": "url", "endpoint": "support.innogames.com", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.innogames.com", "description": "Note for automated-scanning:We are happy that you are as enthusiastic as we are about this program!To not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s.", "impact": "Tier 2" }, { "type": "other", "endpoint": "com.innogames.elvenar - Android", "description": "Sign up on Microsoft AppCenter and download the special app for BugBounty testing:https://install.appcenter.ms/orgs/innogames-gmbh/apps/elvenar-bugbounty-android/distribution_groups/bugbounty", "impact": "Tier 2" }, { "type": "other", "endpoint": "com.innogames.foeandroid", "description": "Sign up on AppCenter and download the special app for BugBounty testing:https://install.appcenter.ms/orgs/innogames-gmbh/apps/foe-bugbounty-android/distribution_groups/bugbounty", "impact": "Tier 2" }, { "type": "url", "endpoint": "innogames.com", "description": "Please do not send applications through the application form. This is a 3rd party tool and out-of-scope.", "impact": "Tier 2" }, { "type": "url", "endpoint": "tribalwars.cash", "description": "This is our game master server which stores information about all worlds available. 
Here: xs1.", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs.elvenar.com", "description": "This is our game landing page system which is used to signup, login and get news about the game", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs.forgeofempires.com", "description": "This is our game landing page system which is used to signup, login and get news about the game", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs.grepolis.com", "description": "This is our game landing page system which is used to signup, login and get news about the game", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs0.elvenar.com", "description": "This is our game master server which stores information about all worlds available. Here: xs1.", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs0.forgeofempires.com", "description": "This is our game master server which stores information about all worlds available. Here: xs1.", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs0.grepolis.com", "description": "This is our game master server which stores information about all worlds available. 
Here: xs1.", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs1.elvenar.com", "description": "This is the actual game world where all the game logic resides and the player gets redirected to", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs1.forgeofempires.com", "description": "This is the actual game world where all the game logic resides and the player gets redirected to", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs1.grepolis.com", "description": "This is the actual game world where all the game logic resides and the player gets redirected to", "impact": "Tier 2" }, { "type": "url", "endpoint": "xs1.tribalwars.cash", "description": "This is the actual game world where all the game logic resides and the player gets redirected to", "impact": "Tier 2" }, { "type": "url", "endpoint": "autodiscover.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "call.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "conferencing.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "exchange.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "igjam.eu", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "jamf.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "lyncdiscover.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mailout.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "meet.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mra.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", 
"endpoint": "newsroom.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "om-cdn.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "pn.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "sip.innogames.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "sip.innogames.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "slack.innogames.de", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "10eb5e95-08e2-4f4e-8d22-f8c600a7acff", "name": "Intel®", "company_handle": "intel", "handle": "intel", "url": "https://www.intigriti.com/programs/intel/intel/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 500, "currency": "USD" }, "max_bounty": { "value": 100000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Hardware", "description": "", "impact": "Tier 1" }, { "type": "other", "endpoint": "Firmware", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Software", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.intel.com", "description": "Intel's Web Infrastructure, i.e.*.intel.comIntel’s web infrastructure, i.e., website domains owned and/or operated by Intel, fall Out of Scope. 
These reports are not eligible for rewards of any kind. Please send security vulnerability reports against intel.com and/or related web presence to external.security.research@intel.com. Please select this domain when submitting credentials of any kind.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "ee2612e7-e188-492f-9bb2-ba48651523de", "name": "Intergamma", "company_handle": "intergamma", "handle": "intergamma", "url": "https://www.intigriti.com/programs/intergamma/intergamma/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 10, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "949829216", "description": "iOS app of GAMMA NL", "impact": "Tier 1" }, { "type": "ios", "endpoint": "950680989", "description": "iOS app of Karwei", "impact": "Tier 1" }, { "type": "ios", "endpoint": "950693949", "description": "iOS app of GAMMA BE", "impact": "Tier 1" }, { "type": "android", "endpoint": "be.gamma.app.android", "description": "Android app of GAMMA BE", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "kassa.gamma.be/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "kassa.gamma.nl/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "kassa.karwei.nl/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "mijn.gamma.be/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "mijn.gamma.nl/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "mijn.karwei.nl/*", "description": "", "impact": "Tier 1" }, { "type": "android", "endpoint": "nl.gamma.app.android", "description": "Android app of GAMMA NL", "impact": "Tier 1" }, { "type": "android", "endpoint": "nl.karwei.app.android", "description": "Android app of Karwei", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "www.gamma.be/*", "description": "",
"impact": "Tier 1" }, { "type": "wildcard", "endpoint": "www.gamma.nl/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "www.karwei.nl/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.gamma.be/*", "description": "Out of scope: raamdecoratieconfigurator.gamma.be. Out of scope: mail.gamma.be. This covers all subdomains of gamma.be not listed in Tier 1", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.gamma.nl/*", "description": "Out of scope: mail.gamma.nl. Out of scope: raamdecoratieconfigurator.gamma.nl. This covers all subdomains of gamma.nl not listed in Tier 1", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.intergamma.nl/*", "description": "Corporate website", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.karwei.nl/*", "description": "Out of scope: mail.karwei.nl. api.maakafspraak.karwei.nl and maakafspraak.karwei.nl are listed separately. This covers all subdomains of Karwei.nl not listed in Tier 1", "impact": "Tier 2" }, { "type": "ios", "endpoint": "1558129454", "description": "Our brand new iOS app fully dedicated to paint, with nice features to use AR and see how the paint looks on your own wall. Shares various web views with our website. Technically equal to the Android version", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://zabbix.intergamma.nl/*", "description": "Zabbix installation", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.intergamma-test.nl", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.intergamma.cloud", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.restintergamma.nl", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.werkenbijgamma.be", "description": "Recruiting website", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.werkenbijgamma.nl", "description": "Recruiting website", "impact": "Tier 3" }, { "type": "wildcard",
"endpoint": "*.werkenbijkarwei.nl", "description": "Recruiting website", "impact": "Tier 3" }, { "type": "android", "endpoint": "nl.gamma.verf", "description": "Our brand new Android app fully dedicated to paint, with nice features to use AR and see how the paint looks on your own wall.Shares various web views with our website.Technically equal to the iOS version", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.karweioutletstore.nl", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "afspraakmaken.gamma.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "api.afspraakmaken.gamma.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "api.afspraakmaken.gamma.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "api.maakafspraak.karwei.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "karwei-2018.hetmooistegordijn.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "maakafspraak.karwei.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.gamma.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.gamma.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.karwei.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "raamdecoratieconfigurator.gamma.be", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "raamdecoratieconfigurator.gamma.nl", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "3f6b3170-afd4-411c-84fc-24113a562ecf", "name": "KU Leuven Responsible Disclosure Program", "company_handle": "kuleuven", "handle": "kuleuvenrdp", "url": "https://www.intigriti.com/programs/kuleuven/kuleuvenrdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, 
"max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ip range", "endpoint": "IPv4:", "description": "", "impact": "No bounty" }, { "type": "ip range", "endpoint": "IPv6: 2a02:2c40::/32", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "www.trismegistos.org", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "768ad323-335b-4710-9370-6b81925c122f", "name": "Kinepolis Group", "company_handle": "kinepolis", "handle": "website", "url": "https://www.intigriti.com/programs/kinepolis/website/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.klubcinema.fr", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.megatix.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "booking.mjrtheatres.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "extras.landmarkcinemas.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "ferrero.kinepolis.lu", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "identityserver.landmarkcinemas.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "kinepolis.megatix.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "luxfilmfestfilms.megatix.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "luxfilmfestproducts.megatix.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "luxfilmfesttickets.megatix.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "movieapi.kinepolis.megatix.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": 
"tickets.kinepolis.ch", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.es", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.fr", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.lu", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.nl", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "userprofile-ui.landmarkcinemas.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.ch", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.es", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.fr", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.lu", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.nl", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.landmarkcinemas.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.mjrtheatres.com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "business.kinepolis.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "business.kinepolis.lu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "business.kinepolis.nl", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.inthepocket.kinepolis", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "extras-acc.landmarkcinemas.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://movieclub-int.kinepolis.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": 
"https://movienow-int.kinepolis.be/admin", "description": "We are planning on using a new way to authenticate our INT/UAT testers, and it's active on this URL. Are there weaknesses on this page?", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://shop-acc.kinepolis.be/", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "identityserver-acc.landmarkcinemas.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "kinepolis-studio.be", "description": "", "impact": "Tier 2" }, { "type": "ios", "endpoint": "kinepolis/id368204284", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "nz.co.vista.android.movie.mjrtheatres", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.kinepolis.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.kinepolis.es", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.kinepolis.fr", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.kinepolis.lu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "stage.landmarkcinemas.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "userprofile-acc.landmarkcinemas.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.kinepolis.biz", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.kinepolis.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.ch", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.com", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.fr", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.lu", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.nl", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": 
"*.landmarkcinemas.com", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.mjrtheatres.com", "description": "", "impact": "Tier 3" }, { "type": "ios", "endpoint": "522089287", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.kinepolisempresas.com/", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "egaming.kinepolis.es", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.cineramabios.nl", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "dev.kinepolis.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.kinepolis.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "l.kinepolis.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "openx.kinepolis.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "b98261a6-2339-4325-b00b-008e24b28e88", "name": "Kiwa Vulnerability Disclosure Program", "company_handle": "kiwa", "handle": "kiwavdp", "url": "https://www.intigriti.com/programs/kiwa/kiwavdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.kiwa.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.kiwa.nl", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "https://careers.kiwa.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://qr.kiwa.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://www.kiwa.com/en/contact/", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "06ea3a06-58d5-4173-af0e-c2f1f98714c6", "name": "Lansweeper", "company_handle": "lansweeper", "handle": 
"lansweeper1", "url": "https://www.intigriti.com/programs/lansweeper/lansweeper1/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "edge.lansweeper.com", "description": "Domain used during the two-way sync process between the local web console (on-premises software) and the cloud platform. You can request your trial on our website: https://www.lansweeper.com/download/ but always use \"intigriti.me\" address for any user accountWith this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.lansweeper.com", "description": "API used for integrations with our cloud platform (app.lansweeper.com).More information about our API: https://docs.lansweeper.com/docs", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.lansweeper.com", "description": "The cloud Platform, this also includes lecstaticcontent.lansweeper.comYou can request your trial on our website: https://www.lansweeper.com/download/ but always use \"intigriti.me\" address for any user accountWith this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. 
You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.", "impact": "Tier 2" }, { "type": "url", "endpoint": "backoffice.lansweeper.com", "description": "Internal backoffice portal for cloud platform. No authorisation will be given", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://lsagentrelay.lansweeper.com/", "description": "Our cloud relay server connection using LsAgent. If the computers you're scanning do not have a direct connection to your Lansweeper installation, scanned LsAgent data can be sent to our relay server in the cloud. Our LsAgent is a cross-platform scanning agent that can scan computers both inside and outside of your network. It automatically collects an inventory from the computer it's installed on and sends the data back to the Lansweeper installation, this can be done through our relay server in the cloud. For this, you must enable relay access in your Lansweeper installation. Scanned LsAgent data is sent securely over HTTPS (TLS 1.2) to the relay server in Microsoft Azure, where it is encrypted as well. Your Lansweeper scanning server can retrieve the scanned data from the relay server, after which it is deleted from the relay. In order to use the relay server, make sure outbound traffic is allowed on your Lansweeper scanning server. Specifically, the scanning server must be able to make an outbound connection to port 443 of lsagentrelay.lansweeper.com, the cloud relay server. More information about LsAgent can be found on our website: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-lsagent-for-windows-linux-and-mac/ta-p/64473 The use of the relay server must explicitly be enabled in the Lansweeper web console.
It is not enabled by default!", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.lansweeper.com/trial", "description": "Demo site with demo data to test the cloud platform. Always use \"intigriti.me\" address for any web form", "impact": "Tier 3" }, { "type": "url", "endpoint": "autoupdateapi.lansweeper.com", "description": "API for updating on-premise software", "impact": "Tier 3" }, { "type": "url", "endpoint": "docs.lansweeper.com", "description": "Lansweeper's technical documentation", "impact": "Tier 3" }, { "type": "url", "endpoint": "login.lansweeper.com", "description": "Auth0 identity provider for cloud platform. Always use \"intigriti.me\" address for any user account", "impact": "Tier 3" }, { "type": "url", "endpoint": "on-premises software", "description": "The on-premises software is the latest available version on our website (www.lansweeper.com/changelog). You can request your trial on our website: https://www.lansweeper.com/download/ but always use \"intigriti.me\" address for any user account. With this trial you get access to our cloud platform (app.lansweeper.com), our on-premises software and the sync process (edge.lansweeper.com) between these two. You have to install our on-premises software somewhere locally and this will allow you to scan your local network and push the results to the cloud platform via the sync process.", "impact": "Tier 3" }, { "type": "url", "endpoint": "OT scanner", "description": "Scanner to discover OT devices.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.lansweeper.com", "description": "Always use \"intigriti.me\" address for any web form. Out of scope for this domain: Store.lansweeper.com, www.lansweeper.com/forum, Third-party plug-ins (e.g.
Pardot - CleverBridge - Botpress)", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.lansweeper.com", "description": "Any other public-facing Lansweeper related URL", "impact": "No bounty" }, { "type": "other", "endpoint": "lsrunase2.0 and lsencrypt2.0", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.lansweeper.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "www.lansweeper.com/forum", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "43c4b274-ccbd-4ea2-8047-d40b0b4205ac", "name": "Libelle", "company_handle": "dpgm", "handle": "libelle", "url": "https://www.intigriti.com/programs/dpgm/libelle/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.libelle.nl", "description": "excluding", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.libelle.nl", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* libelle.nl/inloggen", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* libelle.nl/login", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* libelle.nl/registreren", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* libelle.nl/service", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "5ae71f99-d61e-42d2-b74e-b218530bb3b5", "name": "Mobile Vikings", "company_handle": "mv", "handle": "mobilevikings", "url": "https://www.intigriti.com/programs/mv/mobilevikings/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "mobilevikings.be", "description": "", "impact": 
"Tier 1" }, { "type": "url", "endpoint": "api.unleashed.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "jimmobile.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "uwa.mobilevikings.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "vpn.mobilevikings.be", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.mas.mobilevikings.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.mobilevikings.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.prd-pub.mobilevikings.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.prd.mobilevikings.be", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "mgm.mobilevikings.be", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "vikingco.be", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "vikingdeals.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.acc-pub.mobilevikings.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.acc.mobilevikings.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dev-pub.mobilevikings.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dev.mobilevikings.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "vikinglab.be", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "e6a4bd31-e2bf-402d-ad0c-7492bffc3f6c", "name": "Monster Worldwide", "company_handle": "randstad", "handle": "monsterworldwide", "url": "https://www.intigriti.com/programs/randstad/monsterworldwide/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": 
"wildcard", "endpoint": "*.military.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.at", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.be", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.ca", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.ch", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.co.uk", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.de", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.dk", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.es", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.eu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.fr", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.hu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.ie", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.it", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.lu", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.no", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.pt", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monster.se", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monsterboard.nl", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.monsterpolska.pl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "fastweb.com", "description": "", "impact": "Tier 2" 
}, { "type": "wildcard", "endpoint": "*.monster.cz", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.monster.fi", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.monsterindia.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "Any endpoints which are not owned by Monster & third party systems", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "ff0f8e99-99b3-453a-a80c-fe9644bd1f01", "name": "Monzo Vulnerability Disclosure Program", "company_handle": "monzobank", "handle": "monzo-vdp", "url": "https://www.intigriti.com/programs/monzobank/monzo-vdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "GBP" }, "max_bounty": { "value": 0, "currency": "GBP" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.monzo.com", "description": "The crux of Monzo where the APIs live as well as Monzo Business and the main web site", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.monzo.me", "description": "Houses the services for the pay me / request payment feature", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.prod-ffs.io", "description": "Where our internal tooling lives... 
hopefully it isn't exposed!", "impact": "Tier 1" }, { "type": "ios", "endpoint": "1052238659", "description": "The public seed of the Monzo app on iOS", "impact": "Tier 2" }, { "type": "android", "endpoint": "co.uk.getmondo", "description": "The public seed of the Monzo app on Android", "impact": "Tier 2" }, { "type": "url", "endpoint": "community.monzo.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "developers.monzo.com/env.js", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "56339d19-36cc-49a0-8e8f-b2502e00d165", "name": "Moralis VDP", "company_handle": "moralis", "handle": "moralisio", "url": "https://www.intigriti.com/programs/moralis/moralisio/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.bigmoralis.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.grandmoralis.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralis-internal.io", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralis-streams.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralis.io", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralisapp.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralishost.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralismoney.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.moralisweb3.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.usemoralis.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "academy.moralis.io", "description": "", "impact": "Out of 
scope" }, { "type": "url", "endpoint": "docs.moralis.io", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "forum.moralis.io", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "merch.moralis.io", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "roadmap.moralis.io", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "status.moralis.io", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "studygroup.moralis.io", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "talent.moralis.io", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "67f303d5-5c5b-44ec-a278-874f818fbc48", "name": "Nestlé VDP", "company_handle": "nestlé", "handle": "nestlévdp", "url": "https://www.intigriti.com/programs/nestl%C3%A9/nestl%C3%A9vdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.nestle.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "Any domain related to Nestlé brands", "description": "You can find the Nestlé brands in scope in this link.", "impact": "No bounty" }, { "type": "device", "endpoint": "Any IoT device sold by Nestlé Brands", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "670f183e-aca8-4bc1-87d7-5341c552d006", "name": "Nexuzhealth", "company_handle": "uz leuven", "handle": "mobile apps", "url": "https://www.intigriti.com/programs/uz%20leuven/mobile%20apps/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": 
"be.nexuzhealth.mobile.cpv", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.nexuzhealth.mobile.kws", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.nexuzhealth.mobile.mynexuz", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "forms.nexuzhealth.be", "description": "Registration for code cards used to authenticate on the mynexuzhealth application", "impact": "Tier 2" }, { "type": "url", "endpoint": "idp-mobile.nexuzhealth.be", "description": "", "impact": "Tier 2" }, { "type": "ios", "endpoint": "kws-companion/id1342124012", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "mobile.nexuzhealth.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "mynexuz.be", "description": "🇬🇧🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "mynexuz.be/myUZ/", "description": "🇬🇧🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "ios", "endpoint": "mynexuzhealth/id1459856321", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.nexuzhealth.com/nl/mynexuzhealthpro", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "ecf9c610-36eb-47df-8b25-bb496aff8015", "name": "Nexuzhealth Web PACS", "company_handle": "uz leuven", "handle": "nexuzhealthwebpacs", "url": "https://www.intigriti.com/programs/uz%20leuven/nexuzhealthwebpacs/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 1000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "idp-contact.nexuzhealth.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "media.nexuzhealth.be/patient/", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "0fd1d85b-2d33-4966-b5a0-caabfda5108e", "name": "Ninja Kiwi Games", "company_handle": "ninjakiwigames", "handle": "ninjakiwigames", "url": 
"https://www.intigriti.com/programs/ninjakiwigames/ninjakiwigames/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 55, "currency": "EUR" }, "max_bounty": { "value": 4125, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "analytics.ninjakiwi.com", "description": "This domain hosts the API that consumed analytics events from our game clients", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.ninjakiwi.com", "description": "This domain hosts the API for our mobile and PC games. Monitoring traffic through one of our game clients is the easiest method to investigate our main API. Most of our applications are available for free on Steam. Please carefully read the in-scope section regarding what sorts of exploits will be considered in-scope for this domain.", "impact": "Tier 1" }, { "type": "url", "endpoint": "builds-auckland.ninja.kiwi", "description": "This domain hosts builds of Ninja Kiwi games for iOS devices. Areas of focus:", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ninjakiwi.me", "description": "ninjakiwi.me is a domain which hosts many of Ninja Kiwi's employee-only services. Any subdomain is eligible for the program.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.nkstatic.com", "description": "This domain hosts static content for Ninja Kiwi games and website.", "impact": "Tier 2" }, { "type": "url", "endpoint": "battles.tv", "description": "Battles.tv is used to share replays from our Bloons TD Battles game.", "impact": "Tier 2" }, { "type": "url", "endpoint": "data.ninjakiwi.com", "description": "This domain hosts our public data API which grants open access to in-game data from our biggest games. 
For example player profiles, leaderboards and event information is available through this domain.", "impact": "Tier 2" }, { "type": "url", "endpoint": "guts.ninjakiwi.com", "description": "This is the backend services for certain BTD6 in-game features such as Contested Territories and the Map Creator.", "impact": "Tier 2" }, { "type": "url", "endpoint": "ninja.kiwi", "description": "This domain is used by Ninja Kiwi for our URL shortener service, ie https://ninja.kiwi/intigriti.", "impact": "Tier 2" }, { "type": "url", "endpoint": "ninjakiwi.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ninjakiwi.com", "description": "This covers any subdomains of ninjakiwi.com other than sub-domains which are managed by authorized third-party services or included in the list below.Third Party ServicesThe following domains are explicitly excluded", "impact": "Tier 3" }, { "type": "url", "endpoint": "ct.ninjakiwi.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "mynk.ninjakiwi.com", "description": "This is a legacy domain which powers our Flash games. 
Uses Flash AMF.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.souparea.com", "description": "This domain will be considered out of scope unless it can be shown to allow an exploit on one of our Tier 1-3 domains.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "188976b1-e8b3-4132-a6f6-e96113599474", "name": "Oda", "company_handle": "oda", "handle": "oda", "url": "https://www.intigriti.com/programs/oda/oda/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 75, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1079537578", "description": "Oda android app", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://oda.com", "description": "The main shop used in Norway.", "impact": "Tier 2" }, { "type": "android", "endpoint": "no.kolonial.tienda", "description": "The Oda android app", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.oda.com", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.prod.nube.tech", "description": "Should mostly be internal services", "impact": "Tier 3" }, { "type": "ios", "endpoint": "1076840480", "description": "Mathem iOS app", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://mathem.se", "description": "The main shop and brand in Sweden.", "impact": "Tier 3" }, { "type": "android", "endpoint": "se.mathem.mathem", "description": "", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "2f8db691-ed2b-4796-9b31-d808efb80dfa", "name": "Online enrollment for students Bug Bounty Program", "company_handle": "kuleuven", "handle": "onlineinschrijvingenbetalingstoepassing", "url": "https://www.intigriti.com/programs/kuleuven/onlineinschrijvingenbetalingstoepassing/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { 
"type": "url", "endpoint": "https://associatie.kuleuven.be/inschrijvingen/oli_login_50000050", "description": "🇬🇧🇳🇱 the registration/login part on idp.kuleuven.be itself is out of scope for the program", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://webwsp.aps.kuleuven.be/sap/bc/ui5_ui5/sap/zc_oi_appl/", "description": "🇬🇧🇳🇱", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "ecc515cc-c0c1-4a72-966a-ba2baef4d35f", "name": "Orbia Responsible Disclosure", "company_handle": "orbia", "handle": "orbiavdp", "url": "https://www.intigriti.com/programs/orbia/orbiavdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.alphagary.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.alphagarycompuestos.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.amanco.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.biarrinetworks.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.bow-group.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.duraline.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.klea.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.kouraglobal.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.metropolder.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.mexichem.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.naiad.cloud", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.naiad.ninja", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.netafim.com", 
"description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.orbia.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.orbiaglobal.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.plastigama.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.polderroof.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.silatronix.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.sylvin.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.vestolit.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.wavin.com", "description": "Multiple geo top level domain (e.g. wavin.nl) re-directing to wavin.com", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.wavin.io", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.zephex.com", "description": "", "impact": "No bounty" }, { "type": "ios", "endpoint": "1383688497", "description": "", "impact": "No bounty" }, { "type": "ios", "endpoint": "1517825382", "description": "", "impact": "No bounty" }, { "type": "ios", "endpoint": "1584170510", "description": "", "impact": "No bounty" }, { "type": "ios", "endpoint": "1616009566", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "aqora.*", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "aqora.naiad.*", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": "br.com.ideia2001.CatalogoWavin", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": "com.instalsoft.wavinsmartinstalsystem", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": "com.loyaltyworks.wavinapp", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": 
"com.RD3Digital.AmancoWavinRA", "description": "", "impact": "No bounty" }, { "type": "android", "endpoint": "com.wavin.sentio", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.vectus.in", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "9ef59fe8-d021-4d23-9521-0d7d01da03ee", "name": "PeopleCert VDP", "company_handle": "peoplecert", "handle": "peoplecert", "url": "https://www.intigriti.com/programs/peoplecert/peoplecert/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "selt.languagecert.org", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "www.languagecert.org", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "www.peoplecert.org", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "694f3e58-f408-4a3f-8e2a-1b562650399a", "name": "Personio", "company_handle": "personio", "handle": "personio", "url": "https://www.intigriti.com/programs/personio/personio/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 7500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "https://api.personio.de/v2/webhooks/*", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.personio-internal.de", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.personio.tools", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://*.personio.de", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://hug.personio.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://sec-test--.personio.de", "description": "Please see FAQ for creation instructions", 
"impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.personio.com/free-trial/", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://www.personio.de/kostenlos-testen/", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "Other assets owned by Personio", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.personio.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "personio.slack.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "statuspage.personio.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "support.personio.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "www.personio.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "www.personio.es", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "0f05f9cd-03e1-4f90-a449-2f43cdaf879a", "name": "Port of Antwerp-Bruges", "company_handle": "portofantwerp", "handle": "portofantwerp", "url": "https://www.intigriti.com/programs/portofantwerp/portofantwerp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.c-point.be", "description": "", "impact": "Tier 2" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Tier 2" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.portofantwerpbruges.com", "description": "", 
"impact": "Tier 2" }, { "type": "url", "endpoint": "apps-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "apps-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "apps.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "apps.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "as2-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "as2-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "as2.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "as2.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "digitalspecs.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "my-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "my-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "my.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", 
"endpoint": "my.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "oprc.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "register-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "register-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "share-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "share-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "share.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "share.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki-accpt.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki-accpt.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki.portofantwerp.com", "description": "", "impact": "Tier 2" }, { "type": "url", 
"endpoint": "wiki.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.oursustainableport.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.portofantwerpbruges.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.portofantwerp.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.portofantwerpbruges.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "future.portofantwerp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "future.portofantwerpbruges.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.portofantwerp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.portofantwerpbruges.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "media.portofantwerp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "media.portofantwerpbruges.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "register.portofantwerp.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "register.portofantwerpbruges.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "201f8ade-4d93-4d8b-b371-af5ed9d8b837", "name": "RIPE NCC", "company_handle": "ripencc", "handle": "ripencc", "url": "https://www.intigriti.com/programs/ripencc/ripencc/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "access.ripe.net", "description": "This is the authentication service for our membership and community, mostly used for all of our membership (e.g. 
LIR) applications. We strongly suggest that you adjust your scanners to the req/sec limit we mentioned. Please adhere to the out of scope rules below.", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-commons", "description": "This library contains an implementation of an X.509 v3 certificate extension which binds a list of IP address blocks or prefixes to the subject of a certificate (IP Address Delegation Extension).", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-core", "description": "This repository contains the source code for the RIPE NCC certification. We strive to publish as many components as possible with reasonable effort. Some elements or information are not included, either because of our threat model or because we can not publish them.", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/whois", "description": "RIPE Database whois code repository.", "impact": "Tier 1" }, { "type": "url", "endpoint": "lirportal.ripe.net", "description": "Our portal page for LIRs, where they can access their information and more. Since this portal is designed to give access only to LIRs, you can't create an account. Until then;", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ripe.net", "description": "Our main domain. We suggest that you check the out of scope section of our program if you discover any vulnerabilities on this domain or its subdomains. To make your reports better, we suggest that you check the IP address of the asset you've found so you can tell whether the address is in scope or out of scope.", "impact": "Tier 2" }, { "type": "ip range", "endpoint": " and 2001:67c:2e8::/48", "description": "This is our IP range. Since we let some people host their content, there are some exclusions.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-monitoring", "description": "", "impact": "Tier 2" }, { 
"type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-publication-server", "description": "This is the RIPE NCC's implementation of RFC 8182 - The RPKI Repository Delta Protocol and a draft of RFC 8181 - A Publication Protocol for the Resource Public Key Infrastructure.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-ta-0", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rsyncit", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "Assets owned by RIPE NCC", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.anchors.atlas.ripe.net", "description": "These probes and anchors are not hosted in networks managed by the RIPE NCC, but in networks participating in the RIPE Atlas project. If you find any vulnerabilities for IP addresses associated with RIPE Atlas probes/anchors, you will need to report them to the security teams of the responsible network operators.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.probes.atlas.ripe.net", "description": "These probes and anchors are not hosted in networks managed by the RIPE NCC, but in networks participating in the RIPE Atlas project. If you find any vulnerabilities for IP addresses associated with RIPE Atlas probes/anchors, you will need to report them to the security teams of the responsible network operators.", "impact": "Out of scope" }, { "type": "url", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "2001:67c:2e8:3::/64", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "Any *.ripe.net host that is located outside of the in-scope IP ranges", "description": "The RIPE NCC uses a number of SaaS provider where a *.ripe.net record may point to. However, these services are not maintained by the RIPE NCC and are not part of this Bug Bounty program. 
If you think a specific host may be in scope, please contact Intigriti Support", "impact": "Out of scope" }, { "type": "url", "endpoint": "Any of the beta/dev environments", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "exams.ripe.net", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "RIPE Meeting network (2001:67c:64::/48 and", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "ripe(1to87).ripe.net", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "b2049472-b637-49c3-b9cc-077c676f093c", "name": "Randstad", "company_handle": "randstad", "handle": "randstad", "url": "https://www.intigriti.com/programs/randstad/randstad/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.randstad.*", "description": "Out of Scope: workplace.randstad.in & apps.randstad.in", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.randstadrisesmart.*", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.risesmart.*", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Any related Randstad domain", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "apps.randstad.in", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "cz.randstad.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "workplace.randstad.in", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "e1dc7326-0466-4c06-bd52-3c6df82370be", "name": "Red Bull", "company_handle": "redbull", "handle": "redbull", "url": "https://www.intigriti.com/programs/redbull/redbull/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { 
"value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "https://gist.github.com/RedBullSecurity/3eb88debcb01759eccf65ec2b799b340", "description": "Domains that are related to Red Bull and can be found on this list. Any subdomain not mentioned in this list, will be considered as out of scope.", "impact": "No bounty" }, { "type": "other", "endpoint": "IOS and Android apps related to Red Bull", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.newyorkredbulls.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "9a3f850e-4387-4434-98c7-dba2827b727b", "name": "Revolut VDP", "company_handle": "revolut", "handle": "revolutvdp", "url": "https://www.intigriti.com/programs/revolut/revolutvdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "GBP" }, "max_bounty": { "value": 0, "currency": "GBP" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "All domains of Revolut", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "d0ff1339-f0c4-4733-a648-1b06b79125e6", "name": "Robinhood Bug Bounty Program", "company_handle": "robinhood", "handle": "robinhoodbbp", "url": "https://www.intigriti.com/programs/robinhood/robinhoodbbp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 50000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.rhinternal.net", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.robinhood.com", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.robinhood.net", "description": "robinhood.net contains internal Robinhood services. 
You shouldn’t be able to log into anything here.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "938003185", "description": "", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.robinhood.android", "description": "", "impact": "Tier 1" } ], "out_of_scope": [ ] } }, { "id": "196fa177-ac2d-41b0-91bb-07bc9db43b7a", "name": "SBB - Swiss Federal Railways", "company_handle": "sbb", "handle": "sbbglobal", "url": "https://www.intigriti.com/programs/sbb/sbbglobal/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.swisspass.ch", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.sbb.ch", "description": "", "impact": "Tier 1" }, { "type": "other", "endpoint": "Mobile Apps", "description": "SBB Mobile - your personal travel companion for public transport.SBB Mobile IOSSBB Mobile AndroidSBB Preview - always be among the first to test the latest features.SBB Preview IOSSBB Preview AndroidPlease find more details about the apps in theFAQ for SBB Mobile and SBB Preview", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.sbb.ch", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.elvetino.ch", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.sbbcargo.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.transsicura.ch", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "44c50318-5fc3-4314-b9ee-6b0065605a99", "name": "Say Technologies Bug Bounty Program", "company_handle": "robinhood", "handle": "saytechnologiesbbp", "url": "https://www.intigriti.com/programs/robinhood/saytechnologiesbbp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 10000, "currency": "USD" }, "targets": 
{ "in_scope": [ { "type": "wildcard", "endpoint": "https://*.saytechnologies.com", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "https://*.say.rocks", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.saytechnologies.com/contact/sales", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "e1845bab-be93-43d9-b040-462f886235ef", "name": "Sentiance", "company_handle": "sentiance", "handle": "sentiance", "url": "https://www.intigriti.com/programs/sentiance/sentiance/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api.sentiance.com", "description": "Main API", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.sentiance.journeys2", "description": "Insights Google Store link", "impact": "Tier 1" }, { "type": "url", "endpoint": "controltower.sentiance.com", "description": "Insights dashboard", "impact": "Tier 1" }, { "type": "ios", "endpoint": "https://apps.apple.com/us/app/rac-go/id6444858115", "description": "RAC Go Apple store link", "impact": "Tier 1" }, { "type": "android", "endpoint": "https://play.google.com/store/apps/details?id=com.sentiance.saferdriver", "description": "RAC Go Google store link", "impact": "Tier 1" }, { "type": "ios", "endpoint": "insights-by-sentiance/id1608074635", "description": "Insights Apple Store link", "impact": "Tier 1" }, { "type": "url", "endpoint": "journeys-api.sentiance.com/v2", "description": "Insights app base API", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.sentiance.com", "description": "IMPORTANT! Please read the out of scope section. 
Not all subdomains are in scope", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.sentiance.journeys", "description": "Journeys Google Store link", "impact": "Tier 2" }, { "type": "ios", "endpoint": "journeys-2/id984087229?mt=8", "description": "Journeys Apple Store link", "impact": "Tier 2" }, { "type": "url", "endpoint": "docs.sentiance.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "graphqldocs.sentiance.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "legacy-docs.sentiance.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "jobs.sentiance.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "www.sentiance.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "0d585f25-b705-4141-a961-66d6ade8942e", "name": "SimScale", "company_handle": "simscale", "handle": "simscale", "url": "https://www.intigriti.com/programs/simscale/simscale/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "SimScale API", "description": "API URL: https://api.simscale.com. The API doc is available at https://api.simscale.com. API keys can be managed in the API keys page.", "impact": "Tier 2" }, { "type": "other", "endpoint": "SimScale Platform", "description": "The following areas and paths under domain https://www.simscale.com: Paths: /signup/*, /signin/*, /onboarding/* Examples: Paths: /dashboard Examples (login required): Paths: /workbench/* Examples (login required): Paths: /projects/* Examples: All API endpoints used by UIs listed above. Paths: /api/*, /csm/*, /postprocessing/*", "impact": "Tier 2" }, { "type": "other", "endpoint": "SimScale Website", "description": "Domain https://www.simscale.com and the remaining paths not listed under SimScale Platform. Examples:", 
"impact": "Tier 3" }, { "type": "wildcard", "endpoint": "https://www.simscale.com/api/v1/projects/*", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "www.simscale.com/forum/users/*.json", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "b0de5cde-9841-464a-9d6b-642824f00dc6", "name": "Sixt", "company_handle": "sixt", "handle": "sixt", "url": "https://www.intigriti.com/programs/sixt/sixt/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.sixt.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.sixt.de", "description": "", "impact": "No bounty" }, { "type": "ios", "endpoint": "295079411", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "Any related sixt domain", "description": "Please find a full list of in scope domains see the attachment in scope section", "impact": "No bounty" }, { "type": "android", "endpoint": "com.sixt.reservation", "description": "", "impact": "No bounty" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "app.rental-images.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "b2cleasing.typo3.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "corporate.typo3.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "domainparking.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "drying-little-tears.org", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "fleetcheck.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", 
"endpoint": "https://p001-slweb-px.p001.slweb.smc.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://s004-px01.s004.smc.sixt.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://s004-px02.s004.smc.sixt.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://siemens.smc.sixt.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://sixt-leasing", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "intranet.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "lacb2c.typo3.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "lkw.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "lkw.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "logistics.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "partner.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "partner.typo3.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "promo.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "promo.typo3.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "reporting.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "rproxy-firenze1.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "rproxy-firenze2.sixt.de", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "s002-lb-siemens-test.s002.smc.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "s003-lb-siemens-stage.s003.smc.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": 
"s004-lb-siemens.s004.smc.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "sixtbook.sixt.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "webservices.sixt.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "152bc833-04a4-40d2-bdaa-0b31f6161449", "name": "Social Deal", "company_handle": "socialdeal", "handle": "socialdeal", "url": "https://www.intigriti.com/programs/socialdeal/socialdeal/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 750, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "910898851", "description": "We expect that issued items are including print-screen of the version of the app. Flow to get to version number", "impact": "Tier 2" }, { "type": "android", "endpoint": "app.nl.socialdeal", "description": "We expect that issued items are including print-screen of the version of the app. 
Flow to get to version number", "impact": "Tier 2" }, { "type": "url", "endpoint": "http://socialdeal.nl/inspirations/bluemonday/", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "http://www.whynot.com/", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.socialdeal.nl/orderlist/5e834ae0bed5c/63d772e2ed277/", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.socialdeal.nl", "description": "Our main website.www.socialdeal.be and www.socialdeal.de are the same websites, with different Locale.", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "18058413-5255-4f5c-a9db-c6ac027bb5d6", "name": "Soundtrack Your Brand", "company_handle": "syb", "handle": "soundtrackyourbrand", "url": "https://www.intigriti.com/programs/syb/soundtrackyourbrand/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1114799709", "description": "The iOS Player app that allows you to browse and play music.In order to use the iOS Player you will need a pairing code that you can obtain through https://business.soundtrackyourbrand.com using the test credentials.https://www.youtube.com/watch?v=y7HGAtsB6Tg", "impact": "Tier 1" }, { "type": "ios", "endpoint": "1114800186", "description": "The iOS Remote that allows you to remotely control your Soundtrack Players.In order to use the iOS Remote you will need a remote code that you can obtain through https://business.soundtrackyourbrand.com using the test credentials.https://www.youtube.com/watch?v=cmAe1kRvOeY", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.soundtrackyourbrand.com", "description": "Our public API. Used by us as well as third parties. 
You can use your regular login token to authenticate. Docs: https://developer.soundtrackyourbrand.com/api GraphQL Explorer: https://api.soundtrackyourbrand.com/v2/explore Please use one of the claimed test credentials. In order to use the API you can login using your claimed credentials (via loginUser) and use the token you get back to issue API calls.", "impact": "Tier 1" }, { "type": "url", "endpoint": "billing.api.soundtrackyourbrand.com", "description": "Our billing service. Handles payments (one time and recurring), price and product management and subscription renewals.", "impact": "Tier 1" }, { "type": "url", "endpoint": "builds.soundtrackyourbrand.com", "description": "Our service which does gradual rollout of our player software to our Windows client and hardware players.", "impact": "Tier 1" }, { "type": "url", "endpoint": "business.soundtrackyourbrand.com", "description": "Our web based management console that allows users to administer their players, music and their account. To claim bounties for this domain you need to use one of the claimed test credentials.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.soundtrackyourbrand.soundtrack.player", "description": "The Android Player app that allows you to browse and play music. In order to use the Android Player you will need a pairing code that you can obtain through https://business.soundtrackyourbrand.com using the test credentials. https://www.youtube.com/watch?v=y7HGAtsB6Tg", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://auth.api.soundtrackyourbrand.com/", "description": "Our authentication service.", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://builds.soundtrackyourbrand.com/download/WIN32SOUNDTRACK/latest", "description": "The Windows Player that allows you to play music. 
No user interface except for a tray icon. In order to use the Windows Player you will need a pairing code that you can obtain through https://business.soundtrackyourbrand.com using the test credentials. https://www.youtube.com/watch?v=HjFfXcjSEmM", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://radio.api.soundtrackyourbrand.com/", "description": "Our playlisting service.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://www.soundtrackyourbrand.com", "description": "Our public website.", "impact": "Tier 1" }, { "type": "other", "endpoint": "macOS app", "description": "The macOS Player app allows you to browse and play music. You can find it in the App Store: https://apps.apple.com/se/app/soundtrack-player/id1114799709?l=en In order to use the macOS you will need a pairing code that you can obtain through https://business.soundtrackyourbrand.com using the test credentials. https://www.youtube.com/watch?v=y7HGAtsB6Tg", "impact": "Tier 1" } ], "out_of_scope": [ ] } }, { "id": "5ed6962a-7017-4d60-8805-e169b638528d", "name": "Sqills", "company_handle": "sqills", "handle": "sqillscorporatewebsite", "url": "https://www.intigriti.com/programs/sqills/sqillscorporatewebsite/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.sqills.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.sqills.team", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.red.sqills.team", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "booking.*.cloud.sqills.com", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "booking.*.sqills.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.sqills.com", "description": "", "impact": "Out of scope" } ], 
"out_of_scope": [ ] } }, { "id": "e56d6838-a1da-46d4-9d89-8154e017ae89", "name": "Submit your research - Fast lane", "company_handle": "intigriti", "handle": "fastlane", "url": "https://www.intigriti.com/programs/intigriti/fastlane/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Research", "description": "", "impact": "Tier 1" } ], "out_of_scope": [ ] } }, { "id": "87a468af-75ac-4e99-b061-0c40517a784c", "name": "Suivo", "company_handle": "suivo", "handle": "suivoweb", "url": "https://www.intigriti.com/programs/suivo/suivoweb/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "aweb.suivo.com", "description": "For this domain, you can self-register. More information see FAQ", "impact": "Tier 2" }, { "type": "url", "endpoint": "asupport.suivo.com", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "495935c2-44bf-4eb5-81b4-dac0daa38b79", "name": "Telenet - Base - Wyre - Tadaam", "company_handle": "telenet", "handle": "telenetgroup", "url": "https://www.intigriti.com/programs/telenet/telenetgroup/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ ], "out_of_scope": [ ] } }, { "id": "82be1e9b-f9ab-45e7-82fd-9ba65be37645", "name": "Tempo-Team ", "company_handle": "randstad", "handle": "tempo-team", "url": "https://www.intigriti.com/programs/randstad/tempo-team/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": 
"*.tempo-team.*", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "Any related Tempo-Team domain", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tempo-team.be", "description": "🇳🇱🇫🇷", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tempo-team.com", "description": "🇩🇪", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tempo-team.nl", "description": "🇳🇱", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.tempo-team.de", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "025558a4-e74e-41eb-9bf6-a01dbe8e5a7a", "name": "The Coca-Cola Company Vulnerability Disclosure Program", "company_handle": "tccc", "handle": "coca-cola", "url": "https://www.intigriti.com/programs/tccc/coca-cola/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Brand Sites", "description": "Brand sites owned by The Coca-Cola Company.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Corporate Sites", "description": "*.us.coca-cola.com, *.coca-cola.com, *.ko.com, *.testko.com, *.coca-colacompany.com, *.coke.com, *.cokeurl.com, *.tccc-aem.com", "impact": "Tier 2" }, { "type": "other", "endpoint": "Mobile Applications", "description": "Coca-Cola iOS App, Coca-Cola Android App", "impact": "Tier 2" }, { "type": "other", "endpoint": "Publicly Facing Assets Related to The Coca-Cola Company", "description": "Researchers are welcome to submit reports on any publicly facing asset(s) attributed to The Coca-Cola Company.", "impact": "Tier 2" }, { "type": "other", "endpoint": "*.cn", "description": "All assets located in or related to China are out of scope and reports will not be accepted.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.na.ko.com", "description": "", "impact": "Out of scope" }, { "type": "other", "endpoint": "Coke 
One North America (CONA)", "description": "Any application or asset owned by Coke One North America (CONA)", "impact": "Out of scope" }, { "type": "other", "endpoint": "Coke Store", "description": "Any application or asset related to the Coke Store.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Food and Beverage Dispensing Devices", "description": "Due to the unique nature of these devices (usually present on networks operated by 3rd parties), we do not authorize testing against them.", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "2e52d6d3-da18-467f-836e-7a22b82bef5f", "name": "Tomorrowland", "company_handle": "tomorrowland", "handle": "tomorrowland", "url": "https://www.intigriti.com/programs/tomorrowland/tomorrowland/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.aroundtheworld.tomorrowland.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "artists.tomorrowland.com/production-website/33117", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "cognito-idp.eu-west-1.amazonaws.com", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.tomorrowland.oneworldradio", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "globaljourney.tomorrowland.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "mdm.weareone.world", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "my.tomorrowland.com", "description": "", "impact": "Tier 2" }, { "type": "ios", "endpoint": "one-world-radio-tomorrowland/id1485778856", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "oneworldradio.tomorrowland.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "sp1y1tpaf1.execute-api.eu-west-1.amazonaws.com", 
"description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "winterpackages.tomorrowland.com", "description": "Out of Scope: bypassing payment process", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tomorrowland.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.tomorrowland.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "components.stag.tomorrowland.com", "description": "Vulnerabilities found on either components.stag.tomorrowland.com or components.tomorrowland.com will be considered duplicate.", "impact": "Tier 3" }, { "type": "url", "endpoint": "components.tomorrowland.com", "description": "Vulnerabilities found on either components.stag.tomorrowland.com or components.tomorrowland.com will be considered duplicate.", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "0d0034de-b53e-47b8-9a9d-41c302c49b5a", "name": "Torfs", "company_handle": "torfs", "handle": "torfs", "url": "https://www.intigriti.com/programs/torfs/torfs/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 6500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "winkels.torfs.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.schoenentorfs.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.schoenentorfs.nl", "description": "🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.torfs.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.torfs.nl", "description": "🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.samenfittorfs.be", "description": "🇳🇱", "impact": "Tier 3" }, { "type": "other", "endpoint": "Any related Torfs domain", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "efa92aaa-d683-4cf9-8834-a03cf864cc80", "name": "Trouw", "company_handle": "dpgm", 
"handle": "trouw", "url": "https://www.intigriti.com/programs/dpgm/trouw/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.trouw.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.trouw.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.trouw.nl", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.trouw.nl", "description": "excluding", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.trouw.nl/abonnementen", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.trouw.nl", "description": "excluding abonnement.trouw.nl", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* trouw.nl/inloggen", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* trouw.nl/login", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* trouw.nl/registreren", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* trouw.nl/service", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.trouw.nl", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "ed04d1ef-1aa3-49dd-92f1-06f50f9756b9", "name": "TrueLayer", "company_handle": "truelayer", "handle": "truelayer", "url": "https://www.intigriti.com/programs/truelayer/truelayer/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 75, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api.truelayer[-sandbox].com", "description": "The majority of our API endpoints live here", "impact": "Tier 1" }, { "type": "url", "endpoint": "auth.truelayer[-sandbox].com", "description": "Our service 
for getting OAuth access tokens to access our APIs", "impact": "Tier 1" }, { "type": "url", "endpoint": "login-api.truelayer[-sandbox].com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "login.truelayer[-sandbox].com", "description": "Where you can connect your bank account and use Open Banking to pull data such as transactions", "impact": "Tier 1" }, { "type": "url", "endpoint": "onboarding-api.truelayer.com", "description": "Used in the developer console", "impact": "Tier 1" }, { "type": "url", "endpoint": "pay-api.truelayer[-sandbox].com", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "pay.truelayer[-sandbox].com", "description": "Some of our older payment API endpoints live here rather than on api.truelayer.com", "impact": "Tier 1" }, { "type": "url", "endpoint": "paydirect.truelayer[-sandbox].com", "description": "Some of our older payment API endpoints live here rather than on api.truelayer.com", "impact": "Tier 1" }, { "type": "url", "endpoint": "payment.truelayer[-sandbox].com", "description": "Our hosted payments page for merchants that want us to manage the UI screens for making payments", "impact": "Tier 1" }, { "type": "url", "endpoint": "payouts.truelayer[-sandbox].com", "description": "Our Payouts API", "impact": "Tier 1" }, { "type": "url", "endpoint": "users-api.truelayer.com", "description": "Internal service for managing users", "impact": "Tier 1" }, { "type": "other", "endpoint": "C# SDK", "description": "https://github.com/TrueLayer/truelayer-dotnet", "impact": "Tier 2" }, { "type": "url", "endpoint": "console-backend.truelayer[-sandbox].com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "console.truelayer[-sandbox].com", "description": "Our developer console where you can login, create applications, manage your OAuth client ID/secret, upload public keys for request signing, view transactions", "impact": "Tier 2" }, { "type": "url", "endpoint": 
"hpp.truelayer[-sandbox].com", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Java SDK", "description": "https://github.com/TrueLayer/truelayer-java", "impact": "Tier 2" }, { "type": "other", "endpoint": "PHP SDK", "description": "https://github.com/TrueLayer/truelayer-php", "impact": "Tier 2" }, { "type": "other", "endpoint": "TrueLayer for Magento (Magento plugin)", "description": "https://github.com/TrueLayer/magento2", "impact": "Tier 2" }, { "type": "other", "endpoint": "TrueLayer for WooCommerce (WordPress plugin)", "description": "https://wordpress.org/plugins/truelayer-for-woocommerce/ is our WordPress plugin allowing you to use TrueLayer as a checkout option in your WooCommerce store. The source code is also available on GitHub.", "impact": "Tier 2" }, { "type": "other", "endpoint": "truelayer-signing", "description": "https://github.com/TrueLayer/truelayer-signing is our open source library for generating signed requests for calling TrueLayer APIs. Many languages are supported including Rust, C#, NodeJS, Go, Java and PHP.", "impact": "Tier 2" }, { "type": "url", "endpoint": "webhooks.truelayer[-sandbox].com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.truelayer.cloud", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.truelayer.com", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.truelayer.io", "description": "", "impact": "Tier 3" }, { "type": "other", "endpoint": "iOS SDK", "description": "https://github.com/TrueLayer/TrueLayer-iOS-SDK", "impact": "Tier 3" }, { "type": "other", "endpoint": "React Native SDK", "description": "https://github.com/TrueLayer/truelayer-react-native-sdk", "impact": "Tier 3" }, { "type": "other", "endpoint": "Rust SDK", "description": "https://github.com/TrueLayer/truelayer-rust Currently we are not paying bounties for this asset as it's still in alpha.", "impact": "No bounty" }, { "type": "url", "endpoint": 
"banks.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "docs.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://truelayer.com/contact/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "index.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "info.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "signin.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "statuspage.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "support.truelayer.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "truelayer.zendesk.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "51bde6cd-ee7e-4236-98f0-60166bea28e3", "name": "Twago", "company_handle": "randstad", "handle": "twago", "url": "https://www.intigriti.com/programs/randstad/twago/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.itprojects.talent-community.com", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "e6386eb8-ce59-43b5-98b6-f1590cafdceb", "name": "Tweakers", "company_handle": "dpgm", "handle": "tweakers", "url": "https://www.intigriti.com/programs/dpgm/tweakers/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.tweakblogs.net", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": 
"*.tweakers.net", "description": "Out of scope: elect.tweakers.net", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.tweakimg.net", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "elect.tweakers.net", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "2cf03670-6a2d-4ac7-8b1e-2e0d84338204", "name": "UZ Leuven", "company_handle": "uz leuven", "handle": "uzleuven", "url": "https://www.intigriti.com/programs/uz%20leuven/uzleuven/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ip range", "endpoint": "", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "autodiscover.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "ecrf.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "extranet-asa.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "extranet.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "liquidfiles.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "mx1.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "mx2.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "pcrstudioruzb.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "prddsplunkhf.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "sts.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.uzleuven.be", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "dns1.uzleuven.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "dns2.uzleuven.be", "description": "", "impact": "Tier 2" }, { "type": "url", 
"endpoint": "liquidfilestest.uzleuven.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "random.uzleuven.be/random/", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "teststs.uzleuven.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "uzlcm12cmg1.uzleuven.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "w1.uzleuven.be", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.kwsdose.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.playuzleuven.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.uzleuven.*", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.contactallerg(y|ie).uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.mir.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*dev.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*idp*.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*stag*.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "files.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "kumulus.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "mijnacc.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "mirc.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "prddnighting01.uzleuven.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "w1.uzleuven.be/random", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "ziekenhuisschool.be", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "jobs.uzleuven.be", "description": "", 
"impact": "Out of scope" }, { "type": "url", "endpoint": "vacatures.uzleuven.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "eb340a46-b5b8-4165-b8d8-bc032493e8a6", "name": "Ubisoft VDP", "company_handle": "ubisoft", "handle": "ubisoftvdp", "url": "https://www.intigriti.com/programs/ubisoft/ubisoftvdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 3000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Ubisoft", "description": "Ubisoft services available from the internet and any software developed by Ubisoft that is not listed as Out of Scope. This includes our web applications, servers, and all our game(s) within 1 year of the last patch/update.", "impact": "Tier 2" }, { "type": "url", "endpoint": "ivalua.ubisoft.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "suppliers-ivalua.ubisoft.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "a5158346-5add-4916-bd31-d8a5fe1e805f", "name": "Universitätsspital Zürich VDP", "company_handle": "universitatsspitalzurich", "handle": "usz-vdp", "url": "https://www.intigriti.com/programs/universitatsspitalzurich/usz-vdp/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.unispital.ch", "description": "forwarding to usz.ch", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.usz.ch", "description": "This is our main website. You are welcome to check it all around for security issues.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "28e0de63-e932-43cf-8a23-5ea24dabd48f", "name": "Uphold.com", "company_handle": "Uphold", "handle": "upholdcom", "url": "https://www.intigriti.com/programs/Uphold/upholdcom/detail", 
"status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1101145849", "description": "Uphold Wallet - iOS application. This is currently installable on Jailbroken devices, please read the out-of-scope findings.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "6444005221", "description": "UpHODL - iOS application. This is currently installable on Jailbroken devices, but we don't allow the user to proceed with creating a wallet. Please read the out-of-scope findings.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.uphold.com", "description": "Production Web Wallet API. Do not test service degradation attacks or horizontal privilege here. On the business app side, we allow you to create apps in sandbox, but you shouldn't be able to create them in Production. More information available here.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.uphold.labs.uphodl.android", "description": "UpHODL - Android application. This is currently installable on Jailbroken devices, but we don't allow the user to proceed with creating a wallet. Please read the out-of-scope findings.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.uphold.wallet", "description": "Uphold Wallet - Android application. This is currently installable on Jailbroken devices, please read the out-of-scope findings.", "impact": "Tier 1" }, { "type": "url", "endpoint": "graphql.topperpay.com/graphql", "description": "Production GraphQL API for Topper. Do not test service degradation attacks or horizontal privilege here. More information available here.", "impact": "Tier 1" }, { "type": "url", "endpoint": "wallet.uphold.com", "description": "Production Web Wallet Application. 
Do not test service degradation attacks or horizontal privilege here.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api-sandbox.uphold.com", "description": "Sandbox Web Wallet API. Use this environment for financial transaction testing, degradation attacks, or horizontal privilege attacks. Fund with Crypto Testnet Faucet (e.g. https://coinfaucet.eu/en/btc-testnet/ for Bitcoin). On the business app side, we allow you to create apps in sandbox, but you shouldn't be able to create them in Production. More information available here.", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.sandbox.topperpay.com", "description": "Sandbox Rest API for Topper. Use this environment for financial transaction testing, degradation attacks, or horizontal privilege attacks. More information available here.", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.topperpay.com", "description": "Production Rest API for Topper. Do not test service degradation attacks or horizontal privilege here. More information available here.", "impact": "Tier 2" }, { "type": "url", "endpoint": "graphql.sandbox.topperpay.com/graphql", "description": "Sandbox GraphQL API for Topper. Use this environment for financial transaction testing, degradation attacks, or horizontal privilege attacks. More information available here.", "impact": "Tier 2" }, { "type": "url", "endpoint": "wallet-sandbox.uphold.com", "description": "Sandbox Web Wallet Application. Use this environment for financial transaction testing, degradation attacks, or horizontal privilege attacks. Fund with Crypto Testnet Faucet (e.g. https://coinfaucet.eu/en/btc-testnet/ for Bitcoin)", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.uphold.com", "description": "Our institutional website. 
We're looking for issues that could impact our image and our users (defacement, XSS, etc.)", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.uphold.com", "description": "We are willing to give bonuses on anything you find and we agree is impactful, in the rest of our domain. Please note that third party services are out of scope unless the issue is caused due to a misconfiguration by Uphold.", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "3219ed72-e563-458d-aafd-9ce8ca4e3087", "name": "VRT", "company_handle": "vrtnv", "handle": "vrtnv", "url": "https://www.intigriti.com/programs/vrtnv/vrtnv/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 1500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "vrtnws-api.vrt.be", "description": "A collection of API's used for the VRT NWS product", "impact": "Tier 2" }, { "type": "ios", "endpoint": "1001982587", "description": "", "impact": "Tier 2" }, { "type": "ios", "endpoint": "1337574835", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "4ever.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.sporza.be", "description": "A collection of different API endpoints used on the sporza.be website.", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.vrt.radio", "description": "the api domain for VRT radio sites", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.vrt.ketnet.ketnetjr", "description": "", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.vrt.vrtnu", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "bff.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "cds.vrt.radio", "description": "the cds domain for VRT radio sites", "impact": "Tier 2" }, { "type": "url", "endpoint": "content.ketnet.be", "description": "Please keep automated scans at max 3 
requests/second here at the moment, we're aware of performance issues leading to outages on this domain if amount of 400's gets too high in a short time period.", "impact": "Tier 2" }, { "type": "url", "endpoint": "data.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "dedokterbeashow.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "juniormusical.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "kaatje.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "live-cf-vrt.akamaized.net", "description": "This Akamai CDN subdomain delivers part of our video content. We want to know about CDN misconfiguration, but we will not accept issues that are unsolvable by VRT.", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.vrt.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "magazine.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "media-services-public.vrt.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "ondemand-vrt.akamaized.net", "description": "This Akamai CDN subdomain delivers part of our video content. We want to know about CDN misconfiguration, but we will not accept issues that are unsolvable by VRT.", "impact": "Tier 2" }, { "type": "url", "endpoint": "player.vrt.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "privacy.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "profiel.vrt.be", "description": "VRT-profile with Single Sign On implementation", "impact": "Tier 2" }, { "type": "url", "endpoint": "remix-cf-vrt.akamaized.net", "description": "This Akamai CDN subdomain delivers part of our video content. 
We want to know about CDN misconfiguration, but we will not accept issues that are unsolvable by VRT.", "impact": "Tier 2" }, { "type": "url", "endpoint": "senior-bff.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "sport-components.sporza.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "sporza.be", "description": "Sporza is the brand of VRT used for sports.", "impact": "Tier 2" }, { "type": "url", "endpoint": "stubru.be/luister/select", "description": "Studio Brussel is a Dutch-speaking radio station in Belgium, owned by the VRT. This select scope is a first start, and will be extended in the future.", "impact": "Tier 2" }, { "type": "url", "endpoint": "vrt.be/vrtnu", "description": "VRT's online video platform. It allows its users to (re-)watch television programs of its brands één, Canvas and Ketnet on the internet. To be able to fully use VRT NU, you have to register for a VRT profile. Using all of VRT NU's content is only possible for users with a Belgian residential address. Without the login, you can still watch the live channels.", "impact": "Tier 2" }, { "type": "url", "endpoint": "vrt.be/vrtnws", "description": "VRT NWS is the news brand of VRT. 
Informing the Flemish citizen is an essential part of it's job.", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.ketnet.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "innovatie.vrt.be", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "shop.*.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "a5033edb-65a5-4e9f-8e4d-af548e42e647", "name": "VRT responsible disclosure", "company_handle": "vrtnv", "handle": "vrt", "url": "https://www.intigriti.com/programs/vrtnv/vrt/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.canvas.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.dewarmsteweek.be", "description": "Out of scope: shop.dewarmsteweek.be - no testing allowed", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.ketnet.be", "description": "Out of scope: shop.ketnet.be - no testing allowed", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.klara.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.mnm.be", "description": "Out of scope: shop.mnm.be - no testing allowed", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.radio1.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.radio2.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.radioplus.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.sporza.be", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.stubru.be", "description": "Out of scope: shop.stubru.be - no testing allowed", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.vrt.be", "description": "Out of scope: shop.vrt.be - no testing 
allowed. Out of scope: innovatie.vrt.be", "impact": "No bounty" }, { "type": "ios", "endpoint": "1001982587", "description": "Ketnet Junior", "impact": "No bounty" }, { "type": "ios", "endpoint": "1001983790", "description": "Ketnet", "impact": "No bounty" }, { "type": "ios", "endpoint": "1041369236", "description": "Wall of Moments", "impact": "No bounty" }, { "type": "ios", "endpoint": "1116046348", "description": "Radio 1", "impact": "No bounty" }, { "type": "ios", "endpoint": "1116049623", "description": "Radio 2", "impact": "No bounty" }, { "type": "ios", "endpoint": "1116054448", "description": "MNM", "impact": "No bounty" }, { "type": "ios", "endpoint": "1116054765", "description": "Klara", "impact": "No bounty" }, { "type": "ios", "endpoint": "1337574835", "description": "VRT NU", "impact": "No bounty" }, { "type": "ios", "endpoint": "388159251", "description": "Studio Brussel", "impact": "No bounty" }, { "type": "ios", "endpoint": "878339906", "description": "Sporza", "impact": "No bounty" }, { "type": "ios", "endpoint": "927943978", "description": "Kaatje van Ketnet", "impact": "No bounty" }, { "type": "ios", "endpoint": "952769219", "description": "VRT NWS", "impact": "No bounty" }, { "type": "ios", "endpoint": "959958329", "description": "Sporza Voetbal", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.ketnet.ketnet", "description": "Ketnet", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.ketnet.ketnetjr", "description": "Ketnet Junior", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.mobile.android.deredactie", "description": "VRT NWS", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.mobile.android.sporza.voetbal", "description": "Sporza voetbal", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.radioplus.klara", "description": "Klara", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.radioplus.mnm", "description": "MNM", "impact": "No bounty" }, { 
"type": "android", "endpoint": "be.vrt.radioplus.radio1", "description": "Radio 1", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.radioplus.radio2", "description": "Radio 2", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.radioplus.stubru", "description": "Studio Brussel", "impact": "No bounty" }, { "type": "android", "endpoint": "be.vrt.vrtnu", "description": "VRT NU", "impact": "No bounty" }, { "type": "android", "endpoint": "com.fwc2014.vrt.and", "description": "Sporza", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "981f8ca2-8ddd-48e8-b710-b6a00fba35cc", "name": "VTM GO", "company_handle": "dpgm", "handle": "vtmgo", "url": "https://www.intigriti.com/programs/dpgm/vtmgo/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.vtm.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "vtm.be/vtmgo", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "vtmgo.be", "description": "excluding", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.vtm.be", "description": "Out of scope: shop.vtm.be", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.vtmgo.be", "description": "", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "* vtmgo.be/inloggen", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* vtmgo.be/login", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* vtmgo.be/registreren", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* vtmgo.be/service", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "shop.vtm.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "c5a9bbd6-2139-4ec9-bdcc-8e2a5082fd7e", "name": "Venly", 
"company_handle": "arkane", "handle": "arkanenetwork", "url": "https://www.intigriti.com/programs/arkane/arkanenetwork/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api-wallet.venly.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.arkane.network", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.venly.market", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "connect.arkane.network", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "connect.venly.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "events.venly.market", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.arkane.network", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "login.venly.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "venly.market", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "wallet.venly.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "api-staging.venly.market", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "events-staging.venly.market", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "staging.venly.market", "description": "", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "acb142c1-ffeb-41c3-a9e7-1624054f42e4", "name": "Veriff Bug Bounty", "company_handle": "veriff", "handle": "veriffbugbounty", "url": "https://www.intigriti.com/programs/veriff/veriffbugbounty/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 5, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1467907532", "description": "An iOS 
application for demoing our product.", "impact": "Tier 1" }, { "type": "url", "endpoint": "alchemy.veriff.com", "description": "This is an end user (internal) API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.flamingo-eu.veriff.com", "description": "This is a public API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.us.veriff.me", "description": "This is a public API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.veriff.me", "description": "This is a public API endpoint.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.veriff.demo", "description": "An Android application for demoing our product.", "impact": "Tier 1" }, { "type": "url", "endpoint": "louvre.veriff.me", "description": "This is an end user (internal) API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "magic.veriff.me", "description": "This is an end user (internal) API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "station.veriff.com", "description": "Here you can find our Veriff Station application.", "impact": "Tier 1" }, { "type": "url", "endpoint": "stationapi.veriff.com", "description": "This is the backend for our Station application.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.veriff.com", "description": "Please note that third party services are out of scope unless the issue is caused due to a misconfiguration by Veriff.", "impact": "Tier 3" }, { "type": "url", "endpoint": "developers.veriff.me", "description": "You can find our developers documentation here.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.veriff.com", "description": "This is our marketing website.", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "0f95dabb-d299-4574-befc-bb96a3bafb42", "name": "Visma", "company_handle": "visma", "handle": "visma", "url": "https://www.intigriti.com/programs/visma/visma/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { 
"value": 100, "currency": "EUR" }, "max_bounty": { "value": 7500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "564141518", "description": "Visma Scanner: Visma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system. The iOS version of the app can be found here: https://apps.apple.com/us/app/visma-scanner/id564141518 Please read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-getting-started.pdf Out of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "accountsettings.connect.identity.stagaws.visma.com", "description": "Connect: See instructions for domain \"connect.identity.stagaws.visma.com\". Out of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "admin.stage.vismaonline.com", "description": "Visma Online: This is the old interface for the customer's administrators to administrate the company, where we still have some functionality that has not been moved to the new interface. For example invoicing information and everything regarding collaborations with AO. The collaboration part is out of scope as long as the use of student companies. Please read the Getting Started Instructions in the \"myservices.stage.vismaonline.com\" asset description. Out of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "ai-testing.maventa.com", "description": "AutoInvoice: This is the main UI for Visma AutoInvoice. AutoInvoice is Visma's automated and fully ERP integrated service for sending, receiving and handling invoices. AutoInvoice converts and exchanges electronic invoices, optionally prints invoices that can't be sent electronically, receives and interprets PDF invoices and offers services for scanning and interpretation of paper invoices. 
AutoInvoice handles both Business to Business (B2B) and Business to Consumer (B2C) invoices.Uses partially the embeddable user interface from autointerface-embeddable-stage.maventa.comCreate a test account on https://ai-testing.maventa.com/registrations, or use one of the demo accounts in the getting started instructions below:https://vismabugbountyprod.z16.web.core.windows.net/VismaAutoinvoice-getting-started.pdfOut of scope or works as expected (accepted risk):Note! ai-testing.maventa.com and testing.maventa.com point to the same application but have different branding on the UI. Authentication to the user interface is handled using the Visma Connect service.", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.workbox.dk", "description": "DineroThis is Dinero's Public API.See instructions for \"app.workbox.dk\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.workbox.dk", "description": "DineroDinero is an accounting software for sole traders and micro businesses based out of Denmark. Our only target group is danish companies and therefore the interface is in danish only. The application is a SaaS application hosted in the cloud and consists of a main application and a number of supportive microservices.See the getting started document here: https://vismabugbountyprod.z16.web.core.windows.net/VismaDinero-getting-started.pdfOut of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "authz.workbox.dk", "description": "DineroUsed for Authorization (OAuth). 
See instructions for \"app.workbox.dk\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "autointerface.stag.visma.net", "description": "AutoInvoiceSee instructions for domain 'ai-testing.maventa.com' to get user credentials.The same resource can be accessed through the URL autointerface-embeddable-stage.maventa.comAll data processing is done through the REST API at ax-stage.maventa.comOut of scope or works as expected (accepted risk):", "impact": "Tier 2" }, { "type": "url", "endpoint": "ax-stage.maventa.com", "description": "AutoInvoicehttps://ax-stage.maventa.com is a REST API connected to Visma AutoInvoice.API documentation is available on https://documentation.maventa.com/rest-api/ and https://ax-stage.maventa.com/swagger/#/See instructions for domain 'ai-testing.maventa.com' to get user credentials.Out of scope or works as expected (accepted risk):", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.visma.blue", "description": "Visma ScannerVisma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.The Android version of the app can be found here:https://play.google.com/store/apps/details?id=com.visma.blue&hl=enPlease read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-getting-started.pdfOut of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "connect.identity.stagaws.visma.com", "description": "ConnectVisma Connect is featurewise a small but critical component in the Visma portfolio. It is a single sign-on solution used by many Visma services. 
It is also the place where users manage security preferences such as passwords, MFA, 2FA, email and other account settings.User accounts for testing can be created on https://connect.identity.stagaws.visma.com (this signup flow is not available in production).The test accounts will not have access to any other services right now, so testing is limited to the login portal itself.Out of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "eaccounting.stage.vismaonline.com", "description": "eAccountingThis is \"Visma eAccounting\" (aka Visma eEkonomi / Visma ePasseli) which is an ERP system available in Sweden, Norway, Finland and The Netherlands.We've added into scope also the eEkonomi \"Visma Lön Smart\" which is a subservice of eAccounting. This can be found after you activate your account (check out the instructions below).You can read more on https://www.visma.no/eaccounting/english/You need to register a user to test this system. The sign-up process is described in this document:https://vismabugbountyprod.z16.web.core.windows.net/Visma-eAccounting-getting-started.pdfThis video also shows the entire setup (only Swedish audio) https://www.youtube.com/watch?v=kVr_CXgfhi0&t=4sTLDR: Go to https://admin.stage.vismaonline.com/Customer/StudentSignup.aspx and sign up with the training code \"04h2v\"Out of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "eaccountingprinting.stage.vismaonline.com", "description": "eAccountingYou reach this asset by creating and viewing a report under the Accounting/Reports menu as a logged on user in asset \"eaccounting.stage.vismaonline.com\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "identity.stage.vismaonline.com", "description": "Visma OnlineVisma Connect is used as identity provider, but an own identity server is used to provide JWT tokens that are used by MyServices (and others).Please read the Getting Started instructions document in the \"myservices.stage.vismaonline.com\" asset description.Out of 
scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "myservices-api.stage.vismaonline.com", "description": "Visma OnlineThis is the API behind \"myservices.stage.vismaonline.com\".Please read the Getting Started instructions document in the asset description \"myservices.stage.vismaonline.com\".", "impact": "Tier 2" }, { "type": "url", "endpoint": "myservices.stage.vismaonline.com", "description": "Visma OnlineThis is an interface where the customer's users can access all their services, and customer's administrators can manage users on the company and manage users' access to services that the company has.More information about the service and test accounts creation can be found here:https://vismabugbountyprod.z16.web.core.windows.net/VismaOnline-getting-started.pdfOut of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "oauth.developers.stagaws.visma.com", "description": "Visma Developer PortalVisma Developer Portal is used both internally and externally by developers for registering OAuth 2.0/OpenID Connect applications for Single-Sign-On with Visma (Visma Connect) and/or API integration.Existing Visma Connect users accounts can be used for testing. We also allow registration of new users if needed.Users need to register an organization as part of the sign-in or to be added (invite) to an existing organization by organization's manager. 
The user which registers the organization also gets manager role assigned.Each organization has its own set of OAuth 2.0/OpenID Connect applications.Please read the Getting Started Instructions here: https://vismabugbountyprod.z16.web.core.windows.net/VismaDeveloperPortal-getting-started.pdfOut of scope:", "impact": "Tier 2" }, { "type": "url", "endpoint": "testing.maventa.com", "description": "AutoInvoicehttps://testing.maventa.com/apis/v1.1/wsdl is a SOAP API connected to Visma AutoInvoice.API documentation is available on https://documentation.maventa.com/soap-api/See instructions for domain 'ai-testing.maventa.com' to get user credentials.", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "3e51fb18-7082-4ce5-85d0-2bd889b5ed4e", "name": "Visma Responsible Disclosure", "company_handle": "visma", "handle": "VismaResponsibleDisclosure", "url": "https://www.intigriti.com/programs/visma/VismaResponsibleDisclosure/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "all", "description": "This program covers all Visma services, products or web properties.We do not offer money rewards for this program, but as a small token of appreciation for all researchers that submit a previously unknown vulnerability that triggers a code or configuration change, we will offer a place on our Security Hall of Fame (HoF).Also for all valid Medium+ reports, we will offer swags.For money rewards, the only exceptions are the specific assets listed in our Public Bug Bounty Program, see https://app.intigriti.com/programs/visma/visma/detail. 
Please note that we will only accept reports for the explicitly listed assets under our Public program.", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "f64faa66-b7e6-4ad7-bf56-b64a885d682a", "name": "Vlerick Business School", "company_handle": "vlerickbusinessschool", "handle": "vlerickbusinessschool", "url": "https://www.intigriti.com/programs/vlerickbusinessschool/vlerickbusinessschool/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.vlerick.com", "description": "When you start testing www.vlerick.com, visit www.vlerick.com/en?internal first. In this way, your testing is not taken into account in our web stats.", "impact": "No bounty" }, { "type": "ip range", "endpoint": "", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "https://viper.uat.vlerick.com/", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "https://www-tst.vlerick.com/en/", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "https://enterprise.vlerick.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://enterprise2.vlerick.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://mastersblog.vlerick.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://repository.vlerick.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://spoc.myshopify.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://vlerick.myshopify.com/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://webform.vlerick.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "92431bf9-ab3e-4e69-9619-c59f8e5193b1", "name": "Voi 
Scooters", "company_handle": "voi", "handle": "voiscooters", "url": "https://www.intigriti.com/programs/voi/voiscooters/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1395921017", "description": "iOS Mobile Application", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://api.voiapp.io/", "description": "Backend REST API", "impact": "Tier 1" }, { "type": "android", "endpoint": "io.voiapp.voi", "description": "Android Mobile Application", "impact": "Tier 1" }, { "type": "url", "endpoint": "mds.voiapp.io", "description": "Partner API as documented at https://docs.voiscooters.com/", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.voiscooters.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "report.voi.com", "description": "Website to report badly parked scooters.", "impact": "Tier 3" }, { "type": "url", "endpoint": "voi.com", "description": "Informational Website", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.voiscooters.com", "description": "Informational Website", "impact": "Tier 3" } ], "out_of_scope": [ ] } }, { "id": "1e325f65-37de-4094-9079-217e27cab00b", "name": "WP Engine", "company_handle": "wpengine", "handle": "wpengine", "url": "https://www.intigriti.com/programs/wpengine/wpengine/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*. advancedcustomfields.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*. 
bettersearchreplace.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.deliciousbrains.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.studiopress.com", "description": "The studiopress.com, www.studiopress.com, and my.studiopress.com sites are public facing marketing and WordPress theme e-commerce sites. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.wpengine.io", "description": "This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be \"internal\" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpengine.io", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "*.wpesvc.net", "description": "This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be \"internal\" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpesvc.net", "impact": "No bounty" }, { "type": "url", "endpoint": "app.getflywheel.com", "description": "This is the primary site for researchers to register and test both the Flywheel App as well as the Flywheel Platform. We will not provide credentials or bypass verification controls (i.e., a researcher will need to either provide a valid phone number or credit card to have a live site), but a researcher may register a demo site that matches the platform's functionality without verification. Please use your Intigriti credentials to register. 
Please note that any issues regarding an individual WordPress installation on the Flywheel platform, outside of plugins owned by WP Engine/Flywheel, will be considered out of scope as we do not monitor or manage customer content. We are, however, very interested in issues that may compromise customer isolation on the platform or cause data to be leaked from either a host or an unrelated customer site.", "impact": "No bounty" }, { "type": "url", "endpoint": "getflywheel.com", "description": "This site is the landing page for Flywheel-branded services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality or https://getflywheel.com/schedule-a-demo/. No testing should be done against these targets or any 3rd party services. Please do not contact Live Chat agents.", "impact": "No bounty" }, { "type": "url", "endpoint": "my.wpengine.com", "description": "The User Portal for WP Engine. Customers manage their WordPress sites, addons, and billing details through this portal. No credentials will be provided. Researchers are free to test functionality that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.", "impact": "No bounty" }, { "type": "url", "endpoint": "spressforumstg.wpengine.com", "description": "The staging environment for the StudioPress community forum, built on WordPress. Researchers are welcome to register an account using their @intigriti.me email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. 
Do not attempt to gain access to any user accounts not under your control.", "impact": "No bounty" }, { "type": "url", "endpoint": "studiopress.blog", "description": "This is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.", "impact": "No bounty" }, { "type": "other", "endpoint": "WP Engine-developed WordPress Plugins and Themes", "description": "We accept any reports of vulnerabilities in plugins or themes managed or developed by WP Engine, with the exception of any application-level vulnerabilities in the Out of Scope section below. These free versions closely mirror their paid counterparts, so any vulnerabilities discovered should be applicable to both the paid and free plugins.We also accept reports for the following Delicious Brains plugins:https://wordpress.org/plugins/advanced-custom-fields", "impact": "No bounty" }, { "type": "url", "endpoint": "wpengine.com", "description": "This is the landing page for the main WP Engine website. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. 
No testing should be done against these targets or any 3rd party services.", "impact": "No bounty" }, { "type": "url", "endpoint": "https://getflywheel.com/schedule-a-demo/", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://wpengine.com/contact/", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "bbc2d49d-6b11-40af-9746-aefa64756928", "name": "Yacht", "company_handle": "randstad", "handle": "yacht", "url": "https://www.intigriti.com/programs/randstad/yacht/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.yacht.nl", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "d89a3560-be5c-406c-8a73-e4c72b0ca4c4", "name": "Yahoo Bug Bounty", "company_handle": "yahoo", "handle": "yahoobugbounty", "url": "https://www.intigriti.com/programs/yahoo/yahoobugbounty/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 15000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*ensemble*.yahoo.com", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*omega*.yahoo.com", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "7 News", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL (misc)", "description": "Only use this asset when nothing else can be reasonably selected.Bugs with AOL that are not listed in scope of our other AOL-related assets can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Help", "description": "Any bugs found in non-production environments will not be eligible for the Same Bug Different 
Host bonus if the issue also exists in production.", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Homepage", "description": "First Party Things:", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Mail", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Search", "description": "Any bugs found in non-production environments will not be eligible for the Same Bug Different Host bonus if the issue also exists in production.", "impact": "Tier 2" }, { "type": "url", "endpoint": "apis.mail.yahoo.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "Autoblog", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "data.mail.yahoo.com", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Engadget", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Gemini", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Low Cost Access", "description": "##Other places to look##Notes", "impact": "Tier 2" }, { "type": "other", "endpoint": "Membership", "description": "##In ScopeSome documentation that may help:https://developer.yahoo.com/oauth2/guide/Specific paths to target….For login.*.comFor api.login.*.com##Out of Scope##Limits", "impact": "Tier 2" }, { "type": "url", "endpoint": "onepush.query.yahoo.com", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Online Marketplace", "description": "Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records.Please consolidate your reports.Note: Reporting the same issue separately for multiple CNAMEs will result in reports being marked as Duplicate at best.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Other (Misc)", "description": "Only use this asset when nothing else can be reasonably selected. 
Bugs with Yahoo products that are not listed in scope of our Public Program can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team .Use this asset for:", "impact": "Tier 2" }, { "type": "url", "endpoint": "proddata.xobni.yahoo.com", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Social Media Accounts", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Techcrunch", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW eCommerce: Auctions", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW eCommerce: Shopping", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW eCommerce: Used Car", "description": "Refer to the ## Notes ## section in the TW eCommerce: Auctions listing.", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW Media: Front Page", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW Media: News", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW Media: Stock", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Calendar", "description": "Specific paths to look at:Limit traffic against our services to < 10/second when probing or testing.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Finance", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo HK News", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Mail", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo News", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Open Source Projects", "description": "Select open source projects are now eligible for bounties.The rest of our open source projects are technically in scope, but at a reduced rate for the time being.", "impact": "Tier 2" }, { "type": "other", 
"endpoint": "Yahoo Search", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Best Ball", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Daily Fantasy", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Editorial", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Games", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Slate/PicknWin", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Sports", "description": "The betting feature in Fantasy is provided by a third party, BetMGM. https://sports.yahoo.com/odds/, is the page from where it redirects the user to the BetMGM. This is geographically restricted.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Wallet", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Mobile", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Rivals", "description": "All testing against rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Rivals Forums", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Video", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Weather", "description": "", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo! (Misc)", "description": "Only use this asset when nothing else can be reasonably selected.Bugs with Yahoo! 
that are not listed in scope of our other Yahoo-related assets can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.", "impact": "Tier 2" }, { "type": "url", "endpoint": "yimg.com", "description": "yimg is a resource storage and content distribution network (CDN).What does that mean for my report?", "impact": "Tier 2" }, { "type": "other", "endpoint": "Flurry", "description": "", "impact": "Out of scope" }, { "type": "other", "endpoint": "TW eCommerce: Store", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "190ed8f0-4412-4b6d-9415-6114da409600", "name": "Zero-day Bug Bounty", "company_handle": "intigriti", "handle": "zerodays", "url": "https://www.intigriti.com/programs/intigriti/zerodays/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 3000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Zero days that affect Intigriti or participating customers (listed below)", "description": "", "impact": "Tier 2" } ], "out_of_scope": [ ] } }, { "id": "a09e497e-fd75-4b56-afa0-7a6689389b76", "name": "e-tracker", "company_handle": "bpost", "handle": "e-tracker", "url": "https://www.intigriti.com/programs/bpost/e-tracker/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://etracker.bpost.cloud/pro", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "cefc1013-9927-4e4a-b306-e5d57f06d34a", "name": "eHealth Hub VZN KUL", "company_handle": "uz leuven", "handle": "ehealthhub&meta-hubvznkul", "url": "https://www.intigriti.com/programs/uz%20leuven/ehealthhub%26meta-hubvznkul/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, 
"currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "hub.vznkul.be/*", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "hub.vznkul.be/services/interhub/InterHubService", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "hub.vznkul.be/services/intrahub/IntraHubService", "description": "", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "hubacc.vznkul.be/*", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "hubacc.vznkul.be/services/acceptance/interhub/InterHubService", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "hubacc.vznkul.be/services/acceptance/intrahub/IntraHubService", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.vznkul.be", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "fdbe663a-c398-4f89-8182-9ab912470931", "name": "iBOOD.com", "company_handle": "iboodcom", "handle": "iboodcom", "url": "https://www.intigriti.com/programs/iboodcom/iboodcom/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1135288773", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.ibood.com", "description": "", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.ibood.app", "description": "", "impact": "Tier 1" }, { "type": "url", "endpoint": "my.ibood.com", "description": "", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ibood.io", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.ibood.com", "description": "Many pages contain a section for comments. 
Please use this page for testing: https://www.ibood.com/contents/pages/intigriti", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ibood.com", "description": "Many subdomains point to 3rd party services, which can often be recognized because they are CNAME records to out of scope domains.Please check the out of scope section to verify what is in / out of scope regarding these.", "impact": "Tier 3" }, { "type": "url", "endpoint": "beta.ibood.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "feeds.ibood.com", "description": "", "impact": "No bounty" }, { "type": "url", "endpoint": "img.ibood.com", "description": "", "impact": "No bounty" }, { "type": "wildcard", "endpoint": "service-*.ibood.com", "description": "", "impact": "No bounty" } ], "out_of_scope": [ ] } }, { "id": "6558543a-236f-4e98-91a3-4536e39b9c1e", "name": "intigriti", "company_handle": "intigriti", "handle": "intigriti", "url": "https://www.intigriti.com/programs/intigriti/intigriti/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 13337, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*pwn.intigriti.rocks", "description": "This is our test (PWN) environment that replicates production.", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.intigriti.com", "description": "This is our marketing website.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.intigriti.io", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.intigriti.me", "description": "", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.intigriti.net", "description": "", "impact": "Out of scope" }, { "type": "other", "endpoint": "any intigriti CTF or challenge", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "api.intercom.io", "description": "", "impact": "Out of scope" }, { "type": "url", 
"endpoint": "autodiscover.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "blog.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "click.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "go.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "kb.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "newsletter.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "other", "endpoint": "our hubspot pages (/hs-fs/, /hubfs/, /hs/, /_hcms/, landing/, report/, webinar/, /datasheet, /customer/, /video/...)", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "status.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "swag.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "t.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "trust.intigriti.com", "description": "", "impact": "Out of scope" }, { "type": "url", "endpoint": "welcome.intigriti.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } }, { "id": "bc3017b6-f657-4519-bf8f-00009d85bc47", "name": "vidaXL", "company_handle": "vidaxl", "handle": "vidaxlpublic", "url": "https://www.intigriti.com/programs/vidaxl/vidaxlpublic/detail", "status": "open", "confidentiality_level": "public", "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api.vidaxl.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": 
"ar.vidaxl.sa.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "b2b.vidaxl.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "cms.woger-cdn.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "customer-services.vidaxl.org", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "en.vidaxl.ae", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "en.vidaxl.ca", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "fps-extr-services.vidaxl.org", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "fr.vidaxl.ch", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "is.vidaxl.is", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "nexus.vidaxl.org", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "nl.vidaxl.be", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "serviceportal.vidaxl.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "shops-services.vidaxl.org", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "tracking.vidaxl.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "uk.vidaxl.com.ua", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "vidaxl.zendesk.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.dropshippingxl.com", "description": "", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.vidaxl.", "description": "Our TLDs for vidaxl are: .at, .bg, .com.uk, .com, .com.au, .cz, .de, .dk, .ee, .es, .fi, .fr, .gr, .hr, .hu, .ie, .it, .jp, .lt, .lv, .nl, .no, .pl, .pt, .ro, .se, .si, and .sk.", "impact": "Tier 2" }, { "type": "url", "endpoint": "apigateway.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "app.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", 
"endpoint": "corporate.vidaxl.com", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "drone.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "qa-db.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "qa.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "qa1-apigateway.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "staging-apigateway.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "staging-db.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "staging.vidaxl.io", "description": "", "impact": "Tier 3" }, { "type": "url", "endpoint": "partners.vidaxl.com", "description": "", "impact": "Out of scope" } ], "out_of_scope": [ ] } } ]