[ { "id": "e67941f1-2087-4681-8718-3e3f4dc51798", "name": "AMD Product Security Bug Bounty Program", "company_handle": "amd", "handle": "amd", "url": "https://www.intigriti.com/programs/amd/amd/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 500, "currency": "USD" }, "max_bounty": { "value": 30000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Hardware", "description": "Vulnerabilities in the physical hardware of **in scope** products and technologies", "impact": "Tier 1" }, { "type": "other", "endpoint": "Firmware", "description": "Vulnerabilities in the firmware of **in scope** products and technologies", "impact": "Tier 2" }, { "type": "other", "endpoint": "Software", "description": "Vulnerabilities in drivers or other software required to operate **in scope** products and technologies", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "other", "endpoint": "Out of Scope", "description": "* Optional tools\n* Installer issues\n* Product-independent software\n* Software for products and technologies for out of scope products\n", "impact": "Out of scope" } ] } }, { "id": "554fc6c5-4ffa-4682-a3ba-7e86696e9b17", "name": "Aikido Security: Bug Bounty Program", "company_handle": "aikido", "handle": "aikido", "url": "https://www.intigriti.com/programs/aikido/aikido/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "https://marketplace.visualstudio.com/items?itemName=AikidoSecurity.aikido", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.aikido.dev", "description": "This is our main application, which hosts the API as well as the front-end application.\n\nOur public API is also accessible via this host. 
Documentation is available here: https://apidocs.aikido.dev/.", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.aikido.dev", "description": null, "impact": "Out of scope" } ] } }, { "id": "30f445f7-ca4c-4130-9434-49add5c6ac74", "name": "Algemeen Dagblad", "company_handle": "dpgm", "handle": "algemeendagblad", "url": "https://www.intigriti.com/programs/dpgm/algemeendagblad/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.ad.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.ad.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.ad.nl", "description": "excluding\n* ad.nl/service\n* ad.nl/inloggen\n* ad.nl/login\n* ad.nl/registreren", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.ad.nl/abonnementen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ad.nl", "description": "excluding abonnement.ad.nl", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "badcb3b0-34be-4bd1-9186-7678aa5b5d17", "name": "Allegro", "company_handle": "allegro", "handle": "allegrobugbounty", "url": "https://www.intigriti.com/programs/allegro/allegrobugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.allegro.cz.allegrosandbox.pl", "description": "Allegro sandbox environment for the Czech Republic.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.allegro.pl.allegrosandbox.pl", "description": "The main sandbox environment that replicates Allegro production. 
For more information please visit [developer website](https://developer.allegro.pl/tutorials/basic-information-VL6YelvVKTn#test-environment).", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.allegro.sk.allegrosandbox.pl", "description": "Allegro sandbox environment for Slovakia.", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.allegro.cz", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.allegro.pl", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.allegro.sk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.allegrogroup.com", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "Any production website owned by Allegro not listed in Domains", "description": null, "impact": "Out of scope" } ] } }, { "id": "611efbaa-333e-4b7c-a3c0-89665abd3fe3", "name": "Altera", "company_handle": "altera", "handle": "altera", "url": "https://www.intigriti.com/programs/altera/altera/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 500, "currency": "USD" }, "max_bounty": { "value": 30000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "device", "endpoint": "Firmware", "description": "Firmware developed by Altera that executes within our FPGA products regardless of the storage media. Excludes any software that executes the Hard Processor Subsystem, or any software that executes on an embedded processor instantiated in soft-logic within the FPGA by a customer.", "impact": "Tier 1" }, { "type": "device", "endpoint": "Hardware", "description": "FPGA Integrated Circuit hardware. This may includes both a base FPGA and any associated co-packaged integrated circuits. 
", "impact": "Tier 1" }, { "type": "other", "endpoint": "FPGA Solution Development Tools and Utilities", "description": "Tools developed by Altera such as the Quartus Tool Suite used by customers to develop a solution that may comprise software, soft-logic that is hosted within an Altera FPGA device. Also includes various Altera authored supporting utilities used to manage deployment of customer designs to Altera FPGAs.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Software", "description": "Altera Developed Device Drivers that execute on a host computer that is connected to an Altera FPGA, used to manage or control the FPGA or any functions implemented by the customer within the FPGA.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Non Altera Products", "description": "Any elements of a complete customer solution developed by entities other than Altera that may be included in a final customer solution. Reports relating to such entities may be reported via the Altera Bug Bounty Program, but are not eligible for bounty payments. 
", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "e2a235f3-6a95-4134-a165-aa48e9632f47", "name": "Anaconda Vulnerability Disclosure Program", "company_handle": "anacondainc", "handle": "anacondavdp", "url": "https://www.intigriti.com/programs/anacondainc/anacondavdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "anaconda.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "f2a437ca-68cb-455c-81ba-3b8cd1b21cb2", "name": "Arbonia VDP program", "company_handle": "arbonia", "handle": "arboniavdpprogram", "url": "https://www.intigriti.com/programs/arbonia/arboniavdpprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://invado.pl", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://pruem-digital.de", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://tpo-holz.de", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://garant.de", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://joro.de", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://rwdschlatter.ch", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://tuer.de", "description": "Homepage of a subsidiary", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://tuerenhandbuch.garant.de", "description": 
"Manual of several door products", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "0acb1a74-c545-4941-ae57-7ca5fad9d449", "name": "Arm", "company_handle": "arm", "handle": "arm", "url": "https://www.intigriti.com/programs/arm/arm/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 500, "currency": "USD" }, "max_bounty": { "value": 20000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Firmware: Mali Command Stream Frontend (CSF) Firmware", "description": "#### Arm GPU Firmware running on the Command Stream Frontend (CSF): 'CSFFW' (`mali_csffw.bin`)\n\nOnly vulnerabilities that are exploitable through userspace mapped Command Buffers, and/or Kbase syscalls available to unprivileged userspace attackers (in EL0) are in scope.\n\nNote: the version of 'CSFFW' used must be matched to your device:\n- Its version must match the Kbase driver version in use.\n- It must be the correct variant of CSFFW for the device's GPU.\n\nThe version of CSFFW that comes on a compatible device will satisfy this, providing the device has the latest available security updates installed.\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Software: Mali GPU Kernel Driver", "description": "#### Arm Mali GPU Kernel Driver 'Kbase' (`mali_kbase.ko`)\n\nIn scope versions of the Arm Kbase driver version are:\n- The latest Arm Bifrost, Valhall, or 5th Gen GPU Kernel driver versions, as found on or, \n- Arm Bifrost, Valhall, or 5th Gen GPU Kernel driver versions r49p1 and above that are running on devices supported by the OEM and have latest available security patches applied.\n\nOnly vulnerabilities that are exploitable through syscalls available to unprivileged userspace attackers (in EL0) are in scope.\n\nUse of the following configuration options is allowed. 
The use of other options is out of scope and may only be used during investigation.\n\n#### Kbase Build Configuration\nMali Kbase Default KConfig Build Options are used.\n\nThe following must specifically be set:\n- `CONFIG_MALI_DEBUG=n`\n\nAdditionally, the following options may be changed:\n- `CONFIG_MALI_CSF_SUPPORT=y` or `n` (please refer to FAQ for which setting must be used)\n- `CONFIG_MALI_EXPERT=y` or `n`\n- `CONFIG_LARGE_PAGE_SUPPORT=y` or `n`\n- `CONFIG_MALI_TRACE_POWER_GPU_WORK_PERIOD=y` or `n`\n- `CONFIG_MALI_NO_MALI`, either:\n - `=n` (default)\n - `=y`, (excludes vulnerabilities in the \"dummy model\" code itself)\n\n#### Kbase Dynamic Configuration\nThe default module parameter settings must be used.\n\nAdditionally, the following option(s) may be changed (chosen at 'insmod' time) :\n- `kbase_page_migration_enabled`\n", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "933f224e-fbd3-4f08-a4fb-5038c2fa1a6e", "name": "Axel Springer National Media & Tech", "company_handle": "axelspringerse", "handle": "nmt", "url": "https://www.intigriti.com/programs/axelspringerse/nmt/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 15, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "politico.eu", "description": "politico.eu covers politics with a European lens, featuring Berlin Playbook briefings and POLITICO Pro analysis.", "impact": "Tier 1" }, { "type": "url", "endpoint": "adtechnology.axelspringer.com", "description": "technical domain used for advertising management on our brand websites.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.asadcdn.com", "description": "technical domain used for advertising management on our brand websites.", "impact": "Tier 1" }, { "type": "url", "endpoint": "bild.de", "description": "BILD is Germany's largest tabloid newspaper.\nYou can find Tier 
1 subdomains, as well as a Tier 2 wildcard subdomain.\nYou are welcome to create your own account and test our system.", "impact": "Tier 1" }, { "type": "url", "endpoint": "welt.de", "description": "Large German broadsheet newspaper. \n\nYou can find Tier 1 subdomains, as well as a Tier 2 wildcard subdomain.\nYou are welcome to create your own account and test our system.", "impact": "Tier 1" }, { "type": "url", "endpoint": "epaper.welt.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "cancellation.prod.ps.welt.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "digital.welt.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "signin.auth.welt.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "m.bild.de", "description": "The mobile version of BILD.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.hey.bild.de", "description": "Hey_ is a Chat Assistant offered by BILD.", "impact": "Tier 1" }, { "type": "url", "endpoint": "go.welt.de", "description": "Welt Go is a Chat Assistant offered by WELT.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.auth.bild.de", "description": "Login/registration for BILD.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.sportbild.de", "description": "German sports magazine from BILD.", "impact": "Tier 1" }, { "type": "url", "endpoint": "meinkonto.bild.de", "description": "The account settings of a BILD user.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.bild.tv", "description": "This is the livestream of the Bild television channel.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.computerbild.de", "description": "Is a magazine with the topic computer from Bild. 
\nSome examples of subdomains are\n- vip-club.computerbild.de (VIP club)\n- signin.auth.computerbild.de (login) \n\nother interesting paths \n- computerbild.de/download (download center)\n\nYou are also welcome to create your own account to test our system.", "impact": "Tier 1" }, { "type": "iprange", "endpoint": "18.184.198.198, 18.185.214.59, 18.194.109.179, 3.121.117.72, 3.121.138.10, 3.121.138.128, 3.121.138.134, 3.121.138.170, 3.121.138.33, 3.121.138.43, 3.124.248.208, 35.156.137.39", "description": "IP addresses of our backend systems, comma separated.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "dealer.prod.ps.axelspringer.de/purchases/*", "description": "Documentation: https://dealer-docs.prod.ps.axelspringer.de/", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.germany.politico.eu", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.welt.de", "description": "Large german broadsheet newspaper. \n\nYou are also welcome to create your own account to test our system.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.bild.de", "description": "Bild is the largest German tabloid newspaper. \nSome examples of subdomains are \n- angebot.bild.de (offers)\n\nYou are also welcome to create your own account to test our system.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.bild.design", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.autobild.de", "description": "Is a magazine with the topic cars from Bild. \nSome examples of subdomains\n- club.autobild.de\n\nYou are also welcome to create your own account to test our system.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.bz-berlin.de", "description": "Berlin based tabloid newspaper. 
\nSome examples of subdomains \n- backend.bz-berlin.de", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.spring-media.de", "description": "Used for internal tools, mostly behind a VPN.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.springtools.de", "description": "Used for internal tools, mostly behind a VPN.", "impact": "Tier 2" }, { "type": "url", "endpoint": "editorial.one", "description": "Used for internal tools, mostly behind a VPN.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.as-nmt.de", "description": "Used for internal api's and websites, mostly behind a VPN.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ein-herz-fuer-kinder.de", "description": "Charity organisation for children in Germany.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.fitbook.de", "description": "Magazine focusing on fitness topics.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.myhomebook.de", "description": "Magazine focusing on home and garden topics.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.petbook-magazine.com/", "description": "English version of the petbook.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.petbook.de", "description": "Magazine focusing on pet topics.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.stylebook.de", "description": "Magazine focusing on style topics.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.techbook.de", "description": "Magazine focusing on tech topics.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.travelbook.de", "description": "Magazine focusing on travel topics.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.wissen-sie-mehr.de", "description": "Whistleblower form from BILD.", "impact": "Tier 3" }, { "type": "url", "endpoint": "technik.autobild.de", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "technik.beta.autobild.de", "description": null, 
"impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.axelspringer.com", "description": "This domain is covered by our partner program. \nhttps://app.intigriti.com/programs/axelspringerse/axelspringersevulnerabilitydisclosureprogram/detail", "impact": "Out of scope" } ] } }, { "id": "bdbdcb88-3242-4d0b-8926-38775bd262bf", "name": "Axel Springer SE Vulnerability Disclosure Program", "company_handle": "axelspringerse", "handle": "axelspringersevulnerabilitydisclosureprogram", "url": "https://www.intigriti.com/programs/axelspringerse/axelspringersevulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.axelspringer.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "adtechnology.axelspringer.com", "description": "This asset falls under the Axel Springer National Media & Tech bug bounty program. 
We kindly ask that you report any findings related to this asset through that program.", "impact": "Out of scope" } ] } }, { "id": "baca9d50-2fd8-427f-bd56-e67f7f058573", "name": "BMC", "company_handle": "randstad", "handle": "bmc", "url": "https://www.intigriti.com/programs/randstad/bmc/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.bmc.nl", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "61e0e37c-19cc-4abe-af51-108a78bee995", "name": "BMW Group", "company_handle": "bmw", "handle": "bmwgroup", "url": "https://www.intigriti.com/programs/bmw/bmwgroup/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 150, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.bmw-motorrad.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.bmw.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.mini.de", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "configure.bmw.de", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "configure.mini.de", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "konfigurator.bmw-motorrad.de", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Other BMW Domains", "description": "Please select this asset to report vulnerabilities affecting BMW assets but not matching any of the assets stated above.\n\n**Important:** Note our policy regarding \"No Bounty Domains\" and a potentially deviating application of the **safe harbor clause**.\nWe may award a small bonus for these assets, but only valid 
high, critical and exceptional severity findings - this is however, at the discretion of the BMW Group team.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "other", "endpoint": "Automotive Security", "description": "Please submit valid findings regarding Automotive assets in our public [BMW Group - Automotive program](https://app.intigriti.com/programs/bmw/bmwgroup-automotive).", "impact": "Out of scope" }, { "type": "other", "endpoint": "Domains from independent BMW Dealers, Resellers or Fanclubs", "description": "These domains belong to legally independent entities. We can only inform these entities. However, we have no influence on the mitigation process of the vulnerabilities in these assets.", "impact": "Out of scope" } ] } }, { "id": "7ecdd3d1-a794-4ceb-9518-f9a016dc26a6", "name": "BMW Group Automotive", "company_handle": "bmw", "handle": "bmwgroup-automotive", "url": "https://www.intigriti.com/programs/bmw/bmwgroup-automotive/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 15000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "device", "endpoint": "Functions dealing with vehicle access and immobilizer", "description": null, "impact": "Tier 1" }, { "type": "ios", "endpoint": "1519034860", "description": null, "impact": "Tier 2" }, { "type": "android", "endpoint": "de.bmw.connected.mobile20.row", "description": null, "impact": "Tier 2" }, { "type": "device", "endpoint": "Remaining functions", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "2de0c513-e7e8-4e4f-b0d9-885e45c1f767", "name": "Bitvavo VDP", "company_handle": "bitvavo", "handle": "bitvavovdp", "url": "https://www.intigriti.com/programs/bitvavo/bitvavovdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, 
"max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1483903423", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "com.bitvavo.android", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "https://api.bitvavo.com/v2/*", "description": "This is the base REST API endpoint for Bitvavo. For the full list of available methods, endpoints, schema definition, and auth requirement consult the canonical API documentation: \n\nhttps://docs.bitvavo.com/docs/rest-api/\n\nBitvavo offers two protocols for interacting with its platform: **REST** and **WebSocket**. Both protocols return JSON-encoded responses, and use standard HTTP status codes. However, each protocol is optimized for different use cases:\n\n**REST API**\n* Best suited for synchronous, request-response interactions.\n* Client initiates every call, and the server responds with the requested data.\n\nFor more details, read carefully our API docs at https://docs.bitvavo.com/docs/get-started/", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "wss://ws.bitvavo.com/v2 *", "description": "This is the base WebSocket API endpoint for Bitvavo. For the full list of available methods, endpoints, schema definition, and auth requirement consult the canonical API documentation: \n\nhttps://docs.bitvavo.com/docs/websocket-api/\n\nBitvavo offers two protocols for interacting with its platform: **REST** and **WebSocket**. Both protocols return JSON-encoded responses, and use standard HTTP status codes. 
However, each protocol is optimized for different use cases:\n\n**WebSocket API**\n* Ideal for real-time, event-driven communication.\n* Once connected, the server continuously pushes updates to the client without requiring repeated requests.\n\nFor more details, read carefully our API docs at https://docs.bitvavo.com/docs/get-started/", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://bitvavo.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "5f29e1eb-85e8-4d99-9b52-b809f06de633", "name": "Bpost", "company_handle": "bpost", "handle": "dummy", "url": "https://www.intigriti.com/programs/bpost/dummy/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 1500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.bpost2.be", "description": "Some of the entry points :\n\nac2 versions of bpi & bpostinternational T&T\thttps://www.bpost2.be/ac2/bpi/track_trace/find.php\nInternational T&T\thttps://www.bpost2.be/bpi/track_trace/find.php \nInternational T&T\thttp://www.bpost2.be/bpostinternational/track_trace/find.php?lng=en & http://www.bpost2.be/bpostinternational/track_trace/find.php?search=s&lng=en&trackcode=1000\n\tCollect & stamp demo's\thttps://www.bpost2.be/collectandstamp/demo/nl/story_html5.html?lms=1\n\tStatic html library of Drupal components\thttp://bpost2.be/components/\n\tPOS locator - Still active : POS by ID & MP/HMP centres\thttps://www.bpost2.be/locations/etr/nl/map_id.php?id=002500 & https://www.bpost2.be/locations/business/nl/both.php\n\tOnline version of MP guide\thttps://www.bpost2.be/masspost/guide/nl/", "impact": "No Bounty" }, { "type": "url", "endpoint": "imove.bpost.cloud", "description": "Corporate application :\nMake your reservation to save a spot at the office", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.acbpost.be", 
"description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.bpost.cloud", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.landmarkglobal-group.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.stbpost.be", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "be.bpost.mobilecard", "description": "With Mobile Postcard you can send real personalized postcards based on photos and videos on your smartphone or tablet. We print them for you and ship them anywhere in the world.", "impact": "No Bounty" }, { "type": "android", "endpoint": "be.bpost.mybpost", "description": "Track, receive, send. With the My bpost app you can arrange all your parcels in 1 app.", "impact": "No Bounty" }, { "type": "device", "endpoint": "bpost Parcel Lockers", "description": "More info about these lockers on https://www.bpost.be/en/parcel-locker\n\nWe have parcel lockers with screen and screenless.\nYou need the mybpost app to open a screenless locker.", "impact": "No Bounty" }, { "type": "url", "endpoint": "career.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "dmm.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "eshop.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "maxiresponse.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "my.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "procuration.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "quickstamp-gb.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "register.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": 
"validationlist.bpost.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "www.bpost.be", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "4afd6f0f-40a3-4f6d-a332-56b5970d12a0", "name": "Bühler Group VDP", "company_handle": "buhlergroup", "handle": "buhlergroupvdp", "url": "https://www.intigriti.com/programs/buhlergroup/buhlergroupvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.buhlergroup.com", "description": "- Our main domain containing hundreds of subdomains/assets. Can be customer facing websites and services but also assets for internal purposes\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.pk-buhler.ch", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.buhler-datascience.ch", "description": "- containing subdomains/assets specific to our data science team\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.buhlercloud.com", "description": "- containing subdomains/assets related to a customer facing web application\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.ai", "description": "- containing subdomains/assets related to customer facing AI services\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.cn", "description": "- containing subdomains/assets located in our Chinese locations. 
Mainly IT systems related to internal purposes.\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.buhlergroup.io", "description": "- containing subdomains/assets related to customer facing digital services\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.buhlertest.ch", "description": "- containing subdomains/assets of test systems\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" }, { "type": "iprange", "endpoint": "194.9.120.0 - 194.9.123.255", "description": "- This is our public IP range used for systems located in the DMZ. (Sub)domains listed above may point to IPs in this range but there are also other types of assets such as network devices.\n- For assets requiring authentication, please refer to the FAQ section", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.info.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.learnhub.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.virtualworld-portal.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.virtualworld.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.webinars.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bestbuy.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "channel.buhlergroup.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "gitlab.buhler-datascience.ch/api/v4/projects", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "imap.buhlergroup.cn", "description": null, "impact": "Out of 
scope" }, { "type": "url", "endpoint": "pop.buhlergroup.cn", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "smtp.buhlergroup.cn", "description": null, "impact": "Out of scope" } ] } }, { "id": "efd8bd86-a986-4b4a-9eda-c9a6a1a6b540", "name": "CM.com", "company_handle": "cmcom", "handle": "cmcom", "url": "https://www.intigriti.com/programs/cmcom/cmcom/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "login.cm.com", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ticketing.cm.com", "description": "Login to your account and go to https://www.cm.com/en-gb/app/ticketing/\nFrom here you can create tickets and much more!\nMake sure to take a look at the user-side ticket store as well (https://store.ticketing.cm.com/..)", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.cm.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.cmtelecom.com", "description": "Some of the applications that are in our scope use our old api. 
\nIf you find a bug on this api and it is from a product that is in scope, it is valid.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "cm.com/[locale]/app/*", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "cm.com/[locale]/register", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "appmiral.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "building-blocks.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "cm.com/app/messagingtrial/", "description": "An application that makes it possible for developers to do a limited test of sending messages using the CM.COM business messaging API.\n\nWhat we would like to know is:\n* Can the application be exploited to allow sending more than the allowed number of messages?\n* Can the app be exploited to send to other recipients besides the whitelisted recipients?", "impact": "Tier 3" }, { "type": "url", "endpoint": "cmcom.atlassian.net", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "www.cm.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.appmiral.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.cm.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.cmtelecom.com", "description": null, "impact": "No Bounty" }, { "type": "ios", "endpoint": "1199521324", "description": "Right now we don't have a way to make test accounts for these apps, this will be added in the future", "impact": "No Bounty" }, { "type": "ios", "endpoint": "1579530451", "description": "Right now we don't have a way to make test accounts for these apps, this will be added in the future", "impact": "No Bounty" }, { "type": "android", "endpoint": "com.cm.cashregister", "description": "Right now we don't have a way to make test accounts for these apps, this will be added in the future", "impact": "No Bounty" }, { 
"type": "android", "endpoint": "com.ticketflow.ticketscanner", "description": "Right now we don't have a way to make test accounts for these apps, this will be added in the future", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "demo.globalticket.com/*", "description": "GlobalTicket is one of our integrations. \nBe sure to check out `/cms` to try and work your way into it.", "impact": "No Bounty" }, { "type": "other", "endpoint": "https://github.com/cmdotcom", "description": "Our public code repositories are being used by our customers. In scope for this domain are issues with the public code we host (vulnerabilities, libraries that have known security concerns, keys accidentally pushed to the public GitHub etc.). \n**Testing the GitHub itself is out-of-scope**, they have their own bug bounty program if you are interested :) ", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "0083a5bf-e54f-4f79-a972-12a795272c8b", "name": "Canada Post - Responsible Disclosure Program", "company_handle": "innovapost", "handle": "innovapost", "url": "https://www.intigriti.com/programs/innovapost/innovapost/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.azcpggpc.ca", "description": "Any subdomain of azcpggpc.ca (eg. alert-management-svc.prd01.retail-api.azcpggpc.ca)", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.canadapost-postescanada.ca", "description": "Any subdomain of canadapost-postescanada.ca (eg. www.canadapost-postescanada.ca, sso-osu.canadapost-postescanada.ca and store.canadapost-postescanada.ca)", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.infopost.ca", "description": "Any subdomain of infopost.ca (eg. 
www.infopost.ca and dev.infopost.ca)", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.postescanada-canadapost.ca", "description": "Any subdomain of postescanada-canadapost.ca (eg. www.postescanada-canadapost.ca)", "impact": "No Bounty" }, { "type": "ios", "endpoint": "394391577", "description": "Canada Post's mobile application for iOS", "impact": "No Bounty" }, { "type": "android", "endpoint": "com.canadapost.android", "description": "Canada Post's mobile application for Android", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "48853273-690a-4555-8ac5-821a1c464312", "name": "Capital.com", "company_handle": "capitalcom", "handle": "capitalcom", "url": "https://www.intigriti.com/programs/capitalcom/capitalcom/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 15000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "payment.backend-capital.com", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.backend-capital.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "capital.com/*", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "com.capital.trading", "description": "https://apps.apple.com/BY/app/id1230088754?mt=8", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.capital.trading", "description": "https://play.google.com/store/apps/details?id=com.capital.trading&hl=en", "impact": "Tier 2" }, { "type": "url", "endpoint": "open-api.capital.com", "description": "The Capital.com API allows direct access to the latest version of our trading engine.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.capital.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.itcapital.io", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": 
"aff.capital.com", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "go.capital.com", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "register.capital.com", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "careers.capital.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*affiliates.backend-capital.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*eduapp.backend-capital.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*education.backend-capital.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "help.capital.com", "description": "CNAME to Zendesk", "impact": "Out of scope" }, { "type": "url", "endpoint": "relocate-with-us.capital.com", "description": "CNAME to Webflow", "impact": "Out of scope" }, { "type": "url", "endpoint": "3cxby.itcapital.io", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": " texis.itcapital.io", "description": null, "impact": "Out of scope" } ] } }, { "id": "96d3f49a-4c5f-4bc8-835a-77f734eefe4e", "name": "Citymesh Responsible Vulnerability Disclosure Program", "company_handle": "citymesh", "handle": "responsiblevulnerabilitydisclosureprogram", "url": "https://www.intigriti.com/programs/citymesh/responsiblevulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "iprange", "endpoint": "31.31.128.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "31.31.140.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "31.31.141.0/24", "description": null, "impact": "No Bounty" }, { "type": 
"iprange", "endpoint": "31.31.143.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "31.31.143.0/25", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "31.31.150.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "31.31.158.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "31.31.159.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "45.11.166.40/29", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "79.132.241.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "85.234.192.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "85.234.203.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "85.234.204.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "85.234.205.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "193.110.255.128/28", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.0.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.1.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.2.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.3.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.4.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.5.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.8.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "212.71.11.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "213.211.130.0/24", 
"description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "213.211.138.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "213.211.188.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "213.219.128.0/24", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "213.219.132.0/24", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://livechat.citymesh.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://auth.citymesh.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://extra.citymesh.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://fleet.citymeshconnect.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://my.citymesh.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://cabmanager.citymesh.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://dialhome.ncentric.be/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://auth.wifilab.be/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://extra.edpnet.net/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://api-gateway.citymesh.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://cc.safety-drones.com/", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.antwerpfreewifi.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.biotechnology-citymesh.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh-connect.be", 
"description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh-connect.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.eu", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.guide", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.net", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.fr", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.nl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymesh.io", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymeshconnect.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.citymeshconnect.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ctmsh.co", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.connectingsenses.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.connectingsenses.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.connectow.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.connectow.eu", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.engiem2m.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.edpnet.net", "description": "Please check the out of scope section for excluded subdomains.", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.edpnet.com", "description": null, "impact": "No Bounty" }, { 
"type": "wildcard", "endpoint": "*.edpnet.nl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.edpnet.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.engiem2m.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.gowifi.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.myiot.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ncentric.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ncentric.cloud", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ncentric.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ptxbac.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ps-radiocom.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ps-radiocom.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.safety-drones.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.safety-drones.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.safetydrones.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.sigfox.nl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.towereye.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.towereye.eu", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wifilab.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wflb.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wifinmbssncb.be", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", 
"endpoint": "*.static.edpnet.net", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.dyn.edpnet.net", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.citymesh.recruitee.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.digi-mobile.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.insky.be", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.128.128/26", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.128.192/27", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.128.64/26", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.130.0/23", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.132.0/24", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.134.0/23", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.136.0/21", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.139.0/24", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.140.0-87", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.140.92-254", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.141.0/26", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "31.31.143.0-71", "description": null, "impact": "Out of scope" } ] } }, { "id": "afeb2624-ac2e-46bc-b078-b0e018baeb62", "name": "Cloudways by DigitalOcean", "company_handle": "digitalocean", "handle": "cloudways", "url": "https://www.intigriti.com/programs/digitalocean/cloudways/detail", "status": "open", "confidentiality_level": "public", "tacRequired": 
false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "USD" }, "max_bounty": { "value": 4000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.cloudways.com", "description": "All external services/software like `support.cloudways.com` and `feedback.cloudways.com` that are not owned, managed or controlled by Cloudways are considered out of scope and ineligible for rewards.", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.cloudways.com", "description": "Cloudways API offers an alternative to the Cloudways Platform. Many, but not all actions that Cloudways Platform allows through the UI can also be performed through Cloudways API.\n\nIn the event a vulnerability is applicable to both the Cloudways Platform (platform.cloudways.com) and API, it will be treated as one root incident.", "impact": "Tier 2" }, { "type": "url", "endpoint": "developers.cloudways.com", "description": "Cloudways Developers authorizes the API key to use Cloudways API. The vulnerability testing of this target should focus on the process of API authorization ONLY. All other areas on Cloudways developers are strictly OUT OF SCOPE.", "impact": "Tier 2" }, { "type": "url", "endpoint": "platform.cloudways.com", "description": "Cloudways Platform is the primary target for this program. Cloudways Platform is the main interaction point for Cloudways customers. Through the Platform, customers could launch managed cloud servers and then set up their application on these servers. 
Once the application is up, Cloudways Platform provides users with options to manage their servers and applications.", "impact": "Tier 2" }, { "type": "url", "endpoint": "unified.cloudways.com", "description": "Cloudways Platform with a new UI, along with a new API and backend to handle all the services of Cloudways", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.cloudways.com", "description": "Cloudways website is the corporate website that is often the initial touchpoint for a significant number of interactions between visitors, customers and Cloudways. It offers product details and related corporate information to visitors.\n", "impact": "Tier 2" }, { "type": "url", "endpoint": "css-tricks.com", "description": null, "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "4981522f-5675-4f46-b7b7-e065d30c8d79", "name": "Cross Border Fines", "company_handle": "bpost", "handle": "crossborderfines", "url": "https://www.intigriti.com/programs/bpost/crossborderfines/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 3000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://justonweb.be/fines/", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "13cfc6fe-92b2-4a56-8577-855ff0bc2f1c", "name": "Cyber Security Coalition", "company_handle": "cybersecuritycoalition", "handle": "cybersecuritycoalition", "url": "https://www.intigriti.com/programs/cybersecuritycoalition/cybersecuritycoalition/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "annualreport.cybersecuritycoalition.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": 
"award.cybersecuritycoalition.be", "description": "Awards website", "impact": "No Bounty" }, { "type": "url", "endpoint": "blog.cybersecuritycoalition.be", "description": "Blog site", "impact": "No Bounty" }, { "type": "url", "endpoint": "www.cybersecuritycoalition.be", "description": "Public website", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "1cf88d51-7927-4747-af33-204f6f1c161f", "name": "DHL Group Vulnerability Disclosure Program", "company_handle": "dhlgroup", "handle": "dhlvdp", "url": "https://www.intigriti.com/programs/dhlgroup/dhlvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.deutschepost.de", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.dhl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.dhl.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.dhl.de", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.dpdhl.com", "description": null, "impact": "No Bounty" }, { "type": "other", "endpoint": "Any other domain from DHL Group companies", "description": null, "impact": "No Bounty" }, { "type": "other", "endpoint": "Mobile apps owned by DHL Group companies", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "806f54d7-a85d-40bd-82cc-f09c1a500f28", "name": "DPG Media", "company_handle": "dpgm", "handle": "dpgmedia", "url": "https://www.intigriti.com/programs/dpgm/dpgmedia/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": 
"*.dpgmedia.be", "description": "excluding\n* login.dpgmedia.be", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.dpgmedia.nl", "description": "excluding\n* login.dpgmedia.nl", "impact": "Tier 2" }, { "type": "other", "endpoint": "Any related DPG media domain", "description": "_Only applicable to domains that are **100% owned by DPG**. \nFor example, projects that are partly owned by DPG and where DPG media is not responsible for the IT infrastructure are **not** in scope._\n\nYou can easily validate based on Domain Whois:\n\nDe Persgroep Publishing nv\nBrusselstesteenweg 347\n1730 Asse\nBelgië\n\nDPG Media Services NV \nMediaplein 1 \n2018 Antwerpen \nBelgium", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "bd22f48d-633e-4b26-bf71-e4778d41b247", "name": "DataCamp", "company_handle": "datacamp", "handle": "datacamp", "url": "https://www.intigriti.com/programs/datacamp/datacamp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 1500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "profiles-api.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.datacamp.com/certification", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.datacamp.com/groups", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.datacamp.com/learn", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "assessment-api.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "assessment-v2.datacamp.com ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "assessment.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "campus.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "android", "endpoint": 
"com.datacamp", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "https://apps.apple.com/au/app/datacamp-learn-data-science/id1263413087", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "practice.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "projects.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.datacamp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.datacamp.com/datalab", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.datacamp.com", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.it.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "app.datacamp.com/recruit", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ast-viewer.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "confluence.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "dccertified.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "intranet.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jira.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "links.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rdocumentation.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "signature.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "status.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "support.datacamp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": 
"talent-jobs-api.datacamp.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "8bf1f259-cac9-4114-9b84-3b950897b1ec", "name": "De Morgen", "company_handle": "dpgm", "handle": "demorgen", "url": "https://www.intigriti.com/programs/dpgm/demorgen/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.demorgen.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.demorgen.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.demorgen.be", "description": "excluding\n* demorgen.be/service\n* demorgen.be/inloggen\n* demorgen.be/login\n* demorgen.be/registreren", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.demorgen.be/abonnementen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.demorgen.be", "description": "excluding abonnement.demorgen.be", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "* demorgen.be/inloggen", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* demorgen.be/login", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* demorgen.be/registreren", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* demorgen.be/service", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.demorgen.be", "description": null, "impact": "Out of scope" } ] } }, { "id": "0d6d1230-beb5-489c-b306-cf9c2e06730f", "name": "De Volkskrant", "company_handle": "dpgm", "handle": "devolkskrant", "url": "https://www.intigriti.com/programs/dpgm/devolkskrant/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 
25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.volkskrant.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.volkskrant.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.volkskrant.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.volkskrant.nl", "description": "excluding\n* volkskrant.nl/service\n* volkskrant.nl/inloggen\n* volkskrant.nl/login\n* volkskrant.nl/registreren", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.volkskrant.nl/abonnementen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.volkskrant.nl", "description": "excluding abonnement.volkskrant.nl", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "d14eedce-607d-4233-995d-30dbc7de8f23", "name": "Delen Private Bank", "company_handle": "delenprivatebank", "handle": "privatebankdelen", "url": "https://www.intigriti.com/programs/delenprivatebank/privatebankdelen/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 15000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api.digital.delen.be ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.digital.delen.lu ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.delen.be ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.delen.ch ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "app.delen.lu ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "auth.digital.delen.be ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "auth.digital.delen.lu ", "description": null, "impact": "Tier 2" }, { "type": 
"android", "endpoint": "be.delen.digital", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "delen/id1064839588", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login.delen.be ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login.delen.ch ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login.delen.lu ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login.oyens.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "status.delen.be ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "sts.delen.be ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.cadelam.be ", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.cadelux.lu/en ", "description": "🇬🇧🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.delen.bank", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.delen.be/en ", "description": "🇬🇧🇫🇷🇳🇱", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "dd9dba85-e047-42f3-b59e-9328c7d49672", "name": "DigitalOcean", "company_handle": "digitalocean", "handle": "digitalocean", "url": "https://www.intigriti.com/programs/digitalocean/digitalocean/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "USD" }, "max_bounty": { "value": 10000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.digitalocean.com", "description": "Please review the __*.digitalocean.com Out of Scope Subdomains__ section below to ensure testing of only in-scope domain assets.", "impact": "Tier 2" }, { "type": "iprange", "endpoint": "169.254.169.254", "description": "Metadata service available at http://169.254.169.254/ from Droplets", "impact": "Tier 2" }, { "type": "url", "endpoint": 
"api.digitalocean.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "cloud.digitalocean.com", "description": "Findings against resources owned by your account should be filed underneath this asset.\n\n* While performing your research, please limit the scope of testing to only the accounts or resources that are owned by you.\n* If you discover a vulnerability that could allow you to bypass existing controls and gain access to other accounts, **please do not take any further action** against those accounts or data that are not owned by you.", "impact": "Tier 2" }, { "type": "url", "endpoint": "amd.digitalocean.com", "description": "This asset follows the same testing guidelines as `cloud.digitalocean.com`.\n\n* While performing your research, please limit the scope of testing to only the accounts or resources that are owned by you.\n* If you discover a vulnerability that could allow you to bypass existing controls and gain access to other accounts, **please do not take any further action** against those accounts or data that are not owned by you.\n\nNote that we consider `cloud.digitalocean.com` and `amd.digitalocean.com` as having functionally the same backend codebase.", "impact": "Tier 2" }, { "type": "url", "endpoint": "marketplace.digitalocean.com", "description": "Note that marketplace 1-click apps and add-ons are maintained by our partnered vendors and are out of scope. 
\nPlease see the \"Out of Scope\" section below for more info.", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.digitalocean.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.snapshooter.com", "description": "SnapShooter is a cloud backup and recovery solution.", "impact": "Tier 2" }, { "type": null, "endpoint": "https://github.com/digitalocean/do-agent", "description": "A daemon that helps collect system metrics from droplets", "impact": "Tier 2" }, { "type": null, "endpoint": "https://github.com/digitalocean/droplet-agent", "description": "A daemon that enables web console access on droplets", "impact": "Tier 2" }, { "type": null, "endpoint": "https://github.com/digitalocean/doctl", "description": "The official command line interface for the DigitalOcean API", "impact": "Tier 3" }, { "type": null, "endpoint": "https://github.com/digitalocean/action-doctl", "description": "GitHub Actions for DigitalOcean - doctl", "impact": "Tier 3" }, { "type": null, "endpoint": "https://github.com/digitalocean/godo", "description": "DigitalOcean's Go API client", "impact": "Tier 3" }, { "type": null, "endpoint": "https://github.com/digitalocean/pydo", "description": "DigitalOcean's Python API client", "impact": "Tier 3" }, { "type": null, "endpoint": "https://github.com/digitalocean/terraform-provider-digitalocean", "description": "DigitalOcean's official Terraform provider", "impact": "Tier 3" }, { "type": null, "endpoint": "https://github.com/digitalocean/go-nbd", "description": "Golang-only network block device client", "impact": "Tier 3" }, { "type": null, "endpoint": "https://github.com/digitalocean/do-markdownit", "description": "Markdown plugin run against all user-submitted content on https://digitalocean.com/community", "impact": "Tier 3" }, { "type": "url", "endpoint": "digitaloceanmirrors.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "digitaloceanpartners.com", "description": null, "impact": 
"Tier 3" }, { "type": "url", "endpoint": "digitaloceanstatus.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "digitaloceantest.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "do.co", "description": "Company shortlink service", "impact": "Tier 3" }, { "type": "url", "endpoint": "hackathon-tracker.digitalocean.com", "description": "API for hacktoberfest.com", "impact": "Tier 3" }, { "type": "url", "endpoint": "hacktoberfest.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "paperspace.com", "description": "We do not currently offer bounty rewards for findings related to the `paperspace.com` domain or associated sub-domains.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "anchor.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "brand.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cloudsupport.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "deploy.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "email.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "events.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "go.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "groove.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "helpdesk.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ideas.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "investor.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "investors.digitalocean.com", "description": 
null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ir.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mirrors.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pilot.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rewards.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "segment.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "status.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "tracking.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "waves.digitalocean.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.db.ondigitalocean.com", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.\n\nAny database created inside your own account on this domain is considered in-scope. Use the `cloud.digitalocean.com` asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.digitaloceanspaces.com", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.\n\nAny Spaces buckets created inside your own account on this domain are considered in-scope. Use the `cloud.digitalocean.com` asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.doserverless.co", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.\n\nAny Functions created inside your own account on this domain are considered in-scope. 
Use the `cloud.digitalocean.com` asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.k8s.ondigitalocean.com", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.\n\nAny Kubernetes clusters created inside your own account on this domain are considered in-scope. Use the `cloud.digitalocean.com` asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.ondigitalocean.app", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.\n\nAny Apps created inside your own account on this domain are considered in-scope. Use the `cloud.digitalocean.com` asset in that case.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "registry.digitalocean.com/*", "description": "Customers' resources are hosted underneath this domain, so the entire domain should be considered out-of-scope.\n\nAny container registries created inside your own account on this domain are considered in-scope. Use the `cloud.digitalocean.com` asset in that case.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Assets created by other DigitalOcean customers", "description": "**Any asset (Droplet, Space, or otherwise) created by other DigitalOcean customers is not to be tested under any circumstances.**", "impact": "Out of scope" }, { "type": "other", "endpoint": "Marketplace Apps and Add-Ons", "description": "The marketplace applications and add-ons are maintained by our partnered vendors. 
\nSecurity issues against these components of the marketplace are not in the scope of this program and ineligible for bounty rewards, but we are happy to help facilitate communications to the application owners.\nPlease reach out to us at security@digitalocean.com for facilitation.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Other DigitalOcean open source projects not listed", "description": "All open source projects hosted by DigitalOcean not otherwise listed as in-scope are out-of-scope.", "impact": "Out of scope" } ] } }, { "id": "1dcf052a-9cd7-4278-99d1-3c037efbf781", "name": "Donorbox VDP", "company_handle": "donorbox", "handle": "donorboxvdp", "url": "https://www.intigriti.com/programs/donorbox/donorboxvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "https://apps.apple.com/us/app/donorbox-live/id1668808097", "description": "Donorbox Live is a mobile app that allows orgs to connect Stripe-sanctioned card readers and accept in person payments. See the infrastructure section below for details.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://donorbox.org/admin", "description": "This is the customer support admin console used by Donorbox employees. A donorbox.org account (signed in via Google SSO and with MFA enabled) is required to access this. Additionally, you must be invited to the Rebel Idealist organization in order to gain initial admin access. Please report any unauthorized access to this page.", "impact": "Tier 1" }, { "type": "android", "endpoint": "https://play.google.com/store/apps/details?id=org.donorbox.cardreader&hl=en&gl=US", "description": "Donorbox Live is a mobile app that allows orgs to connect Stripe-sanctioned card readers and accept in person payments. 
See the infrastructure section below for details.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://donorbox.org", "description": "This is the website, which includes any page you can navigate to from www.donorbox.org, e.g., www.donorbox.org/pricing.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://donorbox.org/embed/potato", "description": "This is an example of an embed form. Embed forms can be added to a separate website used by the organization. Changing the organization that receives the donation (aka hijacking) or making fraudulent donations (like a double refund) should not be possible.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://donorbox.org/org_admin", "description": "This is the admin console for organizations. When customers create an org account, they will be directed here to make changes such as creating a campaign, connecting Stripe or PayPal, and changing the donation form. Donor information and donations can be viewed here.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://donorbox.org/potato", "description": "This is an example of a hosted page, which lives under the host domain. Hosted pages are provided for organizations to use as their main website if they don't already have one. 
When a new donation form is created, a hosted page gets created by default.", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "e8b2e8ca-1fb2-4c17-933f-2a1f5cfb7da7", "name": "Driessen Vulnerability Disclosure Program", "company_handle": "driessengroep", "handle": "driessenvdp", "url": "https://www.intigriti.com/programs/driessengroep/driessenvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "www.driessen.nl/*", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "www.driessen.nl/contact", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "www.driessen.nl/mijn/solliciteren/", "description": null, "impact": "Out of scope" } ] } }, { "id": "e540980d-b56e-4956-afff-f914653a4f6e", "name": "Dropbox Bug Bounty", "company_handle": "dropbox", "handle": "dropbox", "url": "https://www.intigriti.com/programs/dropbox/dropbox/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 15000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "Dropbox.com", "description": "Dropbox Application", "impact": "Tier 1" }, { "type": "url", "endpoint": "sign.dropbox.com", "description": "Sign by Dropbox (formerly HelloSign)", "impact": "Tier 1" }, { "type": "url", "endpoint": "HelloSign.com", "description": "HelloSign (now Dropbox Sign)", "impact": "Tier 1" }, { "type": "url", "endpoint": "dash.ai", "description": "Web Browser Extension", "impact": "Tier 1" }, { "type": "other", "endpoint": "dash.dropbox.com", "description": "Dash by Dropbox MacOS and PC", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.dropbox.com", 
"description": "Dropbox Public API", "impact": "Tier 1" }, { "type": "url", "endpoint": "replay.dropbox.com", "description": "Replay by Dropbox", "impact": "Tier 1" }, { "type": "other", "endpoint": "Dropbox Desktop Application", "description": "Dropbox for MacOS and PC ", "impact": "Tier 1" }, { "type": "ios", "endpoint": "327630330", "description": "Dropbox iOS Application", "impact": "Tier 2" }, { "type": "ios", "endpoint": "6450553960", "description": "Dash by Dropbox iOS Application", "impact": "Tier 2" }, { "type": "ios", "endpoint": "1080074001", "description": "Dropbox EMM iOS Application", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.dropbox.dash", "description": "Dash by Dropbox Android Application", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.dropbox.android", "description": "Dropbox Android Application", "impact": "Tier 2" }, { "type": "url", "endpoint": "HelloFax.com", "description": "HelloFax Web Application", "impact": "Tier 2" }, { "type": "url", "endpoint": "docsend.com", "description": "Docsend Web Application", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.Reclaim.ai", "description": "Reclaim.ai Web Application", "impact": "Tier 2" }, { "type": "url", "endpoint": "dropbox.com/paper", "description": "Paper by Dropbox Application", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.dropbox.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.dropboxer.net", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.dropboxforum.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.dropboxpartners.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.hellofax.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.docsend.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.reclaim.ai", "description": null, "impact": "Tier 
3" }, { "type": "wildcard", "endpoint": "*.helloworks.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.hellosign.com", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "other", "endpoint": "Boxcryptor", "description": "Including: \n\n*.boxcryptor.com", "impact": "Out of scope" }, { "type": "other", "endpoint": "Formswift", "description": "Including:\n\n*.formswift.com", "impact": "Out of scope" }, { "type": "other", "endpoint": "Dropbox Passwords", "description": "Including:\n\niOS and Android Applications", "impact": "Out of scope" }, { "type": "other", "endpoint": "Dropbox Capture Windows Desktop App", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "Dropbox Capture macOS Desktop App", "description": null, "impact": "Out of scope" }, { "type": "android", "endpoint": "com.dropbox.paper", "description": "Paper by Dropbox Android Application", "impact": "Out of scope" }, { "type": "ios", "endpoint": "1126623662", "description": "Paper by Dropbox iOS Application", "impact": "Out of scope" } ] } }, { "id": "b31aef04-c63f-429f-b965-f92c94e5eec3", "name": "Dropbox Vulnerability Disclosure Program ", "company_handle": "dropbox", "handle": "dropbox-vdp", "url": "https://www.intigriti.com/programs/dropbox/dropbox-vdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "All assets owned by or attributable to Dropbox", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "other", "endpoint": "Third-party systems or domains referencing Dropbox", "description": "Before testing or reporting a vulnerability, confirm that the target asset is owned or managed by Dropbox. Terms like “Dropbox-compatible” do not mean Dropbox controls the system. 
If you're unsure, contact the program team to avoid interacting with assets outside of scope at bugbounty@dropbox.com.", "impact": "Out of scope" } ] } }, { "id": "2b664acb-80d4-4edb-9fcc-bcc562987f92", "name": "Dstny", "company_handle": "dstny", "handle": "dstnybugbounty", "url": "https://www.intigriti.com/programs/dstny/dstnybugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2205, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=1208823298#gid=1208823298", "description": "Sizable list of the Tier 1 domains, IP ranges, and other. The full scope of Tier 1/2/3/no-bounty/out-of-scope domains can be found [here](https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=744529838#gid=744529838).\nPlease double-check the out-of-scope domains before submitting a report.", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=1281087877#gid=1281087877", "description": "Sizable list of the Tier 2 domains, IP ranges, and other. The full scope of Tier 1/2/3/no-bounty/out-of-scope domains can be found [here](https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=744529838#gid=744529838).\nPlease double-check the out-of-scope domains before submitting a report.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=1767553194#gid=1767553194", "description": "Sizable list of the Tier 3 domains, IP ranges, and other. 
The full scope of Tier 1/2/3/no-bounty/out-of-scope domains can be found [here](https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=744529838#gid=744529838).\nPlease double-check the out-of-scope domains before submitting a report.", "impact": "Tier 3" }, { "type": "other", "endpoint": "https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=1817816238#gid=1817816238", "description": "Domains in this scope won't lead to a bounty, but we welcome submissions.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "other", "endpoint": "https://docs.google.com/spreadsheets/d/1CzscF67guNFMy-L_v79ng2mW36dQWb2rQSbK540j-ys/edit?gid=1370437389#gid=1370437389", "description": "These domains are entirely out-of-scope.", "impact": "Out of scope" } ] } }, { "id": "b962ecba-799e-46b7-a33e-327212bc482e", "name": "Exact Vulnerability Disclosure Program", "company_handle": "exact", "handle": "exactvulnerabilitydisclosureprogram", "url": "https://www.intigriti.com/programs/exact/exactvulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.itscope.com", "description": "ITscope is part of Exact Group", "impact": null }, { "type": "wildcard", "endpoint": "*.itscope.com", "description": "ITscope is part of Exact Group", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.itscope.de", "description": "ITscope is part of Exact Group", "impact": null }, { "type": "wildcard", "endpoint": "*.itscope.de", "description": "ITscope is part of Exact Group", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.gripp.com", "description": "Gripp is part of Exact Group", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.gripp.com", "description": "Gripp is part of 
Exact Group", "impact": null }, { "type": "url", "endpoint": "www.fiscaalgemak.nl", "description": "Fiscaalgemaak is a Product of Exact Group", "impact": null }, { "type": "wildcard", "endpoint": "*.fiscaalgemak.nl", "description": "Fiscaalgemaak is a Product of Exact Group", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.bouw7.nl", "description": "Bouw7 is a Product of Exact Group", "impact": null }, { "type": "wildcard", "endpoint": "*.bouw7.nl", "description": "Bouw7 is a Product of Exact Group", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.horeko.com", "description": "Horeko is part of Exact Group", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.horeko.com", "description": "Horeko is part of Exact Group", "impact": null }, { "type": "wildcard", "endpoint": "*.weclapp.com", "description": "weclapp is part of Exact Group", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.weclapp.com", "description": "weclapp is part of Exact Group", "impact": null }, { "type": "url", "endpoint": "All Exact Group Related Domains", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://www.exact.com/*", "description": "Marketing website of Exact Group", "impact": null } ], "out_of_scope": [] } }, { "id": "4d41a636-c811-4757-8fd9-007d7f18e212", "name": "Exoscale Bug Bounty", "company_handle": "exoscale", "handle": "excoscalebugbounty", "url": "https://www.intigriti.com/programs/exoscale/excoscalebugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://portal.exoscale.com/", "description": "Our web portal. 
A good place to start to create your test accounts, deploy your first resources and play around with our services.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": " https://api-*exoscale.com/v2", "description": "Our public API to deploy and interact with our different services. Have a look at [the API documentation](https://openapi-v2.exoscale.com/).\n\nThe API is deployed across multiple zones with different URLs:\n\nhttps://api-ch-gva-2.exoscale.com/v2\nhttps://api-ch-dk-2.exoscale.com/v2\nhttps://api-de-fra-1.exoscale.com/v2\nhttps://api-de-muc-1.exoscale.com/v2\nhttps://api-at-vie-1.exoscale.com/v2\nhttps://api-at-vie-2.exoscale.com/v2\nhttps://api-bg-sof-1.exoscale.com/v2\nhttps://api-hr-zag-1.exoscale.com/v2", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://sos-*.exo.io", "description": "sos-*.exo.io are the subdomains related to our S3-compatible Object Storage service (called SOS). Have a look at [the SOS product documentation](https://community.exoscale.com/product/storage/object-storage/). These endpoints implement the S3 protocol. \n\n\nThere is a subdomain for each zone where the service is offered: \n\nhttps://sos-ch-gva-2.exo.io\nhttps://sos-ch-dk-2.exo.io\nhttps://sos-de-fra-1.exo.io\nhttps://sos-de-muc-1.exo.io\nhttps://sos-at-vie-1.exo.io\nhttps://sos-at-vie-2.exo.io\nhttps://sos-bg-sof-1.exo.io\nhttps://sos-hr-zag-1.exo.io\n\nPlease note that there may be resources owned by customers on these domains. Customers' resources are out of scope. ", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://sks-*.exo.io", "description": "sks-*.exo.io are the subdomains related to our managed Kubernetes (SKS) clusters. 
Have a look at [the SKS product documentation](https://community.exoscale.com/product/compute/containers/).\n\n\nThere is a subdomain for each zone where the service is offered: \n\nhttps://sks-ch-gva-2.exo.io\nhttps://sks-ch-dk-2.exo.io\nhttps://sks-de-fra-1.exo.io\nhttps://sks-de-muc-1.exo.io\nhttps://sks-at-vie-1.exo.io\nhttps://sks-at-vie-2.exo.io\nhttps://sks-bg-sof-1.exo.io\nhttps://sks-hr-zag-1.exo.io\n\nPlease note that there may be resources owned by customers on these domains. Customers' resources are out of scope. ", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.internal.exoscale.ch", "description": "Exoscale internal services. Not accessible to the outside world.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.exoscale.com/", "description": "Our [public website](https://www.exoscale.com/). A great way to start familiarising yourself with our products and services and to learn more about everything Exoscale has to offer!", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://community.exoscale.com/", "description": "Our [public documentation](https://community.exoscale.com/). Another great way to familiarise yourself with our products and services and to learn more about everything Exoscale has to offer!", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "url", "endpoint": "https://changelog.exoscale.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://exoscalestatus.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://academy.exoscale.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://jobs.exoscale.com/", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "CDN service", "description": "Exoscale offers a CDN service in partnership with Ducksify, a member of the Akamai NetAlliance Partner network. The CDN service is out of scope of this program. 
", "impact": "Out of scope" }, { "type": "other", "endpoint": "Marketplace products", "description": "Exoscale offers instant deployments of certain partner solutions through a marketplace. The marketplace products are out of scope of this program. ", "impact": "Out of scope" } ] } }, { "id": "104ed53e-3c29-4d16-b89a-d322c9df5e9a", "name": "FREEPIK VDP", "company_handle": "freepik", "handle": "freepikcompany", "url": "https://www.intigriti.com/programs/freepik/freepikcompany/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Freepik", "description": "Only assets directly related to the company are considered in-scope.", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "0bcc2455-bd63-490b-b725-890a93a1c678", "name": "Fing Bug Bounty Program", "company_handle": "lansweeper", "handle": "fing", "url": "https://www.intigriti.com/programs/lansweeper/fing/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "service.fing.com", "description": "Our public cloud API for Device Recognition which can be requested on our website: https://app.fing.com/internet/business/devrecog/trial.", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.fing.com", "description": "The Fing web application that gives you an overview of all monitored networks", "impact": "Tier 3" }, { "type": "url", "endpoint": "Fing desktop", "description": "The free Fing App to identify connected devices, troubleshoot network and device issues, detect network intruders and run Wi-Fi and internet speed tests anywhere. 
It can be downloaded here: http://app.fing.com/app", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "www.fing.com*", "description": "Always use an \"intigriti.me\" address for any web form", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "611c246e-1bf9-42b7-a458-af832582d0d7", "name": "Grafana Labs", "company_handle": "grafanalabs", "handle": "grafanaossbbp", "url": "https://www.intigriti.com/programs/grafanalabs/grafanaossbbp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 15000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Grafana Loki", "description": null, "impact": "Tier 1" }, { "type": "other", "endpoint": "Grafana Mimir", "description": null, "impact": "Tier 1" }, { "type": "other", "endpoint": "Grafana OSS", "description": null, "impact": "Tier 1" }, { "type": "other", "endpoint": "Grafana Pyroscope", "description": null, "impact": "Tier 1" }, { "type": "other", "endpoint": "Grafana Tempo", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "https://github.com/grafana/*", "description": "Only repository misconfigurations for non-archived repositories are in scope - please read the '**In scope**' section below for the detailed scope.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Non-Core Grafana Plugins", "description": "Grafana Labs-developed [plugins](https://grafana.com/grafana/plugins/all-plugins/?signature=grafana) that are not installed by default are accepted, but not eligible for a bounty. 
", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.grafana.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.grafana.net", "description": null, "impact": "Out of scope" } ] } }, { "id": "4acc7e11-3634-4ce5-b100-d961d3f6c6f0", "name": "HRS Group VDP", "company_handle": "hrsgroup", "handle": "hrsgroupvdp", "url": "https://www.intigriti.com/programs/hrsgroup/hrsgroupvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://www.hrs.com", "description": "This is the hotel reservation web application. Please note that this is a production system. Do **NOT** make hotel reservations for testing purposes, as they are real reservations.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "https://hotelservice.hrs.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://jobs.hrs.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://www.hrs.com/deals/", "description": null, "impact": "Out of scope" } ] } }, { "id": "e85b4b33-7785-43b5-a5aa-5bcd226688b4", "name": "Here Technologies", "company_handle": "heretechnologies", "handle": "heretechnologies", "url": "https://www.intigriti.com/programs/heretechnologies/heretechnologies/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.account.api.here.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.account.here.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", 
"endpoint": "*.mobilitygraph.hereapi.com", "description": "Including, but not limited to, the following applications:\nhttps://predictor.mobilitygraph.hereapi.com/\nhttps://profile.mobilitygraph.hereapi.com/\nhttps://subscription.mobilitygraph.hereapi.com/\n", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.router.hereapi.com", "description": "Including, but not limited to, the following applications:\nhttps://matrix.router.hereapi.com/\nhttps://subp-als.matrix.router.hereapi.com/v8/matrix\nhttps://transit.router.hereapi.com/\nhttps://intermodal.router.hereapi.com/", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.scbe.api.here.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.subp-router.hereapi.com", "description": "Including, but not limited to, the following application:\nhttps://vip-als.subp-router.hereapi.com/\n", "impact": "Tier 2" }, { "type": "ios", "endpoint": "955837609", "description": null, "impact": "Tier 2" }, { "type": "android", "endpoint": "com.here.app.maps", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://jaguar.here.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://landrover.here.com", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Leaked/compromised employee accounts *.here.com", "description": "Any leaked/compromised employee accounts within the domain @here.com for any service in domains *.here.com (excluding unverified accounts on account.here.com) and here.okta.com, for example john.doe@here.com account for in.here.com. If you come across any such accounts, whether compromised due to malware infections, security breaches, or any other cause, please notify us. Depending on account setup and environment, valid (belongs to a HERE employee and is active) and non-duplicate reports will be accepted with Low/Medium severity. 
Please make sure to provide as much information as you can on the source and the reason of account compromise, for example - date of compromise, hostname, stealer id, source you obtained info from.\n\nPlease use the CSV format for all credentials. For example:\n\n`username, password, service, source, date_of_leak`\n\nIf the exact `date_of_leak` is unknown, use \"unknown\" instead.\n\n", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.here.com", "description": "This scope (*.here.com) is for Log4J and Spring4Shell RCE vulnerabilities only.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.hereapi.com", "description": "This scope (*.hereapi.com) is for Log4J and Spring4Shell RCE vulnerabilities only.", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "5c7a8f79-a23b-4367-a2c6-63a2d48586ee", "name": "Het Laatste Nieuws", "company_handle": "dpgm", "handle": "hetlaatstenieuws", "url": "https://www.intigriti.com/programs/dpgm/hetlaatstenieuws/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "* hln.be/inloggen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "* hln.be/login", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "* hln.be/registreren", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "hln.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "myaccount.hln.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.hln.be", "description": "excluding\n* hln.be/service\n* hln.be/inloggen\n* hln.be/login\n* hln.be/registreren", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.hln.be", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": 
"* hln.be/service", "description": null, "impact": "Out of scope" } ] } }, { "id": "406fd572-83b2-49de-9200-594c484d5bb9", "name": "Het Parool", "company_handle": "dpgm", "handle": "hetparool", "url": "https://www.intigriti.com/programs/dpgm/hetparool/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.parool.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.parool.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.parool.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.parool.nl", "description": "excluding\n* parool.nl/service\n* parool.nl/inloggen\n* parool.nl/login\n* parool.nl/registreren", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.parool.nl/abonnementen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.parool.nl", "description": "excluding abonnement.parool.nl", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "* parool.nl/inloggen", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* parool.nl/login", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* parool.nl/registreren", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* parool.nl/service", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.parool.nl", "description": null, "impact": "Out of scope" } ] } }, { "id": "c7272420-0cef-4366-87d2-278c06591799", "name": "House of HR Vulnerability Disclosure Program", "company_handle": "houseofhr", "handle": "houseofhrvulnerabilitydisclosureprogram", "url": 
"https://www.intigriti.com/programs/houseofhr/houseofhrvulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.houseofhr.com/*", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.swop.com/*", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "houseofhr.com/contact-us", "description": "This contact form is out of scope", "impact": "Out of scope" }, { "type": "url", "endpoint": "houseofhr.com/your-career/jobs", "description": "Applying for jobs is out of scope", "impact": "Out of scope" }, { "type": "url", "endpoint": "rebel.houseofhr.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "a78e0210-4de1-4ced-8895-48ac98c3166d", "name": "Housing Application (huisvestingsapp) Bug Bounty Program", "company_handle": "kuleuven", "handle": "huisvesting", "url": "https://www.intigriti.com/programs/kuleuven/huisvesting/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://www.kuleuven.be/sapredir/huisvesting", "description": "!! 
You can create an account with [your @intigriti.me address](https://go.intigriti.com/intigritime) and name 'Intigriti Test' (as explained in the FAQ), but the **registration process** itself is **not in scope** for the bug bounty programme !!\n\nThe scope includes all assets that are reasonably related to the housing application app (except for authentication like login or registration process).", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "67d5a491-4baa-4565-bdc9-962bcd5f5ddd", "name": "Humo", "company_handle": "dpgm", "handle": "humo", "url": "https://www.intigriti.com/programs/dpgm/humo/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "* humo.be/registreren", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "myaccount.humo.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.humo.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.humo.be", "description": "excluding\n* humo.be/service\n* humo.be/inloggen\n* humo.be/login\n* humo.be/registreren", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.humo.be/abonnementen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.humo.be", "description": "excluding abonnement.humo.be", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "* humo.be/inloggen", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* humo.be/login", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* humo.be/service", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.humo.be", "description": null, "impact": "Out of scope" } ] } }, { "id": 
"f6f576c3-c066-4be1-9d0b-f6d934d682f6", "name": "ICI PARIS XL", "company_handle": "aswatson", "handle": "iciparisxl", "url": "https://www.intigriti.com/programs/aswatson/iciparisxl/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 8500, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.iciparisxl.nl", "description": "This is ICI Paris XL NL, our Dutch online Perfumery.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.iciparisxl.be", "description": "This is ICI Paris XL BE, our Belgian online Perfumery.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.iciparisxl.lu", "description": "This is ICI Paris XL LU, our Luxembourgish online Perfumery.", "impact": "Tier 1" }, { "type": "android", "endpoint": "ICI Paris XL Android", "description": "This is our ICI Paris XL (Android) app.\nApp link: https://play.google.com/store/apps/details?id=com.iciparisxl.app", "impact": "Tier 1" }, { "type": "ios", "endpoint": "ICI Paris XL iOS", "description": "This is our ICI Paris XL (iOS) app.\nApp link [https://apps.apple.com/nl/app/ici-paris-xl-beauty/id1061895392](https://)", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.iciparisxl.be", "description": "This is the API server of the ICI Paris XL mobile app in Belgium", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.iciparisxl.lu", "description": "This is the API server of the ICI Paris XL mobile app in Luxembourg", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.iciparisxl.nl", "description": "This is the API server of the ICI Paris XL mobile app in the Netherlands", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.iciparisxl.lu", "description": "This subdomain is used to store static content for the www.iciparisxl.lu e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.iciparisxl.nl", 
"description": "This subdomain is used to store static content for the www.iciparisxl.nl e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.iciparisxl.be", "description": "This subdomain is used to store static content for the www.iciparisxl.be e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.iciparisxl.lu", "description": "This is the API server for the www.iciparisxl.lu website\nAPI spec: https://api.iciparisxl.lu/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.iciparisxl.nl", "description": "This is the API server for the www.iciparisxl.nl website\nAPI spec: https://api.iciparisxl.nl/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.iciparisxl.be", "description": "This is the API server for the www.iciparisxl.be website\nAPI spec: https://api.iciparisxl.be/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.iciparisxl.com", "description": "This is a referral page to the ICI Paris XL e-commerce websites", "impact": null }, { "type": "url", "endpoint": "xlence.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "newsletter.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "newsletter-feedback.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "beauty-and-you.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "folder.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "folders.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", 
"endpoint": "edition.iciparisxl.nl", "description": "This is a marketing related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "servicefr.iciparisxl.be", "description": "This is a customer service related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "wifi-in-store.iciparisxl.nl", "description": "This is an application used to connect to in-store WIFI in the ICI Paris XL stores", "impact": null }, { "type": "url", "endpoint": "wifi-in-store.iciparisxl.lu", "description": "This is an application used to connect to in-store WIFI in the ICI Paris XL stores", "impact": null }, { "type": "url", "endpoint": "wifi-in-store.iciparisxl.be", "description": "This is an application used to connect to in-store WIFI in the ICI Paris XL stores", "impact": null }, { "type": "url", "endpoint": "service.iciparisxl.nl", "description": "This is a customer service related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "servicefr.iciparisxl.lu", "description": "This is a customer service related application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "campagne.iciparisxl.nl", "description": "An Adobe Campaign application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "campagne.iciparisxl.lu", "description": "An Adobe Campaign application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "campagne.iciparisxl.be", "description": "An Adobe Campaign application from ICI Paris XL", "impact": null }, { "type": "url", "endpoint": "servicenl.iciparisxl.be", "description": "This is a customer service related application from ICI Paris XL", "impact": null }, { "type": "wildcard", "endpoint": "*.iciparisxl.lu", "description": null, "impact": null }, { "type": "wildcard", "endpoint": "*.iciparisxl.nl", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, 
{ "type": "wildcard", "endpoint": "*.iciparisxl.be", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.pourvous.nl", "description": "This is our Pour Vous e-commerce website", "impact": null }, { "type": "wildcard", "endpoint": "*.pourvous.nl", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null } ], "out_of_scope": [] } }, { "id": "540e04bb-ae56-49cd-8e05-311a08ba44f7", "name": "ING Responsible Disclosure", "company_handle": "ing", "handle": "ing-responsible-disclosure", "url": "https://www.intigriti.com/programs/ing/ing-responsible-disclosure/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Any ING (sub)domain", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "b084e962-1d83-4bec-9d46-0f02c0f7bf88", "name": "InnoGames", "company_handle": "innogames", "handle": "innogames", "url": "https://www.intigriti.com/programs/innogames/innogames/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 4500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Backend/Non-Game", "description": "* *.igpayment.com\nThis is our payment environment used in all of our games.\n\n* *.innogames.de\nThis wildcard hosts backend services, which are not intended to be seen by end users. \n\n* login.innogames.de\nThis is our central login and account management tool. We do not provide accounts for this service and there are no registration pages available. 
 \n\n* *.innogames.com\n\n* www.innogames.com\n***Please do not send applications through the application form. This is a 3rd party tool and out-of-scope.***\n\n* support.innogames.com\n***Please avoid creating many new tickets, but instead concentrate your testing on the ticket contents.***\n\n**Note for automated-scanning:**\nWe are happy that you are as enthusiastic as we are about this program!\nTo not impact our live-systems and other researchers too much, we ask you to keep your automated scanners on a scan rate of 1 request/s. ", "impact": "Tier 1" }, { "type": "other", "endpoint": "Elvenar", "description": "* xs-play.elvenar.com\nThe landing page for the game login.\n\n* xs0.elvenar.com\nThe master server, which performs authentication and holds inventory of \"game-world-wide\" player data.\n\n* xs1.elvenar.com\nThis is the actual game world, where the game takes place.\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Forge of Empires", "description": "* xs-play.forgeofempires.com\nThe landing page for the game login.\n\n* xs0.forgeofempires.com\nThe master server, which performs authentication and holds inventory of \"game-world-wide\" player data.\n\n* xs1.forgeofempires.com\nThis is the actual game world, where the game takes place.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Grepolis", "description": "* xs-play.grepolis.com\nThe landing page for the game login.\n\n* xs0.grepolis.com\nThe master server, which performs authentication and holds inventory of \"game-world-wide\" player data.\n\n* xs1.grepolis.com\nThis is the actual game world, where the game takes place.\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Tribal Wars", "description": "* tribalwars.cash / xs0.tribalwars.cash\nThe master server, which performs authentication and holds inventory of \"game-world-wide\" player data.\n\n* xs(1-3).tribalwars.cash\nThese are the actual game worlds, where the game takes place.\n", "impact": "Tier 2" } ], "out_of_scope": [ 
{ "type": "url", "endpoint": "autodiscover.innogames.de", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "exchange.innogames.de", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "igjam.eu", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jamf.innogames.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.innogames.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "newsroom.innogames.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pn.innogames.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "slack.innogames.de", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "typingmind.innogames.de", "description": null, "impact": "Out of scope" } ] } }, { "id": "10eb5e95-08e2-4f4e-8d22-f8c600a7acff", "name": "Intel®", "company_handle": "intel", "handle": "intel", "url": "https://www.intigriti.com/programs/intel/intel/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 250, "currency": "USD" }, "max_bounty": { "value": 100000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Hardware", "description": null, "impact": "Tier 1" }, { "type": "other", "endpoint": "Firmware", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Software", "description": null, "impact": "Tier 3" }, { "type": "other", "endpoint": "Services", "description": "Intel Cloud Service offerings are a wide range of services delivered on demand to companies and customers over the internet.", "impact": null }, { "type": "other", "endpoint": "IT Infrastructure", "description": "IT Infrastructure at Intel falls out of Scope of the Intel® Bug Bounty Program. 
For issues related to Intel's IT infrastructure (services or systems that are not customer-facing), please contact Intel's [External Security Research](mailto:external.security.research@intel.com) team. Any submissions to the Intel® Bug Bounty Program in this category will be forwarded internally to the appropriate team and closed with a neutral rating to researcher profile statistics wherever possible.\n", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "ee2612e7-e188-492f-9bb2-ba48651523de", "name": "Intergamma", "company_handle": "intergamma", "handle": "intergamma", "url": "https://www.intigriti.com/programs/intergamma/intergamma/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "www.gamma.nl/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "www.gamma.be/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "www.karwei.nl/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "kassa.gamma.nl/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "kassa.gamma.be/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "kassa.karwei.nl/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "mijn.gamma.nl/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "mijn.gamma.be/*", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "mijn.karwei.nl/*", "description": null, "impact": "Tier 1" }, { "type": "ios", "endpoint": "949829216", "description": "iOS app of GAMMA NL", "impact": "Tier 1" }, { "type": "ios", "endpoint": "950693949", "description": "iOS app of GAMMA BE", "impact": "Tier 1" }, { "type": "ios", "endpoint": 
"950680989", "description": "iOS app of Karwei", "impact": "Tier 1" }, { "type": "ios", "endpoint": "1558129454", "description": "Our brand new iOS app fully dedicated to paint, with nice features to use AR and see how the paint looks on your own wall.\nShares various web views with our website.\n\nTechnically equal to the Android version", "impact": "Tier 2" }, { "type": "android", "endpoint": "nl.gamma.app.android", "description": "Android app of GAMMA NL", "impact": "Tier 1" }, { "type": "android", "endpoint": "be.gamma.app.android", "description": "Android app of GAMMA BE", "impact": "Tier 1" }, { "type": "android", "endpoint": "nl.karwei.app.android", "description": "Android app of Karwei", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.gamma.nl/*", "description": "**Out of scope: mail.gamma.nl**\n\n\nThis covers all subdomains of gamma.nl not listed in Tier 1", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.gamma.be/*", "description": "**Out of scope: mail.gamma.be**\n\nThis covers all subdomains of gamma.be not listed in Tier 1", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.karwei.nl/*", "description": "**Out of scope: mail.karwei.nl**\n\n**api.maakafspraak.karwei.nl and maakafspraak.karwei.nl are listed separately**\n\nThis covers all subdomains of Karwei.nl not listed in Tier 1", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.intergamma.cloud", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.intergamma.nl/*", "description": "Corporate website", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.restintergamma.nl", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.intergamma-test.nl", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.werkenbijgamma.nl", "description": "Recruiting website", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.werkenbijgamma.be", "description": "Recruiting website", 
"impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.werkenbijkarwei.nl", "description": "Recruiting website", "impact": "Tier 3" }, { "type": "url", "endpoint": "irmg.nl", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "gammacademy.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "karwei-promotiepunt.nl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "gammalokaal.nl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.karweioutletstore.nl", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "nl.gamma.verf", "description": "Our brand new Android app fully dedicated to paint, with nice features to use AR and see how the paint looks on your own wall.\nShares various web views with our website.\n\nTechnically equal to the iOS version", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.configuratoren.nl/*", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "afspraakmaken.gamma.nl", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.afspraakmaken.gamma.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.afspraakmaken.gamma.nl", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.maakafspraak.karwei.nl", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "Everything related to configurators, both on primary as other domains", "description": "Temporary catch-all exclusion because of security maintenance and fixing of known issues", "impact": "Out of scope" }, { "type": "url", "endpoint": "horrenconfigurator-fr.gamma.be", "description": "Third party hosted application", "impact": "Out of scope" }, { "type": "url", "endpoint": "horrenconfigurator-nl.gamma.be", "description": "Third party hosted application", "impact": "Out of scope" }, { 
"type": "url", "endpoint": "horrenconfigurator.karwei.nl", "description": "Third party hosted application", "impact": "Out of scope" }, { "type": "url", "endpoint": "karwei-2018.hetmooistegordijn.nl", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "maakafspraak.karwei.nl", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.gamma.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.gamma.nl", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.karwei.nl", "description": null, "impact": "Out of scope" } ] } }, { "id": "3f6b3170-afd4-411c-84fc-24113a562ecf", "name": "KU Leuven Responsible Disclosure Program", "company_handle": "kuleuven", "handle": "kuleuvenrdp", "url": "https://www.intigriti.com/programs/kuleuven/kuleuvenrdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "iprange", "endpoint": "IPv4: 134.58.0.0/16", "description": null, "impact": "No Bounty" }, { "type": "iprange", "endpoint": "IPv6: 2a02:2c40::/32", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "www.trismegistos.org", "description": null, "impact": "Out of scope" } ] } }, { "id": "768ad323-335b-4710-9370-6b81925c122f", "name": "Kinepolis Group", "company_handle": "kinepolis", "handle": "website", "url": "https://www.intigriti.com/programs/kinepolis/website/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.klubcinema.fr", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": 
"*.megatix.be ", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "booking.mjrtheatres.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "extras.landmarkcinemas.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "identityserver.landmarkcinemas.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "kinepolis.megatix.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "luxfilmfestfilms.megatix.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "luxfilmfestproducts.megatix.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "luxfilmfesttickets.megatix.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "movieapi.kinepolis.megatix.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.ch", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.es", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.fr", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.lu", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "tickets.kinepolis.nl", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "userprofile-ui.landmarkcinemas.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.be ", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.ch ", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.com ", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.es ", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.fr ", 
"description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.lu", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kinepolis.nl", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.landmarkcinemas.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.mjrtheatres.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "business.kinepolis.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "business.kinepolis.lu", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "business.kinepolis.nl", "description": null, "impact": "Tier 2" }, { "type": "android", "endpoint": "com.inthepocket.kinepolis", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "extras-acc.landmarkcinemas.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://movieclub-int.kinepolis.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://movienow-int.kinepolis.be/admin", "description": "We are planning on using a new way to authenticate our INT/UAT testers, and it's active on this URL. 
Are there weaknesses on this page?", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://shop-acc.kinepolis.be/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "identityserver-acc.landmarkcinemas.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "kinepolis-studio.be", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "kinepolis/id368204284", "description": null, "impact": "Tier 2" }, { "type": "android", "endpoint": "nz.co.vista.android.movie.mjrtheatres", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "stage.landmarkcinemas.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "userprofile-acc.landmarkcinemas.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.kinepolis.biz", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.kinepolis.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.ch", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.fr", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.lu", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kinepolis.nl", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.landmarkcinemas.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.mjrtheatres.com", "description": null, "impact": "Tier 3" }, { "type": "ios", "endpoint": "522089287", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "egaming.kinepolis.es", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.cineramabios.nl", "description": null, "impact": "Out of scope" }, { "type": "url", 
"endpoint": "dev.kinepolis.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "helpdesk.landmarkcinemas.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.kinepolis.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "l.kinepolis.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "openx.kinepolis.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "shop.kinepolis.be", "description": "We'll be limiting testing for our eshop to the testing environment (shop-acc.kinepolis.be) for the time being.", "impact": "Out of scope" }, { "type": "url", "endpoint": "shop.kinepolis.es", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "shop.kinepolis.fr", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "shop.kinepolis.lu", "description": null, "impact": "Out of scope" } ] } }, { "id": "b98261a6-2339-4325-b00b-008e24b28e88", "name": "Kiwa Vulnerability Disclosure Program", "company_handle": "kiwa", "handle": "kiwavdp", "url": "https://www.intigriti.com/programs/kiwa/kiwavdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.kiwa.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.kiwa.info", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.kiwa.nl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.kiwa.no", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.kiwa.se", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "https://careers.kiwa.com/", "description": 
null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://qr.kiwa.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://www.kiwa.com/en/contact/", "description": null, "impact": "Out of scope" } ] } }, { "id": "d108eca8-374c-4e6f-a996-4af69c7bd079", "name": "Kruidvat", "company_handle": "aswatson", "handle": "kruidvat", "url": "https://www.intigriti.com/programs/aswatson/kruidvat/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 8500, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.kruidvat.nl", "description": "This is Kruidvat NL, our Dutch online Pharmacy.\nAPI spec: https://www.kruidvat.nl/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kruidvat.be", "description": "This is Kruidvat BE, our Belgian online Pharmacy.\nAPI spec: https://www.kruidvat.be/api/v2/api-docs", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Kruidvat BE iOS", "description": "This is our Kruidvat mobile app for Belgium.\nApp Link: https://apps.apple.com/be/app/kruidvat/id1151434781", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Kruidvat NL iOS", "description": "This is our Kruidvat mobile app for The Netherlands.\nApp Link: https://itunes.apple.com/nl/app/kruidvat-mobiele-app/id531631058", "impact": "Tier 1" }, { "type": "android", "endpoint": "Kruidvat BE Android", "description": "This is our Kruidvat mobile app for Belgium.\nApp Link: https://play.google.com/store/apps/details?id=nl.kruidvat.voordeelkaart", "impact": "Tier 1" }, { "type": "android", "endpoint": "Kruidvat NL Android", "description": "This is our Kruidvat mobile app for The Netherlands.\nApp Link: https://play.google.com/store/apps/details?id=be.kruidvat.voordeelkaart", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.kruidvatkids.nl", "description": "This is 
our Kruidvat Kids e-commerce website, specifically for the daycare market", "impact": null }, { "type": "url", "endpoint": "speelgoedfolder.kruidvat.nl", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "depliantdejouets.kruidvat.be", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "folder.kruidvat.be", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "folder.kruidvat.nl", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "speelgoedfolder.kruidvat.be", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "ecom-static.kruidvat.be", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "ecom-static.kruidvat.nl", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "ecom-data.kruidvat.be", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "magazine.kruidvat.be", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "ecom-data.kruidvat.nl", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "campaign.kruidvat.nl", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "campaign.kruidvat.be", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "campaign-uat.kruidvat.nl", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": 
"campaign-uat.kruidvat.be", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "cewe.kruidvat.nl", "description": "This is our third party website from the Kruidvat Netherlands Fotoservice by CEWE", "impact": null }, { "type": "url", "endpoint": "cewe.kruidvat.be", "description": "This is our third party website from the Kruidvat Belgium Fotoservice by CEWE", "impact": null }, { "type": "url", "endpoint": "cewetest.kruidvat.nl", "description": "This is our third party website from the Kruidvat Netherlands Fotoservice by CEWE", "impact": null }, { "type": "url", "endpoint": "cewetest.kruidvat.be", "description": "This is our third party website from the Kruidvat Belgium Fotoservice by CEWE", "impact": null }, { "type": "url", "endpoint": "digital.kruidvat.be", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "digital.kruidvat.nl", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "foto.kruidvat.be", "description": "This is our third party website from the Kruidvat Belgium Fotoservice by our own brand", "impact": null }, { "type": "url", "endpoint": "foto.kruidvat.nl", "description": "This is our third party website from the Kruidvat Netherlands Fotoservice by our own brand", "impact": null }, { "type": "url", "endpoint": "fotoservice.kruidvat.nl", "description": "This is our third party website from the Kruidvat Netherlands Fotoservice by our own brand", "impact": null }, { "type": "url", "endpoint": "fotoservice.kruidvat.be", "description": "This is our third party website from the Kruidvat Belgium Fotoservice by our own brand", "impact": null }, { "type": "url", "endpoint": "photo.kruidvat.be", "description": "This is our third party website from the Kruidvat Belgium Fotoservice by our own brand", "impact": null }, { "type": "url", "endpoint": "service.kruidvat.be", "description": "This is 
a customer service related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "service.kruidvat.nl", "description": "This is a customer service related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "servicefr.kruidvat.be", "description": "This is a customer service related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "www.cewe.kruidvat.be", "description": "This is our third party website from the Kruidvat Belgium Fotoservice by CEWE", "impact": null }, { "type": "url", "endpoint": "www.cewe.kruidvat.nl", "description": "This is our third party website from the Kruidvat Netherlands Fotoservice by CEWE", "impact": null }, { "type": "wildcard", "endpoint": "*.kruidvatkids.nl", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", "endpoint": "*.kruidvat.nl", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", "endpoint": "*.kruidvat.be", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.trekpleister.nl", "description": "This is Trekpleister, our Dutch online Pharmacy.\nAPI spec: https://www.trekpleister.nl/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.trekpleister.nl", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "campaign-uat.trekpleister.nl", "description": "An Adobe Campaign application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "ecom-data.trekpleister.nl", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "service.trekpleister.nl", "description": 
"This is a customer service related application from Kruidvat", "impact": null }, { "type": "url", "endpoint": "folder.trekpleister.nl", "description": "This is a marketing related application from Kruidvat", "impact": null }, { "type": "wildcard", "endpoint": "*.trekpleister.nl", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.prijsmepper.nl", "description": "This is the website for the Prijsmepper brand", "impact": null }, { "type": "wildcard", "endpoint": "*.prijsmepper.nl", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null } ], "out_of_scope": [] } }, { "id": "06ea3a06-58d5-4173-af0e-c2f1f98714c6", "name": "Lansweeper Bug Bounty Program", "company_handle": "lansweeper", "handle": "lansweeper1", "url": "https://www.intigriti.com/programs/lansweeper/lansweeper1/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "Lansweeper Discovery", "description": "Our new Lansweeper Discovery to discover IT and OT devices. 
This is the default software you will get when you start a trial.\n\n* Scanner can be downloaded from the cloud platform, more info here: https://community.lansweeper.com/t5/sites/install-network-discovery/ta-p/72388\n* Info on Lansweeper Discovery: https://community.lansweeper.com/t5/sites/lansweeper-discovery/ta-p/75199#feedbackquestions\n* OT specific: https://community.lansweeper.com/t5/lansweeper-ot/how-to-scan-your-ot/ta-p/64599", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.lansweeper.com", "description": "The cloud Platform, this also includes lecstaticcontent.lansweeper.com\n\nYou can request your trial on our website: https://www.lansweeper.com/download/ but always use \"intigriti.me\" address for any user account\n\nWith this trial you get access to our cloud platform (app.lansweeper.com) and Lansweeper Discovery.", "impact": "Tier 2" }, { "type": "url", "endpoint": "fb.lansweeper.com", "description": "More information: https://www.lansweeper.com/product/features/integrate/flow-builder/", "impact": "Tier 2" }, { "type": "url", "endpoint": "edge.lansweeper.com", "description": "Domain used during the two-way sync process between the local web console (on-premises software) and the cloud platform. \n\nYou can request your trial on our website: https://www.lansweeper.com/download/ but always use \"intigriti.me\" address for any user account. You have to install the on-premises software (try on-premises software) and link this to a cloud version. With this set-up you get access to our cloud platform (app.lansweeper.com), our on-premises scanner and the sync process (edge.lansweeper.com) between these two.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.lansweeper.com", "description": "Data API used for integrations with our cloud platform (app.lansweeper.com). 
\nMore information about our Data API: https://developer.lansweeper.com/docs/data-api/get-started/welcome", "impact": "Tier 2" }, { "type": "url", "endpoint": "backoffice.lansweeper.com", "description": "Internal backoffice portal for cloud platform\nNo authorisation will be given", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://lsagentrelay.lansweeper.com/", "description": "Our cloud relay server connection using LsAgent. If the computers you're scanning do not have a direct connection to your Lansweeper installation, scanned LsAgent data can be sent to our relay server in the cloud. This is only used in our old Lansweeper Classic software, so if you start the trial you should select our on-premises software (Lansweeper Classic).\n\nOur LsAgent is a cross-platform scanning agent that can scan computers both inside and outside of your network. It automatically collects an inventory from the computer it's installed on and sends the data back to the Lansweeper Classic installation, this can be done through our relay server in the cloud.\n\nFor this, you must enable relay access in your Lansweeper Classic installation. \nScanned LsAgent data is sent securely over HTTPS (TLS 1.2) to the relay server in Microsoft Azure, where it is encrypted as well. Your Lansweeper scanning server can retrieve the scanned data from the relay server, after which it is deleted from the relay. In order to use the relay server, make sure outbound traffic is allowed on your Lansweeper scanning server. Specifically, the scanning server must be able to make an outbound connection to port 443 of lsagentrelay.lansweeper.com, the cloud relay server. \n\nMore information about LsAgent can be found on our website: https://community.lansweeper.com/t5/scanning-your-network/introduction-to-lsagent-for-windows-linux-and-mac/ta-p/64473\n\nThe use of the relay server must explicitly be enabled in the Lansweeper web console. 
It is not enabled by default!", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.lansweeper.com/trial", "description": "Demo site with demo data to test the cloud platform\n\nAlways use \"intigriti.me\" address for any web form", "impact": "Tier 3" }, { "type": "url", "endpoint": "autoupdateapi.lansweeper.com", "description": "API for updating on-premises software", "impact": "Tier 3" }, { "type": "url", "endpoint": "docs.lansweeper.com", "description": "Lansweeper's technical documentation", "impact": "Tier 3" }, { "type": "url", "endpoint": "login.lansweeper.com", "description": "Auth0 identity provider for cloud platform.\nAlways use \"intigriti.me\" address for any user account", "impact": "Tier 3" }, { "type": "url", "endpoint": "on-premises software", "description": "The on-premises software is the latest available version on our website (www.lansweeper.com/changelog).\n\nYou can request your trial on our website: https://www.lansweeper.com/download/ but always use \"intigriti.me\" address for any user account. Click on 'try on-premises' below.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.lansweeper.com", "description": "Always use \"intigriti.me\" address for any web form\n\n**Out of scope for this domain:**\nStore.lansweeper.com\nwww.lansweeper.com/forum\nThird-party plug-ins (e.g. 
Pardot - CleverBridge - Botpress)", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.lansweeper.com", "description": "Any other public-facing Lansweeper related URL", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "other", "endpoint": " lsrunase2.0 and lsencrypt2.0 ", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.lansweeper.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "www.lansweeper.com/forum", "description": null, "impact": "Out of scope" } ] } }, { "id": "43c4b274-ccbd-4ea2-8047-d40b0b4205ac", "name": "Libelle", "company_handle": "dpgm", "handle": "libelle", "url": "https://www.intigriti.com/programs/dpgm/libelle/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.libelle.nl", "description": "excluding\n* libelle.nl/service\n* libelle.nl/inloggen\n* libelle.nl/login\n* libelle.nl/registreren", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.libelle.nl", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "* libelle.nl/inloggen", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* libelle.nl/login", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* libelle.nl/registreren", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* libelle.nl/service", "description": null, "impact": "Out of scope" } ] } }, { "id": "ad2bd496-536c-4c24-b885-ce01d66966b9", "name": "Marionnaud", "company_handle": "aswatson", "handle": "marionnaud", "url": "https://www.intigriti.com/programs/aswatson/marionnaud/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, 
"min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 8500, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.marionnaud.fr", "description": "This is Marionnaud France, our online Perfumery.", "impact": "Tier 1" }, { "type": "android", "endpoint": "Marionnaud France Android", "description": "This is our Marionnaud France (Android) app.\nApp link: https://play.google.com/store/apps/details?id=com.marionnaud.marionnaudfrance", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Marionnaud France iOS", "description": "This is our Marionnaud France (iOS) app.\nApp link: https://apps.apple.com/fr/app/marionnaud-france/id1127368763", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.marionnaud.fr", "description": "This is the API server of the Marionnaud France mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.marionnaud.fr", "description": "This subdomain is used to store static content for the www.marionnaud.fr e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.marionnaud.fr", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "ecom-data.marionnaud.fr", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "bdes-api.marionnaud.fr", "description": "This is the API for the bdese.marionnaud.fr supplier portal", "impact": null }, { "type": "url", "endpoint": "bdese.marionnaud.fr", "description": "This is a supplier portal for Marionnaud France", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.fr", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.es", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", 
"endpoint": "*.marionnaud.paris", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.com", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.marionnaud.at", "description": "This is Marionnaud Austria, our online Perfumery.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Marionnaud Austria iOS", "description": "This is our Marionnaud Austria (iOS) app.\nApp link: https://apps.apple.com/gb/app/marionnaud-%C3%B6sterreich/id1114541888", "impact": "Tier 1" }, { "type": "android", "endpoint": "Marionnaud Austria Android", "description": "This is our Marionnaud Austria (Android) app.\nApp link: App Link https://play.google.com/store/apps/details?id=at.marionnaud.customer", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.marionnaud.at", "description": "This is the API server of the Marionnaud Austria mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.marionnaud.at", "description": "This is the API server for the www.marionnaud.at website\nAPI spec: https://api.marionnaud.at/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.marionnaud.at", "description": "This subdomain is used to store static content for the www.marionnaud.at e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.marionnaud.at", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "ecom-data.marionnaud.at", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.de", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", 
"impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.at", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.marionnaud.ch", "description": "This is Marionnaud Switzerland, our online Perfumery.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Marionnaud Switzerland iOS", "description": "This is our Marionnaud Switzerland (iOS) app.\nApp link: https://apps.apple.com/ch/app/id1486316902", "impact": "Tier 1" }, { "type": "android", "endpoint": "Marionnaud Switzerland Android", "description": "This is our Marionnaud Switzerland (Android) app.\nApp link: https://play.google.com/store/apps/details?id=ch.marionnaud.customer", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.marionnaud.ch", "description": "This is the API server of the Marionnaud Switzerland mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.marionnaud.ch", "description": "This is the API server for the www.marionnaud.ch website\nAPI spec: https://api.marionnaud.ch/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.marionnaud.ch", "description": "This subdomain is used to store static content for the www.marionnaud.ch e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.marionnaud.ch", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "ecom-data.marionnaud.ch", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "extranet.marionnaud.ch", "description": "This is the extranet for Marionnaud Switzerland", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.ch", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", 
"endpoint": "www.marionnaud.it", "description": "This is Marionnaud Italy, our online Perfumery.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Marionnaud Italy iOS", "description": "This is our Marionnaud Italy (iOS) app.\nApp link: https://apps.apple.com/it/app/marionnaud/id883671274", "impact": "Tier 1" }, { "type": "android", "endpoint": "Marionnaud Italy Android", "description": "This is our Marionnaud Italy (Android) app.\nApp link: https://play.google.com/store/apps/details?id=it.marionnaud.customer", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.marionnaud.it", "description": "This is the API server of the Marionnaud Italy mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.marionnaud.it", "description": "This is the API server for the www.marionnaud.it website\nAPI spec: https://api.marionnaud.it/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.marionnaud.it", "description": "This subdomain is used to store static content for the www.marionnaud.it e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.marionnaud.it", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "ecom-data.marionnaud.it", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.it", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.marionnaud.hu", "description": "This is Marionnaud Hungary, our online Perfumery.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "Marionnaud Hungary iOS", "description": "This is our Marionnaud Hungary (iOS) app.\nApp link: https://apps.apple.com/hu/app/marionnaud-magyarorsz%C3%A1g/id1645840482", "impact": "Tier 2" }, { "type": "android", "endpoint": "Marionnaud Hungary 
Android", "description": "This is our Marionnaud Hungary (Android) app.\nApp link: https://play.google.com/store/apps/details?id=hu.marionnaud.customer", "impact": "Tier 2" }, { "type": "url", "endpoint": "media.marionnaud.hu", "description": "This subdomain is used to store static content for the www.marionnaud.hu e-commerce website", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.marionnaud.hu", "description": "This is the API server for the www.marionnaud.hu website\nAPI spec: https://api.marionnaud.hu/api/v2/api-docs", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.marionnaud.hu", "description": "This is the API server of the Marionnaud Hungary mobile app", "impact": "Tier 2" }, { "type": "url", "endpoint": "ecom-data.marionnaud.hu", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "campaign.marionnaud.hu", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.hu", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.marionnaud.cz", "description": "This is Marionnaud Czech Republic, our online Perfumery.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "Marionnaud Czech Republic iOS", "description": "This is our Marionnaud Czech Republic (iOS) app.\nApp link: https://apps.apple.com/cz/app/marionnaud-%C4%8Desko/id1641863747", "impact": "Tier 2" }, { "type": "android", "endpoint": "Marionnaud Czech Republic Android", "description": "This is our Marionnaud Czech Republic (Android) app.\nApp link: https://play.google.com/store/apps/details?id=cz.marionnaud.customer", "impact": "Tier 2" }, { "type": "url", "endpoint": "media.marionnaud.cz", "description": "This subdomain is used to store static content for the www.marionnaud.cz e-commerce website", 
"impact": "Tier 2" }, { "type": "url", "endpoint": "api.marionnaud.cz", "description": "This is the API server for the www.marionnaud.cz website\nAPI spec: https://api.marionnaud.cz/api/v2/api-docs", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.marionnaud.cz", "description": "This is the API server of the Marionnaud Czech Republic mobile app", "impact": "Tier 2" }, { "type": "url", "endpoint": "campaign.marionnaud.cz", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "ecom-data.marionnaud.cz", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "wildcard", "endpoint": "*.marionnaud.cz", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.marionnaud.ro", "description": "This is Marionnaud Romania, our online Perfumery.", "impact": "Tier 2" }, { "type": "android", "endpoint": "Marionnaud Romania Android", "description": "This is our Marionnaud Romania (Android) app.\nApp link: https://play.google.com/store/apps/details?id=ro.marionnaud.customer", "impact": "Tier 2" }, { "type": "ios", "endpoint": "Marionnaud Romania iOS", "description": "This is our Marionnaud Romania (iOS) app.\nApp link: https://apps.apple.com/ro/app/marionnaud-romania/id1021924260", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.marionnaud.ro", "description": "This is the API server for the www.marionnaud.ro website\nAPI spec: https://api.marionnaud.ro/api/v2/api-docs", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.marionnaud.ro", "description": "This is the API server of the Marionnaud Romania mobile app", "impact": "Tier 2" }, { "type": "url", "endpoint": "media.marionnaud.ro", "description": "This subdomain is used to store static content for the www.marionnaud.ro e-commerce website", "impact": "Tier 2" }, { 
"type": "wildcard", "endpoint": "*.marionnaud.ro", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.marionnaud.sk", "description": "This is Marionnaud Slovakia, our online Perfumery.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "Marionnaud Slovakia iOS", "description": "This is our Marionnaud Slovakia (iOS) app.\nApp link: https://apps.apple.com/gb/app/marionnaud-beaut%C3%A9-soins/id1127368763", "impact": "Tier 2" }, { "type": "android", "endpoint": "Marionnaud Slovakia Android", "description": "This is our Marionnaud Slovakia (Android) app.\nApp link: https://play.google.com/store/apps/details?id=sk.marionnaud.customer", "impact": "Tier 2" }, { "type": "url", "endpoint": "media.marionnaud.sk", "description": "This subdomain is used to store static content for the www.marionnaud.sk e-commerce website", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.marionnaud.sk", "description": "This is the API server of the Marionnaud Slovakia mobile app", "impact": "Tier 2" }, { "type": "url", "endpoint": "api.marionnaud.sk", "description": "This is the API server for the www.marionnaud.sk website\nAPI spec: https://api.marionnaud.sk/api/v2/api-docs", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.marionnaud.sk", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null } ], "out_of_scope": [] } }, { "id": "65c92f22-f631-4a07-a59d-e1f9ebcc811a", "name": "Meshtastic", "company_handle": "meshtastic", "handle": "meshtastic", "url": "https://www.intigriti.com/programs/meshtastic/meshtastic/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", 
"endpoint": "https://github.com/meshtastic/firmware", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "5ae71f99-d61e-42d2-b74e-b218530bb3b5", "name": "Mobile Vikings", "company_handle": "mv", "handle": "mobilevikings", "url": "https://www.intigriti.com/programs/mv/mobilevikings/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "mobilevikings.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "api.unleashed.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "jimmobile.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "uwa.mobilevikings.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "vpn.mobilevikings.be", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.mas.mobilevikings.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.mobilevikings.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.prd-pub.mobilevikings.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.prd.mobilevikings.be", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "mgm.mobilevikings.be", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "vikingco.be", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "vikingdeals.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.acc-pub.mobilevikings.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.acc.mobilevikings.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.dev-pub.mobilevikings.be", "description": null, 
"impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.dev.mobilevikings.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "vikinglab.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "forms.mobilevikings.be", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "23f5d877-7948-4740-830c-393e66753fc4", "name": "Monzo Public Bug Bounty Program", "company_handle": "monzobank", "handle": "monzopublicbugbountyprogram", "url": "https://www.intigriti.com/programs/monzobank/monzopublicbugbountyprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "GBP" }, "max_bounty": { "value": 12500, "currency": "GBP" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.monzo.com", "description": "The crux of Monzo where the APIs live as well as Monzo Business. Excludes the main website (like `monzo.com`/`www.monzo.com`).", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.prod-ffs.io", "description": "Where our internet-facing services are accessed", "impact": "Tier 1" }, { "type": "ios", "endpoint": "1052238659", "description": "The public seed of the Monzo app on iOS", "impact": "Tier 2" }, { "type": "android", "endpoint": "co.uk.getmondo", "description": "The public seed of the Monzo app on Android", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.monzo.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "monzo.com", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*/p2p/*", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*/contact-discovery/*", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*/inbound-p2p/*", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.monzo.me", 
"description": "Houses the services for the pay me/request payment feature", "impact": "Out of scope" }, { "type": "url", "endpoint": "community.monzo.com", "description": "We use a third-party service, Discourse, for our community forums. Third-parties are out of scope for our programs.", "impact": "Out of scope" }, { "type": "url", "endpoint": "login.internal.monzo.com", "description": "This is our connection to Okta for internal authentication. Third-parties are out of scope for our programs.", "impact": "Out of scope" }, { "type": "url", "endpoint": "monzo.me", "description": "Monzo.me is a service that allows Monzo users to easily receive money from others via a personalised link, even if the sender doesn't have a Monzo account.", "impact": "Out of scope" } ] } }, { "id": "56339d19-36cc-49a0-8e8f-b2502e00d165", "name": "Moralis VDP", "company_handle": "moralis", "handle": "moralisio", "url": "https://www.intigriti.com/programs/moralis/moralisio/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.moralis.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.bigmoralis.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.grandmoralis.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.moralis-internal.io", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.moralis-streams.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.moralis.io", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.moralisapp.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.moralishost.com", "description": null, "impact": "No Bounty" }, 
{ "type": "wildcard", "endpoint": "*.moralisweb3.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.usemoralis.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "docs.moralis.io", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "status.moralis.io", "description": null, "impact": "Out of scope" } ] } }, { "id": "c45fe6df-1e31-4701-8e75-e9f01919ea20", "name": "NVIDIA Vulnerability Disclosure Program", "company_handle": "nvidia", "handle": "nvidiavdp", "url": "https://www.intigriti.com/programs/nvidia/nvidiavdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "All NVIDIA assets are in scope! Including NVIDIA.com", "description": null, "impact": "Tier 2" } ], "out_of_scope": [ { "type": "other", "endpoint": "Third-party systems or domains referencing NVIDIA, non-secure error reporting 3rd party vulns already disclosed", "description": "Before initiating any testing or submitting a report, please ensure that the asset in question is genuinely owned or operated by NVIDIA. Descriptive phrases such as “compatible with NVIDIA GPU” do not constitute confirmation of NVIDIA’s ownership or control. 
When in doubt, we strongly encourage you to verify the asset's ownership through the program team to avoid unintentional testing of third-party systems.\n", "impact": "Out of scope" } ] } }, { "id": "67f303d5-5c5b-44ec-a278-874f818fbc48", "name": "Nestlé VDP", "company_handle": "nestlé", "handle": "nestlévdp", "url": "https://www.intigriti.com/programs/nestl%C3%A9/nestl%C3%A9vdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.nestle.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "2a8404d4-25b6-45f4-96b5-be2b2aea01d1", "name": "Nexuzhealth", "company_handle": "nexuzhealth", "handle": "nexuzhealth", "url": "https://www.intigriti.com/programs/nexuzhealth/nexuzhealth/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "android", "endpoint": "be.nexuzhealth.mobile.cpv", "description": "[CPV](https://play.google.com/store/apps/details?id=be.nexuzhealth.mobile.cpv)\nThis application is only to be used by personnel responsible for transport of patients. No logon information will be given.", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.nexuzhealth.mobile.kws", "description": "[KWS Companion](https://play.google.com/store/apps/details?id=be.nexuzhealth.mobile.kws)\nThis application is only to be used by healthcare professionals. 
No logon information will be given.", "impact": "Tier 2" }, { "type": "android", "endpoint": "be.nexuzhealth.mobile.mynexuz", "description": "[mynexuzhealth](https://play.google.com/store/apps/details?id=be.nexuzhealth.mobile.mynexuz)\nThis application is intended to be used by patients in order to consult their medical data, their doctors appointments and more. Login: see below.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "kws-companion/id1342124012", "description": "[KWS Companion](https://apps.apple.com/be/app/kws-companion/id1342124012)\nThis application is only to be used by healthcare professionals. No logon information will be given.", "impact": "Tier 2" }, { "type": "url", "endpoint": "mynexuz.be", "description": "This website is intended to be used by patients in order to consult their private data, their doctors & appointments and more. Login: see below.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "mynexuzhealth/id1459856321", "description": "[mynexuzhealth](https://apps.apple.com/be/app/mynexuzhealth/id1459856321)\nThis application is intended to be used by patients in order to consult their medical data, their doctors appointments and more. 
Login: see below.", "impact": "Tier 2" }, { "type": "url", "endpoint": "liquidfiles.nexuzhealth.com", "description": "Our secure large-file transfer solution", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.nexuzhealth.*", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.nexuzhealth.pro", "description": "Platform for healthcare providers (nexuzhealth pro)", "impact": "Out of scope" }, { "type": "url", "endpoint": "idp-contact.nexuzhealth.be", "description": "Please check the **UZ Leuven** public program", "impact": "Out of scope" }, { "type": "url", "endpoint": "media.nexuzhealth.be", "description": "Please check the **UZ Leuven** public program", "impact": "Out of scope" }, { "type": "ios", "endpoint": "nexuzhealth-pro/id1623165353", "description": "iOS App: nexuzhealth pro", "impact": "Out of scope" }, { "type": "url", "endpoint": "nexuzhealth.atlassian.net", "description": null, "impact": "Out of scope" }, { "type": "android", "endpoint": "pro.nexuzhealth.hn", "description": "Android App: nexuzhealth pro", "impact": "Out of scope" } ] } }, { "id": "d489d81f-6b42-4ef1-b7f8-f16d9b404621", "name": "Nexuzhealth VDP", "company_handle": "nexuzhealth", "handle": "nexuzhealthvdp", "url": "https://www.intigriti.com/programs/nexuzhealth/nexuzhealthvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "All assets related to nexuzhealth", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "ecf9c610-36eb-47df-8b25-bb496aff8015", "name": "Nexuzhealth Web PACS", "company_handle": "uz leuven", "handle": "nexuzhealthwebpacs", "url": "https://www.intigriti.com/programs/uz%20leuven/nexuzhealthwebpacs/detail", "status": "open", "confidentiality_level": "public", 
"tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 1000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "idp-contact.nexuzhealth.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "media.nexuzhealth.be/patient/", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "c7af90e7-ebe9-464f-9786-84970bc4cce3", "name": "OVO VDP", "company_handle": "ovoenergy", "handle": "ovovdp", "url": "https://www.intigriti.com/programs/ovoenergy/ovovdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "GBP" }, "max_bounty": { "value": 0, "currency": "GBP" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.bonnetapps.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.boostpower.co.uk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.corgihomeheat.co.uk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.corgihomeplan.co.uk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.corgihomeplan.uk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.gridsvc.net", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.joinbonnet.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ovo-live.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ovo-sso.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ovo.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ovoener.gy", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ovoenergy.com", "description": null, 
"impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.ovotech.org.uk", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "pol-dev.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prod.tardis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pol.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "notification-service.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "developer.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "aws.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.prd.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cheque-payouts.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "servicecomms-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "payments-api.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "direct-debit-review.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "argocd.metering-shared-test.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mon.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "worldpay-webhook-ovotest.uat.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "kafka-connect-fintxns.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "recommended-dds.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", 
"endpoint": "engineering-handbook.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "login-aggregator.internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "aiven-kafka-users-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "retail-payg.gcp.nonprod.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "keg-tap-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mq01.dev.ptl.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "kafka-connect-fintxns.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "test-simple-event.data-availability.gcp.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "id-oot.dev.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "retail-aiven-kafka-users.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "oot.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "smex-scheduler-test.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prod.flow-platform.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rac-spam.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "admin.internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "tardis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bast-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": 
"artemis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "accounts-internal-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "fakeidserver.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "log.prd.mon.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prx01.uat.ptl.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "argocd.metering-shared-sandbox.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bast-aus.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "worldpay-webhook-orion.uat.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "flow-platform.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bast-uat-aus.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "eng-svc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "smex-scheduler-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cms-flags.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "tariffs-service.prd.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "contracts-api.prd.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jaws-prod.ovotech.org.uk", "description": null, "impact": "Out of 
scope" }, { "type": "url", "endpoint": "cloudquery-grafana.seceng-prod-aws.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "internal.prod.tardis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "account-transaction.rise.gcp.nonprod.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "impulsive.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "sis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "profile-coefficients.prd.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.smb.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "frontend-api.prod.usage.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "retail-payg.gcp.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "webhook.uat.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.uat.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "recommended-dds.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "orion-bolton-service.prd.props.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "direct-debit-review.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "smex-scheduler-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, 
{ "type": "url", "endpoint": "api.test.he.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "argocd.metering-shared-non-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "aiven-kafka-users.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bast-load-test.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "load-test-event.test-tap-team.gcp.nonprod.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth0.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "public.bws-testing.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "testlab.gcp.infosec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "terraform.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "notification-service-public.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "estimation.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "infosec-audit.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "contract-update-service.prd.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "manual-readings.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "webhook.prd.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "servicecomms-dev.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "data-availability.gcp.bedrock.ovotech.org.uk", "description": null, "impact": "Out of 
scope" }, { "type": "url", "endpoint": "salesforce.prod.oot.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "self-serve-refunds.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cip.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bws-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth.id.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "smex-scheduler-sandbox.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "nonprod.cip.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "accounts-internal-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "sis-sandbox.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cheque-payouts.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "accounts-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jaws-testing.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "orion-bolton-service.uat.props.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "nonprod.tardis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "payments-api.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "replay.prd.rac.ovotech.org.uk", "description": 
null, "impact": "Out of scope" }, { "type": "url", "endpoint": "login.internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bws.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bws-testing.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "argocd.metering-shared-non-prod-aus.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prd.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prod.growth.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "sme.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "seceng-nonprod-aws.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "nonprod.growth.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jaws-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "orion-onboarding-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "argocd.metering-shared-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "worldpay-webhook-orion.prd.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "internal.id-test.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "notification-service-uat-public.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "nonprod.flow-platform.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", 
"endpoint": "contract-update-service.uat.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "kafka-connect-fintxns.prod.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rise.gcp.nonprod.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prod.oot.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "test-cert-manager.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth-green.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "servicecomms.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "reads-lifecycle-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "tariffs-service.uat.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "public-manual-readings.prd.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.payments.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bws-sandbox.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "profile-coefficients.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "asp-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": 
"internal.nonprod.tardis.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bast.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.nonprod.flow-platform.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rise.gcp.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "asp-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "estimation.prd.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ipam.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "replay.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "homemoves-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth-green.internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.prd.meters.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.onboarding.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "homemoves-prod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "payment-dd-service.uat.ptl.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "frontend-api.uat.usage.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "orion-onboarding.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "account-activation-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prd.smb.ovotech.org.uk", "description": null, "impact": "Out of 
scope" }, { "type": "url", "endpoint": "uat.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "move-ins.prod.homemoves.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cost-usage.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "sonarqube.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "public-manual-readings.uat.randc.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "nonprod.oot.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "sis-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "direct-debit-review-exemption.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "accounts-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "contracts-api.uat.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "log.uat.mon.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "scully-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "self-serve-refunds.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "shipit.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "core-billing.gcp.nonprod.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "notification-service-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": 
"manual-reads.prd.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pol-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth.internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "admin.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "bast-test-aus.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.he.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prd.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "account-transaction.rise.gcp.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "rac-spam.prd.rac.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "prod.usage.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.nonprod.oot.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "public.homemoves-*.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "contracts-api.*.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.prod.oot.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "api.uat.meters.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth-internal.id-uat.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "payment-dd-service.prd.ptl.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pol-staging.ovotech.org.uk", "description": null, "impact": 
"Out of scope" }, { "type": "url", "endpoint": "reads-lifecycle-nonprod.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cms-flags.uat.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "move-ins.nonprod.homemoves.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jaws-sandbox.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uat.usage.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "direct-debit-review-exemption.prd.pace.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "data-availability.gcp.nonprod.bedrock.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.ec.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "qs.ovotech.org.uk", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.oisl.gg", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "appsfwd.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "askovo.net", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth-retail.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "auth-www.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cctv-mgr.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cev.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "documentum.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ecomms.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", 
"endpoint": "fortivpn.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "forum.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "greeninstaller.co.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "hackable-lenny.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "hackable-sarge.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "hackable-slink.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "hackable-woody.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "http://vp-alexandria.gridsvc.net/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "learn.ovo.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "lightning.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovo-comms-uat.co.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovo-comms.co.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovo.itgcanopy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovobyus.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovocards.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovocommunity.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovofoundation.org.uk", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ovomyrewards.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "paybylink.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "pma.ovoenergy.com", "description": null, "impact": "Out of scope" }, { 
"type": "url", "endpoint": "survey.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "tech.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "testrailapp.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "thirdpartyassurance.ovoenergy.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "tracking.ovo.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "188976b1-e8b3-4132-a6f6-e96113599474", "name": "Oda", "company_handle": "oda", "handle": "oda", "url": "https://www.intigriti.com/programs/oda/oda/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 75, "currency": "EUR" }, "max_bounty": { "value": 4000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "login.prod.nube.tech", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "1076840480", "description": "Mathem iOS app - used by our swedish customers to order groceries", "impact": "Tier 2" }, { "type": "ios", "endpoint": "1079537578", "description": "Oda iOS app - used by our norwegian customers to order groceries", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://mathem.se", "description": "The main shop and brand in Sweden.", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://oda.com", "description": "The main shop used in Norway.", "impact": "Tier 2" }, { "type": "android", "endpoint": "no.kolonial.tienda", "description": "Oda android app - used by our norwegian customers to order groceries", "impact": "Tier 2" }, { "type": "android", "endpoint": "se.mathem.mathem", "description": "Mathem android app - used by our swedish customers to order groceries", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.oda.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", 
"endpoint": "*.prod.nube.tech", "description": "Should mostly be internal services", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "2f8db691-ed2b-4796-9b31-d808efb80dfa", "name": "Online enrollment for students Bug Bounty Program", "company_handle": "kuleuven", "handle": "onlineinschrijvingenbetalingstoepassing", "url": "https://www.intigriti.com/programs/kuleuven/onlineinschrijvingenbetalingstoepassing/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://associatie.kuleuven.be/inschrijvingen/oli_login_50000050", "description": "🇬🇧🇳🇱 the registration/login part on idp.kuleuven.be itself is out of scope for the program", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://webwsp.aps.kuleuven.be/sap/bc/ui5_ui5/sap/zc_oi_appl/", "description": "🇬🇧🇳🇱 ", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "ecc515cc-c0c1-4a72-966a-ba2baef4d35f", "name": "Orbia Responsible Disclosure", "company_handle": "orbia", "handle": "orbiavdp", "url": "https://www.intigriti.com/programs/orbia/orbiavdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.alphagary.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.alphagarycompuestos.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.amanco.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.biarrinetworks.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.bow-group.com", "description": null, "impact": "No Bounty" }, { "type": 
"wildcard", "endpoint": "*.duraline.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.klea.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.kouraglobal.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.metropolder.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.mexichem.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.naiad.cloud", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.naiad.ninja", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.netafim.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.orbia.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.orbiaglobal.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.plastigama.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.polderroof.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.silatronix.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.sylvin.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.vestolit.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wavin.com", "description": "Multiple geo top level domain (e.g. 
wavin.nl) re-directing to wavin.com", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wavin.io", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.zephex.com", "description": null, "impact": "No Bounty" }, { "type": "ios", "endpoint": "1383688497", "description": null, "impact": "No Bounty" }, { "type": "ios", "endpoint": "1517825382", "description": null, "impact": "No Bounty" }, { "type": "ios", "endpoint": "1616009566", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "aqora.naiad.*", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "br.com.ideia2001.CatalogoWavin", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "com.instalsoft.wavinsmartinstalsystem", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "com.RD3Digital.AmancoWavinRA", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "com.wavin.sentio", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "ios", "endpoint": "1584170510", "description": null, "impact": "Out of scope" }, { "type": "android", "endpoint": "com.loyaltyworks.wavinapp", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.vectus.in", "description": null, "impact": "Out of scope" } ] } }, { "id": "64f80113-969e-4c55-9649-8a044487941c", "name": "PDQ bug bounty program", "company_handle": "pdq", "handle": "pdqcomprivate", "url": "https://www.intigriti.com/programs/pdq/pdqcomprivate/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://app.pdq.com/", "description": "Production environment for our PDQ Connect — please take care not to disrupt any services when testing", 
"impact": "Tier 3" }, { "type": "url", "endpoint": "https://portal.pdq.com/", "description": "Production environment for our billing portal — please take care not to disrupt any services when testing", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://a.simplemdm.com/", "description": "Production environment for SimpleMDM — please take care not to disrupt any services when testing", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://auth2.pdq.com/", "description": "Production environment for our authentication tool — please take care not to disrupt any services when testing", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://library.pdq.com/", "description": "Production environment for our Package Library — please take care not to disrupt any services when testing", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "https://*.pdq.com/", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "https://*.pdq.tools/", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "https://*.simplemdm.com/ ", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "https://*.smartdeploy.com/ ", "description": null, "impact": "Out of scope" } ] } }, { "id": "9ef59fe8-d021-4d23-9521-0d7d01da03ee", "name": "PeopleCert VDP", "company_handle": "peoplecert", "handle": "peoplecert", "url": "https://www.intigriti.com/programs/peoplecert/peoplecert/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://hstconboarding.peoplecert.org/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://passport.peoplecert.org/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "atv.peoplecert.org", 
"description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "selt.languagecert.org", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.languagecert.org", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.peoplecert.org", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "694f3e58-f408-4a3f-8e2a-1b562650399a", "name": "Personio", "company_handle": "personio", "handle": "personio", "url": "https://www.intigriti.com/programs/personio/personio/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.app.personio-dev.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.app.personio.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.personio-internal.de", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.personio.tools", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.personio-dev.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.personio.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://*.personio.de", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "https://*.personiowhistleblowing.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://community.personio.com", "description": "It is recommended for researchers to follow the following process for our community platform so as to avoid spamming regular user. 
Any activity not within the following parameters will not be considered a valid submission:\n\n**Step 1:**\nGo to 🇪🇺 https://community.personio.com or 🇩🇪https://community.personio.de\n\n**Step 2:**\nIf you have an account, click on 🇪🇺 Log in or 🇩🇪Einloggen to log in.\nIf you don’t have an account yet, click on Sign up or Registrieren in the Menu Bar to sign up\n\n**Step 3:**\nClick on 🇪🇺 Ask the Community or 🇩🇪Frag’ die Community to publish a new thread / post.\n\n**Step 4:**\nWhen publishing your post, select the Category: \"Hacking Playground\" which has been set up specifically for Intigriti researchers\n\nIf you just signed up and cannot see it yet, please wait a couple of minutes, then refresh.\nIf you still cannot see it, please contact community@personio.de for assistance.\n\nAs a result, your post will land in the Hacking Playground Area.\n\n🇪🇺https://community.personio.com/hacking-playground-156 or 🇩🇪https://community.personio.de/hacking-playground-243\n", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://hug.personio.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://sec-test--.personio.de", "description": "Please see the FAQ for creation instructions", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.personio.com/free-trial/", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "https://www.personio.de/kostenlos-testen/", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "Other assets owned by Personio", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "url", "endpoint": " www.personio.de", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "personio.slack.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "statuspage.personio.de", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "support.personio.de", "description": null, "impact": "Out of scope" 
}, { "type": "url", "endpoint": "www.personio.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "www.personio.es", "description": null, "impact": "Out of scope" } ] } }, { "id": "0f05f9cd-03e1-4f90-a449-2f43cdaf879a", "name": "Port of Antwerp-Bruges", "company_handle": "portofantwerp", "handle": "portofantwerp", "url": "https://www.intigriti.com/programs/portofantwerp/portofantwerp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 4500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "iprange", "endpoint": "188.118.8.0/25", "description": null, "impact": "Tier 2" }, { "type": "iprange", "endpoint": "94.107.237.192/26", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": " login-test.portofantwerpbruges.com/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "apps-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "apps-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "apps.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "apps.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "as2-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "as2-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" 
}, { "type": "url", "endpoint": "as2.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "as2.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "digitalspecs.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login-accpt.portofantwerpbruges.com", "description": "NEW login page", "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "maximo.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "my-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "my-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "my.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "my.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "notula-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "oprc.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "register-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "register-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk-accpt.portofantwerpbruges.com", 
"description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "servicedesk.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "share-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "share-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "share.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "share.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps-test.portofantwerpbruges.com/xui", "description": "The NEW login page can currently only be accessed in the TEST environment", "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webapps.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki-accpt.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki-accpt.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki.portofantwerp.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "wiki.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.oursustainableport.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.portofantwerpbruges.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "erpx.unit4cloud.com/u4erx_pab_acp1", "description": 
null, "impact": "Tier 3" }, { "type": "url", "endpoint": "erpx.unit4cloud.com/u4erx_pab_prev", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "erpx.unit4cloud.com/u4erx_pab_prod", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.portofantwerp.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.portofantwerpbruges.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "future.portofantwerp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "future.portofantwerpbruges.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.portofantwerp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.portofantwerpbruges.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "media.portofantwerp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "media.portofantwerpbruges.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "register.portofantwerp.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "register.portofantwerpbruges.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "c12292a3-d997-406f-863b-42d223dcbae6", "name": "Proof.com VDP", "company_handle": "proof", "handle": "proofvdp", "url": "https://www.intigriti.com/programs/proof/proofvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://verify.proof.com", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://api.proof.com", "description": null, "impact": "No Bounty" }, { "type": "url", 
"endpoint": "https://app.proof.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "3f79ce72-f3f5-4ec4-9b4b-b8328d577e78", "name": "Qualified Responsible Disclosure Program", "company_handle": "qualified", "handle": "qualifiedresponsibledisclosureprogram", "url": "https://www.intigriti.com/programs/qualified/qualifiedresponsibledisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "app.qualified-dev.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.qualified.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.qualified.com/v1", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "452a516e-fc32-4285-96e5-97ad5e5e9595", "name": "RGF BE - VDP", "company_handle": "rgfstaffing", "handle": "rgfbe-vdp", "url": "https://www.intigriti.com/programs/rgfstaffing/rgfbe-vdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "http://uat-www.startpeople.be/", "description": "The website located at https://uat-www.startpeople.be/nl/ is the User Acceptance Testing (UAT) version of Start People's official website, startpeople.be. This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. 
This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://uat-www.brightplus.be", "description": "The website located at https://uat-www.brightplus.be/nl/ is the User Acceptance Testing (UAT) version of BrightPlus official website, brightplus.be. This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://uat-www.career.be", "description": "The website located at https://uat-www.career.be/nl/ is the User Acceptance Testing (UAT) version of Unique Career official website, career.be. This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://uat-www.entrili.com", "description": "The website located at https://uat-www.entrili.be/nl/ is the User Acceptance Testing (UAT) version of Entrili's official website, entrili.be. This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. 
It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://uat-www.unique.be", "description": "The website located at https://uat-www.unique.be/nl/ is the User Acceptance Testing (UAT) version of Unique official website, unique.be. This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://uat-www.uniqueselect.be", "description": "The website located at https://uat-www.uniqueselect.be/nl/ is the User Acceptance Testing (UAT) version of Unique Select official website, uniqueselect.be. This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://uat-www.usgprofessionals.be", "description": "The website located at https://uat-www.usgprofessionals.be/nl/ is the User Acceptance Testing (UAT) version of USG Professionals official website, usgprofessionals.be. 
This UAT environment is used for testing new features, updates, and configurations before they are implemented on the live production site. It allows for testing functionality, identifying potential bugs or vulnerabilities, and ensuring everything works as expected in a safe, non-public environment. This helps ensure that any changes are thoroughly vetted before going live, providing a secure and stable experience for users.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.brightplus.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.career.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.entrili.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.expressmedical.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.jobinson.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.public-sourcing.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.rgfstaffing.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.solvus.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.startpeople.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.unique.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.uniqueselect.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.usgprofessionals.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://pen-app.entrili.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "201f8ade-4d93-4d8b-b371-af5ed9d8b837", "name": "RIPE NCC", "company_handle": "ripencc", "handle": "ripencc", "url": 
"https://www.intigriti.com/programs/ripencc/ripencc/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "access.ripe.net", "description": "This is the authentication service for our membership and community, mostly used for all of our membership (e.g. LIR) applications.\nWe strongly suggest that you adjust your scanners to the request-rate limit (req/sec) we mention.\n\nPlease adhere to the **out of scope** rules below.\n", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-commons", "description": "This library contains an implementation of an X.509 v3 certificate extension which binds a list of IP address blocks or prefixes to the subject of a certificate (IP Address Delegation Extension).", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-core", "description": "This repository contains the source code for the RIPE NCC certification. We strive to publish as many components as possible with reasonable effort. 
Some elements or information are not included, either because of our threat model or because we cannot publish them.", "impact": "Tier 1" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/whois", "description": "RIPE Database whois code repository.\n\n", "impact": "Tier 1" }, { "type": "url", "endpoint": "lirportal.ripe.net", "description": "Our portal page for LIRs, where they can access their information and more.\nSince this portal is designed to give access only to LIRs, you can't create an account.\n\n**Until then**;\n\n* Be careful about unauthorized data access here\n* Limit your tools' requests", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.ripe.net", "description": "Our main domain.\nWe suggest you check the out-of-scope section of our program if you discover any vulnerabilities on this domain or its subdomains.\nTo make your reports better, we suggest you check the IP address of the asset you've found so you can tell whether the address is in scope or out of scope.\n", "impact": "Tier 2" }, { "type": "iprange", "endpoint": "193.0.0.0/19 and 2001:67c:2e8::/48", "description": "This is our IP Range.\nSince we let some people host their content, there are some exclusions.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-monitoring", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-publication-server", "description": "This is the RIPE NCC's implementation of RFC 8182 - The RPKI Repository Delta Protocol and a draft of RFC 8181 - A Publication Protocol for the Resource Public Key Infrastructure.", "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rpki-ta-0", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "https://github.com/RIPE-NCC/rsyncit", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "Assets owned by RIPE NCC", "description": null, 
"impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.anchors.atlas.ripe.net", "description": "These probes and anchors are not hosted in networks managed by the RIPE NCC, but in networks participating in the RIPE Atlas project. If you find any vulnerabilities for IP addresses associated with RIPE Atlas probes/anchors, you will need to report them to the security teams of the responsible network operators.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.probes.atlas.ripe.net", "description": "These probes and anchors are not hosted in networks managed by the RIPE NCC, but in networks participating in the RIPE Atlas project. If you find any vulnerabilities for IP addresses associated with RIPE Atlas probes/anchors, you will need to report them to the security teams of the responsible network operators.", "impact": "Out of scope" }, { "type": "url", "endpoint": "193.0.0.160/27", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "2001:67c:2e8:3::/64", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "Any *.ripe.net host that is located outside of the in-scope IP ranges ", "description": "The RIPE NCC uses a number of SaaS providers that a *.ripe.net record may point to. However, these services are not maintained by the RIPE NCC and are not part of this Bug Bounty program. 
If you think a specific host may be in scope, please contact Intigriti Support", "impact": "Out of scope" }, { "type": "url", "endpoint": "Any of the beta/dev environments", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "exams.ripe.net", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "RIPE Meeting network (2001:67c:64::/48 and 193.0.24.0/21)", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ripe(1to87).ripe.net", "description": null, "impact": "Out of scope" } ] } }, { "id": "b2049472-b637-49c3-b9cc-077c676f093c", "name": "Randstad", "company_handle": "randstad", "handle": "randstad", "url": "https://www.intigriti.com/programs/randstad/randstad/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.randstad.*", "description": "Out of Scope: workplace.randstad.in & apps.randstad.in", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.randstadrisesmart.*", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.risesmart.*", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Any related Randstad domain", "description": null, "impact": "Tier 2" } ], "out_of_scope": [ { "type": "url", "endpoint": "apps.randstad.in", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "cz.randstad.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "workplace.randstad.in", "description": null, "impact": "Out of scope" } ] } }, { "id": "e1dc7326-0466-4c06-bd52-3c6df82370be", "name": "Red Bull", "company_handle": "redbull", "handle": "redbull", "url": "https://www.intigriti.com/programs/redbull/redbull/detail", "status": "open", "confidentiality_level": "public", 
"tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "https://gist.github.com/RedBullSecurity/3eb88debcb01759eccf65ec2b799b340", "description": "## Please use only this list to search for targets.\n\nDomains that are related to Red Bull and can be found on [this list](https://gist.github.com/RedBullSecurity/3eb88debcb01759eccf65ec2b799b340). \n- Submissions affecting other domains than the ones on the list will be out of scope. \n- Please stop enumerating Red Bull related domains, and work based on the list provided.\n\nAny subdomain not mentioned in this list, will be considered as out of scope.", "impact": "No Bounty" }, { "type": "other", "endpoint": "IOS and Android apps related to Red Bull", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.newyorkredbulls.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "9a3f850e-4387-4434-98c7-dba2827b727b", "name": "Revolut VDP", "company_handle": "revolut", "handle": "revolutvdp", "url": "https://www.intigriti.com/programs/revolut/revolutvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "GBP" }, "max_bounty": { "value": 0, "currency": "GBP" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "All domains of Revolut", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "afaeab02-261f-486e-8a43-4dee76fccabb", "name": "Rivian Bug Bounty", "company_handle": "rivian", "handle": "rivianbugbounty", "url": "https://www.intigriti.com/programs/rivian/rivianbugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 5000, "currency": 
"USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://business.rivian.com/api", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "https://rivian.com/api/gql/content/graphql", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "https://rivian.com/api/gql/gateway/graphql", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "https://rivian.com/api/gql/orders/graphql", "description": null, "impact": "Tier 1" }, { "type": "wildcard", "endpoint": " *.rivian.com", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "1570215232", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "basecamp.rivian.com", "description": null, "impact": "Tier 2" }, { "type": "android", "endpoint": "com.rivian.android.consumer", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "rivian.com", "description": null, "impact": "Tier 2" } ], "out_of_scope": [ { "type": "url", "endpoint": "assets.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "demovehicles.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "feedback.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "internalshop.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "media.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "stories.rivian.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "view.e.rivian.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "196fa177-ac2d-41b0-91bb-07bc9db43b7a", "name": "SBB - Swiss Federal Railways", "company_handle": "sbb", "handle": "sbbglobal", "url": "https://www.intigriti.com/programs/sbb/sbbglobal/detail", 
"status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 6666, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": " Mobile Apps", "description": "**SBB Mobile** - your personal travel companion for public transport.\n[SBB Mobile IOS](https://apps.apple.com/us/app/sbb-mobile/id294855237) | [SBB Mobile Android](https://play.google.com/store/apps/details?id=ch.sbb.mobile.android.b2c&feature=search_result&hl=en)\n\n**SBB Preview** - [always be among the first to test the latest features.](https://www.sbb.ch/en/travel-information/apps/sbb-preview.html)\n[SBB Preview IOS](https://apps.apple.com/us/app/sbb-preview/id1074833098) | [SBB Preview Android](https://play.google.com/store/apps/details?id=ch.sbb.mobile.android.preview)\n\n**Backend URLs**\n[*.sbbmobile.ch]()\n\nPlease find more details about the apps in the\n[FAQ for SBB Mobile and SBB Preview](https://www.sbb.ch/en/help-and-contact/products-services/apps/sbb-mobile-sbb-preview/sbb-mobile-app.html)", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.swisspass.ch", "description": "[Swisspass](https://www.swisspass.ch/home?lang=en) is the key to mobility in Switzerland.\n\nWith SwissPass, customers can manage their travelcard details easily and use the partner services.", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.sbb.ch", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.sbb.ch", "description": null, "impact": "Tier 3" }, { "type": "other", "endpoint": "Mobile Apps", "description": "**SBB Freesurf** - browse the web for free on the train.\n[SBB Freesurf IOS](https://apps.apple.com/us/app/sbb-freesurf/id1437409619) | [SBB Freesurf Android](https://play.google.com/store/search?q=freesurf&c=apps&hl=en)\n\n**SBB GO** - as a study participant, you can record your customer journey with the SBB go app and evaluate SBB 
Touchpoints along your journey.\n[SBB GO IOS](https://apps.apple.com/ch/app/sbb-go/id1224135762) | [SBB GO Android](https://play.google.com/store/apps/details?id=ch.sbb.kd.kom.sbbgo)\n\n**SBB Inclusive** - provides visual and digital customer information in stations and on SBB long-distance services\n[SBB Inclusive IOS](https://apps.apple.com/ch/app/sbb-inclusive/id1495023290) | [SBB Inclusive Android](https://play.google.com/store/apps/details?id=ch.sbb.inclusive&hl=en)\n\n**SBB P-Rail** - [your parking space at the station](https://www.sbb.ch/en/tickets-offers/private-transport/car-parking/park-and-rail.html)\n[P+Rail IOS](https://apps.apple.com/us/app/p-rail/id1355008152) | [P+Rail Android](https://play.google.com/store/apps/details?id=ch.sbb.prail2&hl=en_US&gl=US&pli=1=)", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.elvetino.ch", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "www.sbbcargo.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "www.transsicura.ch", "description": null, "impact": "Tier 3" }, { "type": "other", "endpoint": "All other Web and mobile APPs owned by SBB ", "description": null, "impact": null }, { "type": "other", "endpoint": "All other SBB owned IT assets", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "2f896c63-2720-48f4-a727-aa919aeeec85", "name": "Signicat Responsible Disclosure", "company_handle": "signicat", "handle": "signicatresponsibledisclosure", "url": "https://www.intigriti.com/programs/signicat/signicatresponsibledisclosure/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "ReadID", "description": "Any domains or services related to our ReadID product", "impact": "No Bounty" }, { "type": "other", "endpoint": 
"Dokobit", "description": "Any domains or services related to Dokobit by Signicat as a brand", "impact": "No Bounty" }, { "type": "other", "endpoint": "Signicat", "description": "Any domains or services related to Signicat as a brand", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "0d585f25-b705-4141-a961-66d6ade8942e", "name": "SimScale", "company_handle": "simscale", "handle": "simscale", "url": "https://www.intigriti.com/programs/simscale/simscale/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 250, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "SimScale API", "description": "API URL: `https://api.simscale.com`\n\nThe API doc is available at https://api.simscale.com.\n\nAPI keys can be managed in the [API keys page](https://www.simscale.com/dashboard/api_keys).\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "SimScale Platform", "description": "The following areas and paths under domain `https://www.simscale.com`:\n\n#### User Account & Security\nIncludes all aspects of user accounts, including signup, login, password management, API keys, and session handling.\n\nPaths: `/signup/*`, `/signin/*`, `/dashboard/profile`, `/dashboard/security`, `/dashboard/api_keys`\n\n* [User registration](https://www.simscale.com/signup/) and following onboarding\n* [Login](https://www.simscale.com/signin/)\n* [Password reset](https://www.simscale.com/signin/forgot-password/)\n* [Change password](https://www.simscale.com/dashboard/security) (login required)\n* [API key management](https://www.simscale.com/dashboard/api_keys/) (login required)\n\n\n#### Dashboard \n\nCentral space for project and permission management.\n\nPaths: `/dashboard/*`\n\n* [Dashboard](https://www.simscale.com/dashboard/) (login required).\n\n\n#### Workbench\n\nCovers the complete simulation workflow, including 
CAD import and editing, meshing, simulation setup and execution, and post-processing.\n\nPaths: `/workbench/*`\n\n* [Workbench](https://www.simscale.com/workbench/?pid=1765004443902609189) (login required), opens a public project in view-only mode.\n\n\n#### Public project library\n\nPaths: `/projects/*`\n\n* [Public projects](https://www.simscale.com/projects/)\n* [Detail page of a public project](https://www.simscale.com/projects/simscale/tutorial-_pipe_junction_flow/)\n\n\n#### Related API endpoints\n\nAll API endpoints used by the areas listed above.\n\nPaths: `/api/*`, `/csm/*`, `/postprocessing/*`", "impact": "Tier 2" }, { "type": "other", "endpoint": "SimScale Forum", "description": "Everything below https://www.simscale.com/forum/\n", "impact": "No Bounty" }, { "type": "other", "endpoint": "SimScale Website", "description": "Domain https://www.simscale.com and the remaining paths not listed under SimScale Platform or SimScale Forum.\n\n* [Landing page](https://www.simscale.com/)\n* [Documentation](https://www.simscale.com/docs/)\n* [Blog](https://www.simscale.com/blog/)\n", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "https://www.simscale.com/api/v1/projects/*", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "www.simscale.com/forum/users/*.json", "description": null, "impact": "Out of scope" } ] } }, { "id": "4352dcef-dfc5-4d74-8fd8-9bef5aa16f18", "name": "Skoda Auto Bug Bounty Program", "company_handle": "skodaauto", "handle": "skodaautoprivatebugbountyprogram", "url": "https://www.intigriti.com/programs/skodaauto/skodaautoprivatebugbountyprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 200, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1632202810", "description": null, "impact": "Tier 2" }, { "type": 
"android", "endpoint": "cz.skodaauto.myskoda", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "152bc833-04a4-40d2-bdaa-0b31f6161449", "name": "Social Deal", "company_handle": "socialdeal", "handle": "socialdeal", "url": "https://www.intigriti.com/programs/socialdeal/socialdeal/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 750, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "910898851", "description": "We expect submitted issues to include a screenshot of the app version. \n\n![Flow to get to version number](https://media.socialdeal.nl/img/flow-about-this-app.png)", "impact": "Tier 2" }, { "type": "android", "endpoint": "app.nl.socialdeal", "description": "We expect submitted issues to include a screenshot of the app version. \n\n![Flow to get to version number](https://media.socialdeal.nl/img/flow-about-this-app.png)", "impact": "Tier 2" }, { "type": "url", "endpoint": "http://socialdeal.nl/inspirations/bluemonday/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "http://www.whynot.com/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "https://www.socialdeal.nl/orderlist/5e834ae0bed5c/63d772e2ed277/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.socialdeal.nl", "description": "Our main website. 
\nwww.socialdeal.be and www.socialdeal.de are the same websites, with different Locale.\n", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "8f6c92dc-1300-4f11-8284-29b6ed743378", "name": "Speakap Responsible Disclosure", "company_handle": "speakap", "handle": "speakapresponsibledisclosure", "url": "https://www.intigriti.com/programs/speakap/speakapresponsibledisclosure/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.speakap.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.speakap.io", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "Any related Speakap domain", "description": null, "impact": "No Bounty" }, { "type": "ios", "endpoint": "https://apps.apple.com/nl/app/speakap/id713925262", "description": null, "impact": "No Bounty" }, { "type": "android", "endpoint": "nl.speakap.speakap", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "5ed6962a-7017-4d60-8805-e169b638528d", "name": "Sqills", "company_handle": "sqills", "handle": "sqillscorporatewebsite", "url": "https://www.intigriti.com/programs/sqills/sqillscorporatewebsite/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.sqills.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.sqills.team", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.red.sqills.team", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "booking.*.cloud.sqills.com", 
"description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "booking.*.sqills.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.sqills.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "welcome.sqills.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "5111e2de-2d04-4ec8-9f24-c0b76cbfd38e", "name": "Storebrand Responsible Disclosure", "company_handle": "spp-storebrand", "handle": "storebrand-rd", "url": "https://www.intigriti.com/programs/spp-storebrand/storebrand-rd/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.capitalbolig.dk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.aipmanagement.dk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.capitalinvestment.dk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.storebrandam.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.fr", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.de", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.ie", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.co.uk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.lu", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.nl", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.is", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.fi", 
"description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfondene.dk", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfonder.se", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfunds.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.skagenfondene.no", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.storebrandfonder.se", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.storebrandfastigheter.se", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.cubera.no", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.storebrand.no", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.kron.no", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.spp.se", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "0cff4473-e61f-47fa-b840-154a75128796", "name": "Superdrug", "company_handle": "aswatson", "handle": "superdrug", "url": "https://www.intigriti.com/programs/aswatson/superdrug/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 8500, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.superdrug.com", "description": "This is Superdrug, our online Pharmacy in the UK", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Superdrug iOS", "description": "This is our Superdrug (iOS) app.\nApp link: https://apps.apple.com/gb/app/superdrug/id1267896687", "impact": "Tier 1" }, { "type": "android", "endpoint": "Superdrug Android", "description": "This is our Superdrug (Android) app.\nApp link: 
https://play.google.com/store/apps/details?id=superdrug.com.beautycard", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.superdrug.com", "description": "This is the API server for the www.superdrug.com website\nAPI spec: https://api.superdrug.com/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.superdrug.com", "description": "This subdomain is used to store static content for the www.superdrug.com e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.superdrug.com", "description": "This is the API server of the Superdrug mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.superdrug.com", "description": "This is a marketing related application from Superdrug", "impact": null }, { "type": "url", "endpoint": "community.superdrug.com", "description": "This is the social community website from Superdrug", "impact": null }, { "type": "url", "endpoint": "ecom-data.superdrug.com", "description": "This is a marketing related application from Superdrug", "impact": null }, { "type": "url", "endpoint": "videogp-api.superdrug.com", "description": "This is the API server for the Superdrug Video GP website.", "impact": null }, { "type": "url", "endpoint": "healthclinics.superdrug.com", "description": "This is the Superdrug Healthclinics website.", "impact": null }, { "type": "url", "endpoint": "innovation.superdrug.com", "description": "This is a marketing related application from Superdrug", "impact": null }, { "type": "url", "endpoint": "onlinedoctor.superdrug.com", "description": "This is the Superdrug Online Doctor website.", "impact": null }, { "type": "url", "endpoint": "onlinepharmacy.superdrug.com", "description": "This is the Superdrug Online Pharmacy (Wordpress) website.", "impact": null }, { "type": "url", "endpoint": "videogp.superdrug.com", "description": "This website can be used by customers to set a video appointment with a GP.", "impact": null }, { "type": "url", "endpoint": 
"app.pharmacy.superdrug.com", "description": "This is the authenticated portal for customers from Superdrug Online Pharmacy website.", "impact": null }, { "type": "url", "endpoint": "appt.healthclinics.superdrug.com", "description": "This is the online booking system for Superdrug Healthclinics.", "impact": null }, { "type": "wildcard", "endpoint": "*.superdrug.com", "description": "This asset contains all other applications on this wildcard not explicitly mentioned in the scope.\nReports on these applications may be eligible for bonuses, chosen by the program team.", "impact": null }, { "type": "url", "endpoint": "www.savers.co.uk", "description": "This is Savers, our online Pharmacy in the UK", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Savers iOS", "description": "This is our Savers (iOS) app.\nApp link: https://apps.apple.com/gb/app/savers/id6451311397", "impact": "Tier 1" }, { "type": "android", "endpoint": "Savers Android", "description": "This is our Savers (Android) app.\nApp link: https://play.google.com/store/apps/details?id=uk.co.savers", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.savers.co.uk", "description": "This is the API server for the www.savers.co.uk website\nAPI spec: https://api.savers.co.uk/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.savers.co.uk", "description": "This subdomain is used to store static content for the www.savers.co.uk e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.savers.co.uk", "description": "This is the API server of the Savers mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.superdrugmobile.com", "description": "This is the Superdrug Mobile website", "impact": null }, { "type": "url", "endpoint": "campaign.savers.co.uk", "description": "This is a marketing related application from Superdrug", "impact": null }, { "type": "url", "endpoint": "ecom-data.savers.co.uk", "description": "This is a marketing related application 
from Superdrug", "impact": null }, { "type": "wildcard", "endpoint": "*.savers.co.uk", "description": "This asset contains all other applications on this wildcard not explicitly mentioned in the scope.\nReports on these applications may be eligible for bonuses, chosen by the program team.", "impact": null } ], "out_of_scope": [] } }, { "id": "82be1e9b-f9ab-45e7-82fd-9ba65be37645", "name": "Tempo-Team ", "company_handle": "randstad", "handle": "tempo-team", "url": "https://www.intigriti.com/programs/randstad/tempo-team/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.tempo-team.*", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "Any related Tempo-Team domain", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tempo-team.be", "description": "🇳🇱🇫🇷", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tempo-team.com", "description": "🇩🇪", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tempo-team.nl", "description": "🇳🇱", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.tempo-team.de", "description": null, "impact": "Out of scope" } ] } }, { "id": "025558a4-e74e-41eb-9bf6-a01dbe8e5a7a", "name": "The Coca-Cola Company Vulnerability Disclosure Program", "company_handle": "tccc", "handle": "coca-cola", "url": "https://www.intigriti.com/programs/tccc/coca-cola/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Brand Sites", "description": "Brand sites owned by The Coca-Cola Company.", "impact": "Tier 2" }, { "type": "url", "endpoint": "Corporate 
Sites", "description": "*.us.coca-cola.com\n*.coca-cola.com\n*.ko.com\n*.testko.com\n*.coca-colacompany.com\n*.coke.com\n*.cokeurl.com\n*.tccc-aem.com", "impact": "Tier 2" }, { "type": "other", "endpoint": "Hindustan Coca-Cola Beverages", "description": "Since our establishment on 14th February 1997 in Bengaluru, Karnataka, Hindustan Coca-Cola Beverages (HCCB) has been on a mission to refresh the nation. Having flourished into one of the Top 5 leading beverage companies in India, all our operations are geared towards creating nothing but the best. We specialize in manufacturing, packaging and distributing a vast range of beverages from The Coca-Cola Company portfolio nationwide. But at the same time, we are more than just a leading beverage company in India, we are a company that is profoundly about the impact we make on our people and planet. \n\n**Domains**\n*.hccb.in\n*.hccbpl.in", "impact": "Tier 2" }, { "type": "other", "endpoint": "Mobile Applications", "description": "[CokeOn iOS App](https://apps.apple.com/jp/app/coke-on/id1088184021?l=en-US)\n\n[CokeOn Android App](https://play.google.com/store/apps/details?id=com.coke.cokeon&hl=en_US&pli=1)\n\n[CokePLAY](https://cokeplay.cocacola.co.kr/main)\n\n[Coca-Cola iOS App](https://apps.apple.com/us/app/one-by-the-coca-cola-company/id1310675636)\n\n[Coca-Cola Android App](https://play.google.com/store/apps/details?id=com.cocacola.app.cee&pli=1)\n\n[Costa Coffee iOS App](https://itunes.apple.com/app/id578627826)\n\n[Costa Coffee Android App](https://play.google.com/store/apps/details?id=uk.co.club.costa.costa)\n\n[Costa Coffee Club Poland iOS App](https://itunes.apple.com/app/id1435140959)\n\n[Costa Coffee Club Poland Android App](https://play.google.com/store/apps/details?id=pl.costacoffee.club)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Publicly Facing Assets Related to The Coca-Cola Company", "description": "Researchers are welcome to submit reports on any publicly facing asset(s) attributed to The 
Coca-Cola Company.", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "other", "endpoint": "All Coke Stores", "description": "Applications or assets related to any Coke Stores.", "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.crewconnect.coca-cola.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.connect.coca-cola.com", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.ccnag.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "limonsoda.cl", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "Assets Related to China", "description": "All assets located in or related to China are out of scope and reports will not be accepted.", "impact": "Out of scope" }, { "type": "other", "endpoint": "Coke One North America (CONA)", "description": "Any application or asset owned by Coke One North America (CONA)", "impact": "Out of scope" }, { "type": "other", "endpoint": "Food and Beverage Dispensing Devices", "description": "Due to the unique nature of these devices (usually present on networks operated by 3rd parties), we do not authorize testing against them.\n\n* Coca-Cola Freestyle Machines\n* Dasani Purefill Water Dispensers\n* Intelligent Vending Machines\n* Connected Coolers", "impact": "Out of scope" } ] } }, { "id": "b1be2cd1-cb7c-4456-86f4-8e541955a51a", "name": "The Perfume Shop", "company_handle": "aswatson", "handle": "theperfumeshop", "url": "https://www.intigriti.com/programs/aswatson/theperfumeshop/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 8500, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.theperfumeshop.com", "description": "This is The Perfume Shop, our online Perfumery in the UK", "impact": "Tier 1" }, { "type": "url", 
"endpoint": "app.theperfumeshop.com", "description": "This is the API server of the The Perfume Shop mobile app in the UK", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.theperfumeshop.com", "description": "This is the API server for the www.theperfumeshop.com website\nAPI spec: https://api.theperfumeshop.com/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.theperfumeshop.com", "description": "This subdomain is used to store static content for the www.theperfumeshop.com e-commerce website", "impact": "Tier 1" }, { "type": "android", "endpoint": "The Perfume Shop Android", "description": "This is our The Perfume Shop (Android) app.\nApp link: https://play.google.com/store/apps/details?id=com.theperfumeshop.customer", "impact": "Tier 1" }, { "type": "ios", "endpoint": "The Perfume Shop iOS", "description": "This is our The Perfume Shop (iOS) app.\nApp link: https://apps.apple.com/gb/app/the-perfume-shop/id1202206665", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.theperfumeshop.com", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "campaigns.theperfumeshop.com", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "url", "endpoint": "ecom-data.theperfumeshop.com", "description": "This is a marketing related application from The Perfume Shop", "impact": null }, { "type": "wildcard", "endpoint": "*.theperfumeshop.com", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null } ], "out_of_scope": [] } }, { "id": "b1d83f6f-c8a6-4082-8a86-59aa27850d06", "name": "Toast VDP", "company_handle": "toast", "handle": "toastvdp", "url": "https://www.intigriti.com/programs/toast/toastvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { 
"value": 0, "currency": "USD" }, "max_bounty": { "value": 0, "currency": "USD" }, "targets": { "in_scope": [ { "type": "android", "endpoint": "All Toast's Android Apps", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "All Toast's iOS Apps", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.toasttab.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.xtrachef.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.getsling.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.delphidisplay.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.toasttakeout.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.phrasingpro3.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.rallyforrestaurants.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.estratex.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.toast.org", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.rallyforrestaurants.org", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.rallyforrestaurant.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.ibizdna.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.rallyforestaurants.com", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "2e52d6d3-da18-467f-836e-7a22b82bef5f", "name": "Tomorrowland", "company_handle": "tomorrowland", "handle": "tomorrowland", "url": "https://www.intigriti.com/programs/tomorrowland/tomorrowland/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { 
"value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "cas.tomorrowland.com", "description": "Bounty Boosts: This application is temporarily treated as a Tier 2 app for the duration of the spotlight period.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.weareone.world", "description": "Currently as T2, will be evaluated on individual basis.", "impact": "Tier 2" }, { "type": "url", "endpoint": "belgium.tomorrowland.com", "description": "Vulnerabilities found on either winter/brasil/belgium .tomorrowland.com will be considered duplicate.", "impact": "Tier 2" }, { "type": "url", "endpoint": "brasil.tomorrowland.com", "description": "Vulnerabilities found on either winter/brasil/belgium .tomorrowland.com will be considered duplicate.", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.tomorrowland.oneworldradio", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "globaljourney.tomorrowland.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "my.tomorrowland.com", "description": null, "impact": "Tier 2" }, { "type": "ios", "endpoint": "one-world-radio-tomorrowland/id1485778856", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "sp1y1tpaf1.execute-api.eu-west-1.amazonaws.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "tlbe.prod.tomorrowland.com", "description": "Vulnerabilities found on either TLFR/TLBR/TLBE.prod.tomorrowland.com will be considered duplicate.", "impact": "Tier 2" }, { "type": "url", "endpoint": "tlbr.prod.tomorrowland.com", "description": "Vulnerabilities found on either TLFR/TLBR/TLBE.prod.tomorrowland.com will be considered duplicate.", "impact": "Tier 2" }, { "type": "url", "endpoint": "tlfr.prod.tomorrowland.com", "description": "Vulnerabilities found on either TLFR/TLBR/TLBE.prod.tomorrowland.com will be considered duplicate.", "impact": "Tier 2" }, { "type": "url", "endpoint": 
"winter.tomorrowland.com", "description": "Vulnerabilities found on either winter/brasil/belgium .tomorrowland.com will be considered duplicate.", "impact": "Tier 2" }, { "type": "url", "endpoint": "winterpackages.tomorrowland.com", "description": "Out of Scope: bypassing payment process", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.tomorrowland.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "store.tomorrowland.com", "description": "Vulnerabilities found on either brasil-store/store .tomorrowland.com will be considered duplicate.", "impact": "Tier 3" }, { "type": "url", "endpoint": "brasil-store.tomorrowland.com", "description": "Vulnerabilities found on either brasil-store/store .tomorrowland.com will be considered duplicate.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.stag.tomorrowland.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.stag.weareone.world", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.tomorrowland.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "components.stag.tomorrowland.com", "description": "Vulnerabilities found on either components.stag.tomorrowland.com or components.tomorrowland.com will be considered duplicate.", "impact": "Tier 3" }, { "type": "url", "endpoint": "components.tomorrowland.com", "description": "Vulnerabilities found on either components.stag.tomorrowland.com or components.tomorrowland.com will be considered duplicate.", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "0d0034de-b53e-47b8-9a9d-41c302c49b5a", "name": "Torfs", "company_handle": "torfs", "handle": "torfs", "url": "https://www.intigriti.com/programs/torfs/torfs/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 6500, "currency": "EUR" }, "targets": { "in_scope": [ 
{ "type": "url", "endpoint": "winkels.torfs.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.schoenentorfs.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.schoenentorfs.nl ", "description": "🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.torfs.be", "description": "🇫🇷🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.torfs.nl", "description": "🇳🇱", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.samenfittorfs.be", "description": "🇳🇱 ", "impact": "Tier 3" }, { "type": "other", "endpoint": "Any related Torfs domain", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "efa92aaa-d683-4cf9-8834-a03cf864cc80", "name": "Trouw", "company_handle": "dpgm", "handle": "trouw", "url": "https://www.intigriti.com/programs/dpgm/trouw/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.trouw.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "shop.trouw.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "webwinkel.trouw.nl", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "www.trouw.nl", "description": "excluding\n* trouw.nl/service\n* trouw.nl/inloggen\n* trouw.nl/login\n* trouw.nl/registreren", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.trouw.nl/abonnementen", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.trouw.nl", "description": "excluding abonnement.trouw.nl", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "* trouw.nl/inloggen", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* trouw.nl/login", "description": null, "impact": "Out of scope" 
}, { "type": "wildcard", "endpoint": "* trouw.nl/registreren", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* trouw.nl/service", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "abonnement.trouw.nl", "description": null, "impact": "Out of scope" } ] } }, { "id": "ed04d1ef-1aa3-49dd-92f1-06f50f9756b9", "name": "TrueLayer", "company_handle": "truelayer", "handle": "truelayer", "url": "https://www.intigriti.com/programs/truelayer/truelayer/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 75, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api.truelayer[-sandbox].com", "description": "The majority of our API endpoints live here", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.mtls.truelayer[-sandbox].com", "description": "The same API as `api.truelayer[-sandbox].com` but with mutual TLS setup", "impact": "Tier 1" }, { "type": "url", "endpoint": "auth.truelayer[-sandbox].com", "description": "Our service for getting OAuth access tokens to access our APIs", "impact": "Tier 1" }, { "type": "url", "endpoint": "auth.mtls.truelayer[-sandbox].com", "description": "The same service as `auth.truelayer[-sandbox].com` but with mutual TLS setup", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.truelayer[-sandbox].com", "description": "Hosted Payments Page v2", "impact": "Tier 1" }, { "type": "url", "endpoint": "login-api.truelayer[-sandbox].com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "login.truelayer[-sandbox].com", "description": "Where you can connect your bank account and use Open Banking to pull data such as transactions", "impact": "Tier 1" }, { "type": "url", "endpoint": "onboarding-api.truelayer.com", "description": "Used in the developer console", "impact": "Tier 1" }, { "type": "url", 
"endpoint": "pay-api.truelayer[-sandbox].com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "pay.truelayer[-sandbox].com", "description": "Some of our older payment API endpoints live here rather than on api.truelayer.com", "impact": "Tier 1" }, { "type": "url", "endpoint": "paydirect.truelayer[-sandbox].com", "description": "Some of our older payment API endpoints live here rather than on api.truelayer.com", "impact": "Tier 1" }, { "type": "url", "endpoint": "payment.truelayer[-sandbox].com", "description": "Our hosted payments page for merchants that want us to manage the UI screens for making payments", "impact": "Tier 1" }, { "type": "url", "endpoint": "payments-experience-api.truelayer[-sandbox].com", "description": "Hosted Payments Page dependency (e.g. for handoff)", "impact": "Tier 1" }, { "type": "url", "endpoint": "user-authentication-api.truelayer[-sandbox].com", "description": "Remember Me functionality for payments. See https://truelayer.com/legal/enduser_tos/#save-my-details-remember-me", "impact": "Tier 1" }, { "type": "url", "endpoint": "users-api.truelayer.com", "description": "Internal service for managing users", "impact": "Tier 1" }, { "type": "other", "endpoint": "C# SDK", "description": "https://github.com/TrueLayer/truelayer-dotnet", "impact": "Tier 2" }, { "type": "url", "endpoint": "console-backend.truelayer[-sandbox].com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "console.truelayer[-sandbox].com", "description": "Our developer console where you can login, create applications, manage your OAuth client ID/secret, upload public keys for request signing, view transactions", "impact": "Tier 2" }, { "type": "url", "endpoint": "sftp.reports.truelayer.com", "description": "SFTP reporting functionality in the Console. 
See https://docs.truelayer.com/docs/sftp-in-console", "impact": "Tier 2" }, { "type": "other", "endpoint": "Java SDK", "description": "https://github.com/TrueLayer/truelayer-java", "impact": "Tier 2" }, { "type": "other", "endpoint": "PHP SDK", "description": "https://github.com/TrueLayer/truelayer-php", "impact": "Tier 2" }, { "type": "other", "endpoint": "TrueLayer for Magento (Magento plugin)", "description": "https://github.com/TrueLayer/magento2", "impact": "Tier 2" }, { "type": "other", "endpoint": "TrueLayer for WooCommerce (WordPress plugin)", "description": "https://wordpress.org/plugins/truelayer-for-woocommerce/ is our WordPress plugin allowing you to use TrueLayer as a checkout option in your WooCommerce store. The source code is also [available on GitHub](https://github.com/TrueLayer/truelayer-woocommerce).", "impact": "Tier 2" }, { "type": "url", "endpoint": "shopify-admin.truelayer.com", "description": "Shopify Plugin backend admin page. See https://docs.truelayer.com/docs/shopify", "impact": "Tier 2" }, { "type": "url", "endpoint": "shop-pay-app-api.truelayer.com", "description": "Shopify Plugin backend API. See https://docs.truelayer.com/docs/shopify", "impact": "Tier 2" }, { "type": "other", "endpoint": "truelayer-signing", "description": "https://github.com/TrueLayer/truelayer-signing is our open source library for generating signed requests for calling TrueLayer APIs. 
Many languages are supported including Rust, C#, NodeJS, Go, Java and PHP.", "impact": "Tier 2" }, { "type": "url", "endpoint": "webhooks.truelayer[-sandbox].com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.truelayer.cloud", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.truelayer.com", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.truelayer.io", "description": null, "impact": "Tier 3" }, { "type": "other", "endpoint": "iOS SDK", "description": "https://github.com/TrueLayer/TrueLayer-iOS-SDK", "impact": "Tier 3" }, { "type": "other", "endpoint": "React Native SDK", "description": "https://github.com/TrueLayer/truelayer-react-native-sdk", "impact": "Tier 3" }, { "type": "other", "endpoint": "Web SDK", "description": "https://www.npmjs.com/package/truelayer-web-sdk\n\nA lightweight web SDK for integrating Truelayer's payment services into your web application.", "impact": "Tier 3" }, { "type": "other", "endpoint": "Rust SDK", "description": "https://github.com/TrueLayer/truelayer-rust\n\nCurrently we are not paying bounties for this asset as it's still in alpha.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "trust.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "banks.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "docs.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "docs.houston.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://truelayer.com/contact/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "index.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": 
"info.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "signin.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "support.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "status.truelayer.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "truelayer.zendesk.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "724ad196-90de-4ba8-bf21-dc114ab7fce4", "name": "Trusted Firmware", "company_handle": "arm", "handle": "trustedfirmware", "url": "https://www.intigriti.com/programs/arm/trustedfirmware/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 1000, "currency": "USD" }, "max_bounty": { "value": 20000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "OP-TEE", "description": "OP-TEE is a Trusted Execution Environment (TEE) designed as a companion to a non-secure Linux kernel running on Arm Cortex-A cores using the TrustZone technology.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Mbed TLS & TF-PSA-Crypto", "description": "Mbed TLS is a C library that implements X.509 certificate manipulation and the TLS and DTLS protocols. Its small code footprint makes it suitable for embedded systems. Mbed TLS includes the TF-PSA-Crypto repository that provides an implementation of the PSA Cryptography API.", "impact": "Tier 2" }, { "type": "other", "endpoint": "TrustedFirmware-A (TF-A)", "description": "The Trusted Firmware-A project provides a reference implementation of secure world software for Armv8-A and Armv9-A class processors.", "impact": "Tier 2" }, { "type": "other", "endpoint": "TrustedFirmware-M (TF-M)", "description": "Trusted Firmware-M (TF-M) implements the Secure Processing Environment (SPE) for Armv8-M, Armv8.1-M architectures (e.g. 
the Cortex-M33, Cortex-M23, Cortex-M55, Cortex-M85 processors) or dual-core platforms. It is the platform security architecture reference implementation aligning with PSA Certified guidelines, enabling chips, Real Time Operating Systems and devices to become PSA Certified.", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "51bde6cd-ee7e-4236-98f0-60166bea28e3", "name": "Twago", "company_handle": "randstad", "handle": "twago", "url": "https://www.intigriti.com/programs/randstad/twago/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.itprojects.talent-community.com", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "e6386eb8-ce59-43b5-98b6-f1590cafdceb", "name": "Tweakers", "company_handle": "dpgm", "handle": "tweakers", "url": "https://www.intigriti.com/programs/dpgm/tweakers/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.tweakblogs.net", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.tweakers.net", "description": "Out of scope: elect.tweakers.net", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.tweakimg.net", "description": null, "impact": "Tier 2" } ], "out_of_scope": [ { "type": "url", "endpoint": "elect.tweakers.net", "description": null, "impact": "Out of scope" } ] } }, { "id": "2cf03670-6a2d-4ac7-8b1e-2e0d84338204", "name": "UZ Leuven", "company_handle": "uz leuven", "handle": "uzleuven", "url": "https://www.intigriti.com/programs/uz%20leuven/uzleuven/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, 
"twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "autodiscover.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "ecrf.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "extranet-asa.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "extranet.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "liquidfiles.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "mx1.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "mx2.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "pcrstudioruzb.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "prddsplunkhf.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "sts.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "www.uzleuven.be", "description": null, "impact": "Tier 1" }, { "type": "iprange", "endpoint": "193.58.149.121,193.58.149.98,193.58.149.82,193.58.149.101,193.58.149.107,193.58.149.108,193.58.149.111", "description": "These are the IP addresses used by our reverse proxy.\nThe Host header will determine the bounty tier.\nIf a report is submitted where the Host header is not used, we will default to Tier 2.", "impact": "Tier 2" }, { "type": "url", "endpoint": "wp5-truststroke.uzleuven.be", "description": "* access to /api/ should only work from BE or NL IP addresses\n* access to other paths or / should not work", "impact": "Tier 2" }, { "type": "url", "endpoint": "cardsonline.azdiest.be", "description": "This webapp should return an HTTP 403 error due to IP whitelisting.", "impact": "Tier 2" }, { "type": "url", "endpoint": "liquidfilestest.uzleuven.be", 
"description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "random.uzleuven.be/random/", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "teststs.uzleuven.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "w1.uzleuven.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "cardsonlinetst.azdiest.be", "description": "This webapp should return an HTTP 403 error due to IP whitelisting.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.kwsdose.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.playuzleuven.be", "description": null, "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.uzleuven.*", "description": "#### *.uzleuven.be (Tier 3) only applies to assets that are not listed elsewhere in the scope.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.contactallerg(y|ie).uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.mir.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*dev.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*idp*.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*stag*.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "files.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "kumulus.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "mijnacc.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "mirc.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "prddnighting01.uzleuven.be", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "w1.uzleuven.be/random", "description": null, "impact": "No Bounty" }, { "type": "url", 
"endpoint": "ziekenhuisschool.be", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "preview.redcap.gbiomed.kuleuven.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "jobs.uzleuven.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "uzleuven.atlassian.net", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "vacatures.uzleuven.be", "description": null, "impact": "Out of scope" } ] } }, { "id": "eb340a46-b5b8-4165-b8d8-bc032493e8a6", "name": "Ubisoft Responsible Disclosure Program", "company_handle": "ubisoft", "handle": "ubisoftvdp", "url": "https://www.intigriti.com/programs/ubisoft/ubisoftvdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "Game Titles", "description": "**Active in-scope Game Titles** - *last updated 08/12/25*\n\nPlatforms: all officially supported platforms and distribution channels for each title (e.g., PC, PlayStation, Xbox, Switch, iOS, Android, cloud services, and web-based games playable in a web browser).\n\n* R6 Siege\n* TCTD2\n* For Honor\n* Skull & Bones\n* The Crew: Motorfest\n* Just Dance\n* Watch Dogs Legion\n* Laser\n* Genesis\n* GR: Wildlands\n* AC: Shadows\n* Hungry Shark World\n* Hungry Shark Evolution\n* Invincible\n* Howrse\n* Brawlhalla\n* R6Mobile\n* M&M Era of Chaos\n* JD:Now\n* AC Mirage\n* AC Shadows\n* POP Lost Crown", "impact": "Tier 2" }, { "type": "other", "endpoint": "First-party Ubisoft Web, Desktop and Mobile applications", "description": "* Public-facing web applications and APIs owned and operated by Ubisoft (e.g., *.ubisoft.com, *.ubi.com, *.ubisoftconnect.com).\n* Official desktop applications (e.g., Ubisoft Connect and similar Ubisoft-owned client software) 
and official mobile applications (iOS/Android). Mobile applications that provide corporate services, account management, companion functionality, or other non‑game features are in scope; mobile games are excluded (see Game‑specific exclusions).\n* Corporate/online services and infrastructure exposed to the internet where Ubisoft is the owner/operator (e.g., partner/employee portals, admin panels, CDNs, storage endpoints).", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "other", "endpoint": "The Settlers Online game", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "forums.ubisoft.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "ivalua.ubisoft.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "suppliers-ivalua.ubisoft.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "a5158346-5add-4916-bd31-d8a5fe1e805f", "name": "Universitätsspital Zürich VDP", "company_handle": "universitatsspitalzurich", "handle": "usz-vdp", "url": "https://www.intigriti.com/programs/universitatsspitalzurich/usz-vdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.unispital.ch ", "description": "Forwards to usz.ch.", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.usz.ch ", "description": "This is our main website.\nYou are welcome to check it all around for security issues.", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "28e0de63-e932-43cf-8a23-5ea24dabd48f", "name": "Uphold", "company_handle": "Uphold", "handle": "upholdcom", "url": "https://www.intigriti.com/programs/Uphold/upholdcom/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, 
"currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1101145849", "description": "The Uphold Wallet iOS Application is the primary mobile platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the app.\n\nThis is currently installable on Jailbroken devices, please read the out-of-scope findings.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "6444005221", "description": "The UpHODL Wallet App is a self-custodial, multichain wallet developed by Uphold Labs, allowing users to securely store, manage, and transact digital assets while maintaining full control over their private keys. The wallet supports Bitcoin (BTC), Ethereum (ETH), XRP, ERC-20 tokens, NFTs, and other blockchain networks, offering seamless DeFi access via WalletConnect and the ability to purchase cryptocurrencies directly using a card.\n\nThis is currently installable on Jailbroken devices, but we don't allow the user to proceed with creating a wallet. Please read the out-of-scope findings.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api-sandbox.uphold.com", "description": "The Uphold Wallet REST API (https://api.uphold.com) offers developers comprehensive access to Uphold’s financial platform, enabling the creation of innovative services. This API allows for operations such as retrieving account details, managing user accounts, initiating transactions, accessing transaction history, and obtaining real-time market data. 
By integrating with this API, developers can seamlessly incorporate Uphold’s multi-asset trading and digital wallet functionalities into their applications.\n\nMore information available [here](https://docs.uphold.com).\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production; if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support their assessment.\n\n", "impact": "Tier 1" }, { "type": "url", "endpoint": "api-sandbox.uphold.com/graphql", "description": "The Uphold Wallet GraphQL API (https://api-sandbox.uphold.com/graphql) serves as the API gateway for Uphold’s wallet UIs, facilitating seamless interactions between the front-end interfaces and multiple back-end microservices. Unlike the REST API, which is designed for user automation and third-party integrations, the GraphQL API is primarily responsible for enabling the wallet’s web and mobile applications to fetch and interact with user data, transactions, and account-related functionalities.\n\nMore information available [here](https://docs.uphold.com).\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production; if it cannot be replicated, the report will not be considered. 
In such cases, the team will provide evidence to support their assessment.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.portal.enterprise.uphold.com ", "description": "The Uphold Enterprise API (https://api.portal.enterprise.uphold.com/) is the backend service supporting the Uphold Enterprise Portal (portal.enterprise.uphold.com), enabling enterprise clients to manage their wallets, user delegations, and integrations with Topper widgets. This API facilitates secure enterprise-level account management, transaction processing, and access control. Security testing should focus on authentication mechanisms, authorization flows, data integrity, and potential vulnerabilities that could impact enterprise account security and operations.\n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.uphold.labs.uphodl.android", "description": "The UpHODL Wallet App is a self-custodial, multichain wallet developed by Uphold Labs, allowing users to securely store, manage, and transact digital assets while maintaining full control over their private keys. The wallet supports Bitcoin (BTC), Ethereum (ETH), XRP, ERC-20 tokens, NFTs, and other blockchain networks, offering seamless DeFi access via WalletConnect and the ability to purchase cryptocurrencies directly using a card.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.uphold.wallet", "description": "The Uphold Wallet Android Application is the primary mobile platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. 
Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the app.", "impact": "Tier 1" }, { "type": "url", "endpoint": "portal.enterprise.uphold.com", "description": "The Uphold Enterprise Portal (https://portal.enterprise.uphold.com) is a secure platform for Uphold’s enterprise clients, providing tools to manage enterprise wallets, delegate user roles and permissions, and integrate with Topper widgets. This portal enables businesses to oversee digital asset operations, facilitate transactions, and enforce access control within their organization. Key features include multi-user account management, real-time transaction monitoring, and compliance support, allowing enterprises to securely manage financial operations.\n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 1" }, { "type": "url", "endpoint": "wallet-sandbox.uphold.com", "description": "The Uphold Wallet Web Application (https://wallet.uphold.com) is the primary UI platform for Uphold users to manage their wallets, providing a full suite of financial services, including account management, real-time price quotes, transactions, and access to account history. Users can deposit, withdraw, exchange assets, and complete KYC verification directly through the application. Fund with Crypto Testnet Faucet (e.g. https://coinfaucet.eu/en/btc-testnet/ for Bitcoin)\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. 
In such cases, the team will provide evidence to support the assessment.\n", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.sandbox.topperpay.com", "description": "The Topper REST API (https://api.topperpay.com) provides a pre-widget integration layer, allowing clients to retrieve essential information before initializing a Topper widget. This API enables businesses to fetch supported countries, assets, and payment methods, as well as generate pricing simulations for specific transaction flows. By leveraging this API, clients can display relevant information to users before engaging with the Topper on-ramp or off-ramp services.\n\nMore information available [here](https://api.topperpay.com/docs/static/index.html).\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.", "impact": "Tier 2" }, { "type": "url", "endpoint": "app.sandbox.topperpay.com", "description": "The Topper Widget (https://app.topperpay.com) is a live, embeddable component designed for seamless integration into client platforms, enabling end-users to perform cryptocurrency on-ramp and off-ramp transactions. This widget facilitates the conversion between fiat and digital assets directly within the client’s interface, providing a streamlined user experience.\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. 
The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.", "impact": "Tier 2" }, { "type": "url", "endpoint": "graphql.sandbox.topperpay.com/graphql", "description": "The Topper GraphQL API (https://graphql.topperpay.com/graphql) serves as the API gateway for app.topperpay.com and all client-integrated Topper widgets, facilitating seamless interaction between external applications and Topper’s internal services. This API routes requests to multiple microservices handling user management, KYC verification, transaction processing, and other core functionalities.\n\nMore information available [here](https://docs.topperpay.com/intro).\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.", "impact": "Tier 2" }, { "type": "url", "endpoint": "uatcms.optimuscards.com", "description": "Optimus Cards Management Portal (https://uatcms.optimuscards.com) serves as the User Acceptance Testing (UAT) environment for Optimus Cards’ internal management system. This portal is designed for internal use by authorized personnel to manage and oversee various card services and operations. 
While it mirrors the functionalities of the production environment (https://cms.optimuscards.com), the UAT portal is intended for testing and validation purposes prior to deploying updates to the live system.\n\nBoth the UAT and production portals may be powered by similar back-end services; however, security assessments should focus exclusively on the UAT environment (https://uatcms.optimuscards.com). This approach allows for the identification of potential vulnerabilities without impacting live operations. \n\nSecurity testing should concentrate on identifying vulnerabilities related to authentication mechanisms, access controls, data handling, and potential misconfigurations within the UAT environment. \n\nPlease note that service degradation attacks are not permitted.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.optimuscards.com", "description": "The wildcard domain *.optimuscards.com includes all subdomains under optimuscards.com, covering various services related to Optimus Cards’ white-label debit and credit card solutions, Banking as a Service (BaaS), and Cards as a Service (CaaS) for financial institutions and corporate clients. These subdomains may encompass customer account management platforms, API access for partners, administrative portals, and other operational services. Given the financial nature of these services, security testing should focus on identifying vulnerabilities that could impact user data, transactions, or system integrity.\n\nWe are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance. ", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.topperpay.com", "description": "The wildcard domain *.topperpay.com covers any **unlisted** subdomains related to Topper, an Uphold brand that provides on-ramp and off-ramp solutions for digital assets, enabling users to seamlessly convert between fiat and cryptocurrency. 
Security testing should focus on identifying vulnerabilities that could impact user security, transaction integrity, or authentication mechanisms.\n\nWhile we have already listed some subdomains in scope, this wildcard serves to cover any additional subdomains that may be discovered. We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance. ", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.uphodl.com", "description": "The wildcard domain *.uphodl.com covers all subdomains related to UpHODL, Uphold Labs’ self-custodial multichain crypto wallet, which enables users to securely manage their digital assets. Security testing should focus on identifying vulnerabilities that could impact user security, transaction integrity, or authentication mechanisms.\n\nWhile we have already listed some subdomains in scope, this wildcard serves to cover any additional subdomains that may be discovered. We are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance. ", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.uphold.com", "description": "The wildcard domain *.uphold.com covers any **unlisted** or **undisclosed** subdomains related to Uphold’s financial platform, which provides multi-asset trading, digital wallets, and financial services. While most core assets are explicitly listed in scope, this wildcard serves to cover any additional subdomains that may be discovered. 
Security testing should focus on identifying vulnerabilities that could impact authentication, transaction integrity, or overall platform security.\n\nWe are willing to give bonuses for any impactful issues found across the rest of our domain, provided we agree on their severity and relevance.", "impact": "Tier 3" }, { "type": "url", "endpoint": "docs.api.enterprise.uphold.com", "description": "The Uphold Enterprise API Documentation (https://docs.api.enterprise.uphold.com) provides technical resources for Uphold-as-a-Service, a fully licensed white-label solution that enables financial institutions and business partners to integrate and deploy their own branded digital asset services. This platform offers comprehensive API functionality for managing transactions, compliance, user accounts, and asset trading, while ensuring regulatory compliance and security.\n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 3" }, { "type": "url", "endpoint": "docs.optimuscards.com", "description": "Optimus Cards Developer Documentation (https://docs.optimuscards.com) serves as the primary resource for developers integrating with Optimus Cards’ services. This site provides comprehensive API documentation, integration guides, and technical references necessary for implementing Optimus Cards’ payment solutions into applications. 
While the documentation itself does not process transactions, it acts as a crucial gateway for developers to access sandbox environments, test APIs, and understand the functionalities offered by Optimus Cards.\n\nEach API endpoint and service described in the documentation may be powered by different back-end systems, implying that security assessments should consider varying architectures, data sources, and authentication mechanisms.\n\nSecurity testing should focus on identifying vulnerabilities related to API endpoint security, data exposure, and potential misconfigurations. \n\nPlease note that service degradation attacks are not permitted.", "impact": "Tier 3" }, { "type": "url", "endpoint": "docs.topperpay.com", "description": "The Topper Developer Documentation (https://docs.topperpay.com) provides technical guidance for business customers looking to integrate with Topper, a service that facilitates cryptocurrency purchases and payments. It outlines the onboarding process, API authentication, transaction workflows, and integration requirements for businesses leveraging Topper’s platform. This documentation is intended to assist companies in securely and efficiently embedding Topper’s services into their products. \n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 3" }, { "type": "url", "endpoint": "docs.uphold.com", "description": "The Uphold API Documentation (https://docs.uphold.com) serves as the official resource for developers integrating with the Uphold Platform. It provides detailed guidance on API authentication, endpoints, request/response structures, and best practices for interacting with Uphold’s financial services. The documentation covers topics such as account management, transactions, currency conversion, and security protocols. 
Bug bounty participants can review the documentation for misconfigurations, security flaws, or exposed sensitive information that could impact the integrity of the Uphold API ecosystem.\n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "github.com/uphold/*", "description": "The wildcard scope github.com/uphold/* covers any public repositories made available by Uphold on GitHub. These repositories may include SDKs, developer tools, open-source projects, documentation, and other publicly accessible codebases that support Uphold’s ecosystem.\n\nSecurity testing should focus on identifying misconfigurations, exposed sensitive information, or vulnerabilities that could impact Uphold’s security posture.\n\nWe are willing to give bonuses for any impactful issues found across our repositories, provided we agree on their severity and relevance. Please note that third-party dependencies are out of scope unless the issue is caused by a misconfiguration or security oversight by Uphold.", "impact": "Tier 3" }, { "type": "url", "endpoint": "status.uphold.com", "description": "The Uphold Status Page (https://status.uphold.com/) provides real-time and historical data on the operational status of Uphold’s services, including the Mobile Wallet, Web Wallet, API, and more. It offers transparency regarding system performance, uptime statistics, and incident history, allowing users to monitor the health of Uphold’s platform. \n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 3" }, { "type": "url", "endpoint": "support-sandbox.uphold.com", "description": "The Uphold Help Center is a comprehensive support platform designed to assist users with various aspects of their Uphold experience. 
It offers self-service options for tasks such as resetting passwords, managing two-factor authentication, and downloading transaction histories. The Help Center also provides detailed articles covering account setup, management, deposits, withdrawals, trading features, and security measures. Users can access guidance on updating account information, linking payment methods, understanding fees and limits, and ensuring account security. Additionally, the platform includes resources for reporting suspicious activities and accessing tax-related information. For personalized assistance, users can contact the support team directly through the Help Center.\n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. In such cases, the team will provide evidence to support the assessment.", "impact": "Tier 3" }, { "type": "url", "endpoint": "support-staging.topperpay.com", "description": "The Topper Support Website (https://support-staging.topperpay.com) serves as the informational and support platform for Topper, providing guidance on account management, verification processes, transaction tracking, and partnership opportunities. Users can access resources to understand Topper’s on-ramp and off-ramp functionalities and submit support requests if needed. \n\nThis is a sandbox environment designed to closely mimic the production environment, allowing for more extensive testing. However, for a reported issue to be considered valid, it must be reproducible in the production environment. The Uphold security team will verify and confirm the issue in production, and if it cannot be replicated, the report will not be considered. 
In such cases, the team will provide evidence to support the assessment.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.optimuscards.com", "description": "Optimus Cards Website (https://www.optimuscards.com) serves as the main informational platform for Optimus Cards, providing an overview of its card issuing and payment solutions. The website primarily offers details on the company’s services, regulatory compliance, and contact information. While it does not facilitate financial transactions or serve as a gateway to customer platforms, it functions as a static informational site for prospective clients and partners.\n\nThe website operates as a standalone informational resource without direct integrations to financial systems or user authentication mechanisms. Security assessments should focus on identifying vulnerabilities related to content integrity, redirections, and potential misconfigurations.\n\nPlease note that service degradation attacks are not permitted.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.topperpay.com", "description": "The Topper Production Website (https://www.topperpay.com) serves as the informational platform for Topper, an Uphold brand that provides on-ramp and off-ramp solutions for digital assets. The website explains how users can seamlessly convert fiat to crypto (on-ramp) and crypto to fiat (off-ramp) while integrating with various self-custodial wallets. It does not facilitate transactions directly but redirects users to app.topperpay.com for asset exchanges.\n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.uphodl.com", "description": "The UpHODL Production Website (https://www.uphodl.com) serves as the institutional website for UpHODL, Uphold Labs’ self-custodial crypto wallet. 
It provides information about the wallet’s features, supported assets, security model, and integration with decentralized finance (DeFi) platforms. The site is designed for informational and marketing purposes, guiding users on how to download, set up, and use the UpHODL wallet. \n\nThis is a production environment—please review the program policy to avoid denial of service and other types of unavailability during security testing.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.uphold.com", "description": "The Uphold Website (https://www.uphold.com) serves as the company’s main informational platform, providing an overview of Uphold’s services, institutional offerings, and financial transparency. It includes key sections such as the Transparency Page (real-time reserves data), Institutional and Enterprise offerings, Market Prices, Blog, and Academy, along with general company updates. While the website itself does not provide transactional functionalities, it acts as a gateway to Uphold’s wallet, trading platform, and other financial services.\n\nTechnical Note: Each menu category (Individuals, Enterprise, Institutional, Market Prices, Blog, Academy, Transparency) may be powered by different back-end services, meaning security assessments should consider the possibility of varying architectures, data sources, and API implementations.\n\nSecurity testing should focus on identifying vulnerabilities related to content integrity, redirections, and potential misconfigurations. Please note that service degradation attacks are not permitted.", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "url", "endpoint": "api.topperpay.com", "description": "Topper API (https://api.topperpay.com) serves as the production API for processing transactions and account-related operations. 
As this is an actively used environment, it is out of scope for security testing.\n", "impact": "Out of scope" }, { "type": "url", "endpoint": "api.uphold.com", "description": "Uphold API (https://api.uphold.com) serves as the production API endpoint for Uphold’s platform, facilitating financial transactions, account management, and other core functionalities. As this is an actively used environment, it is out of scope for security testing.", "impact": "Out of scope" }, { "type": "url", "endpoint": "api.uphold.com/graphql", "description": "Uphold GraphQL API (https://api.uphold.com/graphql) is the production GraphQL endpoint supporting data retrieval and transactional interactions within the Uphold ecosystem. As this is an actively used environment, it is out of scope for security testing.", "impact": "Out of scope" }, { "type": "url", "endpoint": "app.topperpay.com", "description": "Topper App (https://app.topperpay.com) is the production web application for users to manage their Topper accounts and perform financial operations. As this is an actively used environment, it is out of scope for security testing.\n", "impact": "Out of scope" }, { "type": "url", "endpoint": "cms.optimuscards.com", "description": "Optimus Cards Management Portal (https://cms.optimuscards.com) serves as the production version of the internal management system used for overseeing various card services and operations. As this is an actively used environment, it is out of scope for security testing.\n\nPlease note that security testing against the production system (https://cms.optimuscards.com) is strictly prohibited, and service degradation attacks are not permitted.", "impact": "Out of scope" }, { "type": "url", "endpoint": "graphql.topperpay.com/graphql", "description": "Topper GraphQL API (https://graphql.topperpay.com/graphql) serves as the production GraphQL endpoint for data retrieval and financial interactions within the Topper platform. 
As this is an actively used environment, it is out of scope for security testing.", "impact": "Out of scope" }, { "type": "url", "endpoint": "support.topperpay.com", "description": "Topper Support (https://support.topperpay.com) provides customer support and documentation for Topper users. As this is an actively used environment, it is out of scope for security testing.", "impact": "Out of scope" }, { "type": "url", "endpoint": "support.uphold.com", "description": "Uphold Support (https://support.uphold.com) provides customer support and knowledge base resources for Uphold users. As this is an actively used environment, it is out of scope for security testing.\n", "impact": "Out of scope" }, { "type": "url", "endpoint": "wallet.uphold.com", "description": "Uphold Wallet (https://wallet.uphold.com) serves as the production interface for users to access their Uphold accounts, manage assets, and perform transactions. As this is an actively used environment, it is out of scope for security testing.\n", "impact": "Out of scope" } ] } }, { "id": "0083c917-80ac-4943-90b7-ee60dc1bdb17", "name": "VDP", "company_handle": "showpad", "handle": "vdp", "url": "https://www.intigriti.com/programs/showpad/vdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.showpad.com", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "3219ed72-e563-458d-aafd-9ce8ca4e3087", "name": "VRT", "company_handle": "vrtnv", "handle": "vrtnv", "url": "https://www.intigriti.com/programs/vrtnv/vrtnv/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", 
"endpoint": "API's", "description": "* vrt.be/vrtnu-api/graphql/v1\n* vrt.be/vrtnu-api/graphql/public/v1\n* api.vrt.radio\n* vrtnws-api.vrt.be\n* api.sporza.be", "impact": "Tier 2" }, { "type": "url", "endpoint": "cds.vrt.radio", "description": "The cds domain for VRT radio sites.\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Mobile Applications", "description": "[VRT MAX iOS App](https://apps.apple.com/us/app/vrt-max/id1337574835)\n[VRT MAX Android App](https://play.google.com/store/apps/details?id=be.vrt.vrtnu)\n[VRT NWS iOS App](https://apps.apple.com/us/app/vrt-nws/id952769219)\n[VRT NWS Android App](https://play.google.com/store/apps/details?id=be.vrt.mobile.android.deredactie)\n[Sporza iOS App](https://apps.apple.com/us/app/sporza/id878339906)\n[Sporza Android App](https://play.google.com/store/apps/details?id=com.fwc2014.vrt.and)\n[Ketnet Junior iOS App](https://apps.apple.com/us/app/ketnet-junior/id1001982587)\n[Ketnet Junior Android App](https://play.google.com/store/apps/details?id=be.vrt.ketnet.ketnetjr)", "impact": "Tier 2" }, { "type": "url", "endpoint": "player.vrt.be", "description": "Mediaplayer implementation.", "impact": "Tier 2" }, { "type": "url", "endpoint": "profiel.vrt.be", "description": "VRT-profile with Single Sign On implementation", "impact": "Tier 2" }, { "type": "url", "endpoint": "sporza.be", "description": "Sporza is the brand name for all VRT sports broadcasts on radio, television, internet and multimedia.", "impact": "Tier 2" }, { "type": "url", "endpoint": "vrt.be/vrtmax", "description": "VRT's online video platform. It allows its users to (re-)watch television programs of its brands één, Canvas and Ketnet on the internet. \n\nTo be able to fully use VRT MAX, you have to register for a VRT profile. Using all of VRT MAX's content is only possible for users with a Belgian residential address. 
Without the login, you can still watch the live channels.", "impact": "Tier 2" }, { "type": "url", "endpoint": "vrt.be/vrtnws", "description": "\nVRT NWS is the news brand of VRT. Informing the Flemish citizen is an essential part of it's job.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Brand Sites", "description": "All brand sites owned by VRT.\n\nThe main site www.vrt.be and www.vrt.be/* is also \"No bounty\" (except paths in the \"in scope\" section)", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "innovatie.vrt.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "shop.*.be", "description": null, "impact": "Out of scope" } ] } }, { "id": "981f8ca2-8ddd-48e8-b710-b6a00fba35cc", "name": "VTM GO", "company_handle": "dpgm", "handle": "vtmgo", "url": "https://www.intigriti.com/programs/dpgm/vtmgo/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 25, "currency": "EUR" }, "max_bounty": { "value": 2200, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "myaccount.vtm.be", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "vtm.be/vtmgo", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "vtmgo.be", "description": "excluding\n* vtmgo.be/service\n* vtmgo.be/inloggen\n* vtmgo.be/login\n* vtmgo.be/registreren", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.vtm.be", "description": "Out of scope: shop.vtm.be", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.vtmgo.be", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "* vtmgo.be/inloggen", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* vtmgo.be/login", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "* vtmgo.be/registreren", "description": null, "impact": 
"Out of scope" }, { "type": "wildcard", "endpoint": "* vtmgo.be/service", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "shop.vtm.be", "description": null, "impact": "Out of scope" } ] } }, { "id": "c5a9bbd6-2139-4ec9-bdcc-8e2a5082fd7e", "name": "Venly", "company_handle": "arkane", "handle": "arkanenetwork", "url": "https://www.intigriti.com/programs/arkane/arkanenetwork/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "api-wallet.venly.io", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api.arkane.network", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "connect.arkane.network ", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "connect.venly.io", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login.arkane.network", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "login.venly.io", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "wallet.venly.io", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "api-wallet-sandbox.venly.io", "description": null, "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "acb142c1-ffeb-41c3-a9e7-1624054f42e4", "name": "Veriff Bug Bounty", "company_handle": "veriff", "handle": "veriffbugbounty", "url": "https://www.intigriti.com/programs/veriff/veriffbugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 5, "currency": "EUR" }, "max_bounty": { "value": 6000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1467907532", "description": "An iOS application for demoing our product.", "impact": "Tier 1" }, 
{ "type": "url", "endpoint": "alchemy.veriff.com", "description": "This is an end user (internal) API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.flamingo-eu.veriff.com", "description": "This is a public API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.us.veriff.me", "description": "This is a public API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.veriff.me", "description": "This is a public API endpoint.", "impact": "Tier 1" }, { "type": "android", "endpoint": "com.veriff.demo", "description": "An Android application for demoing our product.", "impact": "Tier 1" }, { "type": "url", "endpoint": "louvre.veriff.me", "description": "This is an end user (internal) API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "magic.veriff.me", "description": "This is an end user (internal) API endpoint.", "impact": "Tier 1" }, { "type": "url", "endpoint": "station.veriff.com", "description": "Here you can find our Veriff Station application.", "impact": "Tier 1" }, { "type": "url", "endpoint": "stationapi.veriff.com", "description": "This is the backend for our Station application.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.veriff.com", "description": "Please note that third party services are out of scope unless the issue is caused due to a misconfiguration by Veriff.", "impact": "Tier 3" }, { "type": "url", "endpoint": "developers.veriff.me", "description": "You can find our developers documentation here.", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.veriff.com", "description": "This is our marketing website.", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "url", "endpoint": "https://station.veriff.com/config/", "description": "Configuration includes public keys what are needed for frontend working properly.", "impact": "Out of scope" } ] } }, { "id": "0f95dabb-d299-4574-befc-bb96a3bafb42", "name": "Visma", "company_handle": "visma", "handle": "visma", 
"url": "https://www.intigriti.com/programs/visma/visma/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 7500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "564141518", "description": "**Visma Scanner**\nVisma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.\nThe iOS version of the app can be found here:\nhttps://apps.apple.com/us/app/visma-scanner/id564141518\nPlease read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-iMXxOpXkhOlTBUQtXfyA-getting-started.pdf\n**Please note that the training code has changed!** It is now: wr0d4 , also make sure to select the same Program/Service options as the Getting Started document has. \n\n**Out of scope:**\n* Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc)\n* Private screen exposure in the app\n* Stack traces from api calls\n* Jailbroken devices is out of scope\n* All options for login are out of scope, except eAccounting (please see details in the \"Getting Started instructions document\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "accountsettings.connect.identity.stagaws.visma.com", "description": "**Connect**\nSee instructions for domain \"connect.identity.stagaws.visma.com\".\n\n**Out of scope:**\n* Session invalidation after enabling 2FA - by design intended to work like this\n* Any other out of scopes on 'connect.identity.stagaws.visma.com'", "impact": "Tier 2" }, { "type": "url", "endpoint": "admin.stage.vismaonline.com", "description": "**Visma Online**\nThis is the old interface for the customer's administrators to administrate the company, where we still have some functionality that has not been moved to the new interface. 
For example, invoicing information and everything regarding collaborations with an Accounting Office (AO). The collaboration part is out of scope as long as it involves the use of student companies.
AutoInvoice handles both Business to Business (B2B) and Business to Consumer (B2C) invoices.\n\nUses partially the embeddable user interface from autointerface-embeddable-stage.maventa.com\n\nCreate a test account on https://ai-testing.maventa.com/registrations, or use one of the demo accounts in the getting started instructions below:\nhttps://vismabugbountyprod.z16.web.core.windows.net/VismaAutoinvoice-tHNjPCTbrmGiPY5y0xr8-getting-started.pdf\n\n**Out of scope or works as expected (accepted risk):**\n\n* adding users to your own company without consent\n* language change CSRF\n* application level DOS from /gdpr endpoint\n* duplicate BID/organization number check on registration can be circumvented by race condition (e.g. open two accounts with same BID/org number at same time)\n* IDOR to delete Invoice ID's belonging to different companies by using GDPR removal form (background job checks the right to delete invoices)\n* Hyperlink Injection via emails while adding users to your company\n* User Enumeration via Timing Discrepancy while registering new users\n* Logout CSRF\n* Customer service/chatbot (these are a 3rd party service)\n\nNote! ai-testing.maventa.com and testing.maventa.com point to the same application but have different branding on the UI. Authentication to the user interface is handled using the Visma Connect service.", "impact": "Tier 2" }, { "type": "url", "endpoint": "aiassistant.stage.vismaonline.com", "description": "**AI Assistant**\n\nThe AI Assistant is a AI bot that answers support questions based on public product documentation for Visma Spcs products like Visma eAccounting and Visma Advisor.\n\nYou need to register an user to test this system. 
The sign-up process is described in this document:
logout, password change, email change, role change, user deletion, etc).\n* Getting access to Pro features as Free user.\n* Rate-limiting issues (accepted risk)\n* cvrservice.workbox.dk, this endpoint is used for searches of publicly available data", "impact": "Tier 2" }, { "type": "url", "endpoint": "authz.workbox.dk", "description": "**Dinero**\nUsed for Authorization (OAuth). See instructions for \"app.workbox.dk\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "autointerface.stag.visma.net", "description": "**AutoInvoice**\nSee instructions for domain 'ai-testing.maventa.com' to get user credentials.\n\nThe same resource can be accessed through the URL **autointerface-embeddable-stage.maventa.com**\n\nAll data processing is done through the REST API at ax-stage.maventa.com\n\n**Out of scope or works as expected (accepted risk):**\n* Clickjacking is out of scope for this asset since it is designed to be framed (embedded) in other 3rd party services.\n* Regular users are allowed to view certain admin settings pages (but not allowed to edit the settings)", "impact": "Tier 2" }, { "type": "url", "endpoint": "ax-stage.maventa.com", "description": "**AutoInvoice**\nhttps://ax-stage.maventa.com is a REST API connected to Visma AutoInvoice.\n\nAPI documentation is available on https://documentation.maventa.com/rest-api/ and https://ax-stage.maventa.com/swagger/#/\n\nSee instructions for domain 'ai-testing.maventa.com' to get user credentials.\n\n**Out of scope or works as expected (accepted risk):**\n* Regular users are allowed to read certain company settings even though they are not perhaps visible in the UI (but they are not allowed to edit the settings)", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.visma.blue", "description": "**Visma Scanner**\nVisma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.\nThe Andriod version of the app can be found 
here:\nhttps://play.google.com/store/apps/details?id=com.visma.blue&hl=en\nPlease read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-iMXxOpXkhOlTBUQtXfyA-getting-started.pdf\n**Please note that the training code has changed!** It is now: wr0d4 , also make sure to select the same Program/Service options as the Getting Started document has. \n\n**Out of scope:**\n* Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc)\n* Private screen exposure in the app\n* Stack traces from api calls\n* Jailbroken devices is out of scope\n* All options for login are out of scope, except eAccounting (please see details in the \"Getting Started instructions document\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "connect.identity.stagaws.visma.com", "description": "**Connect**\nVisma Connect is featurewise a small but critical component in the Visma portfolio. It is a single sign-on solution used by many Visma services. 
It is also the place where users manage security preferences such as passwords, MFA, 2FA, email and other account settings.\n\nUser accounts for testing can be created on https://connect.identity.stagaws.visma.com (this signup flow is not available in production).\n\nThe test accounts will not have access to any other services right now, so testing is limited to the login portal itself.\n\n**Out of scope:**\n* Session invalidation after enabling 2FA - by design intended to work like this.\n* Please do not knowingly target the BB Test Teacher user or any other users that you have not created yourself.", "impact": "Tier 2" }, { "type": "url", "endpoint": "eaccounting.stage.vismaonline.com", "description": "**eAccounting**\nThis is \"Visma eAccounting\" (aka Visma eEkonomi / Visma ePasseli) which is an ERP system available in Sweden, Norway, Finland and The Netherlands.\n\nWe've added into scope also the eEkonomi \"Visma Lön Smart\" which is a subservice of eAccounting. This can be found after you activate your account (check out the instructions bellow).\n\nYou can read more on https://www.visma.no/eaccounting/english/\n\nYou need to register an user to test this system. The sign-up up process is described in this document:\nhttps://vismabugbountyprod.z16.web.core.windows.net/Visma-eAccounting-1GWFyEopW9dTKsGYM3FJ-getting-started.pdf\n**Please note that the training code has changed!** It is now: wr0d4 , also make sure to select the same Program/Service options as the Getting Started document has. \n\nThis video also shows the entire setup (only Swedish audio) https://www.youtube.com/watch?v=kVr_CXgfhi0&t=4s\n\nTLDR: Goto https://admin.stage.vismaonline.com/Customer/StudentSignup.aspx and sign up with the training code \"wr0d4\"\n\n**Out of scope:**\n* Session invalidation issues (e.g. 
logout, password change, email change, role change, user deletion, etc).\n* Modification of gray-out fields when logged in with an admin account.\n* Improper access control: manipulation of the message conversation by members that have no permission (edit subject, join thread conversation, closing the conversation).\n* Email phishing\n* PDF injection\n* Permissions for Lön Smart (the permissions in eAccounting don´t apply at all for Lön Smart).\n* Possibility to create Orders and Quotes with amount 0€\n* Race Condition in article stock limits\n\n* We plan to fix all server-side validation for all tabs mentioned below. All these are under Lön Smart in eAccounting. So until all fixes are applied the following will remain out of scope:\n\t- Fix server-side validation for tab Basic Information on Employee\n\t- Fix server-side validation for tab Employment on Employee\n\t- Fix server-side validation for tab Pay on Employee\n\t- Fix server-side validation for tab Taxes on Employee\n\t- Fix server-side validation for tab Holiday on Employee\n\t- Fix server-side validation for tab Reporting on Employee\n\t- Fix server-side validation for tab Payslip on Employee\n\t- Fix server-side validation for tab Input values on Employee\n\t- Fix server-side validation for tab Pay and payments in payroll settings\n\t- Fix server-side validation for tab Holiday in payroll settings\n\t- Fix server-side validation for tab Accounting in payroll settings\n\t- Fix server-side validation for tab Work schedules in payroll settings\n\t- Fix server-side validation for tab Agreements in payroll settings\n\t- Fix server-side validation for tab Paycodes in payroll settings\n\t- Fix server-side validation for tab Shortcuts in payroll settings", "impact": "Tier 2" }, { "type": "url", "endpoint": "eaccountingprinting.stage.vismaonline.com", "description": "**eAccounting**\nYou reach this asset by creating and viewing a report under the Accounting/Reports menu as a logged on user in asset 
\"eaccounting.stage.vismaonline.com\"", "impact": "Tier 2" }, { "type": "url", "endpoint": "identity.stage.vismaonline.com", "description": "**Visma Online**\nVisma Connect is used as identity provider, but an own identity server is used to provide JWT tokens that are used by MyServices (and others). \nPlease read the Getting Started instructions document in the \"myservices.stage.vismaonline.com\" asset description.\n\n**Out of scope:**\n* Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).\n* Please do not target the BB Test Teacher user or any other Teacher users you find, these accounts exists as a service requirement and disruptions may cause issues with your testing account and will not be considered as higher impact.", "impact": "Tier 2" }, { "type": "url", "endpoint": "myservices-api.stage.vismaonline.com", "description": "**Visma Online**\nThis is the API behind \"myservices.stage.vismaonline.com\".\nPlease read the Getting Started instructions document in the asset description \"myservices.stage.vismaonline.com\".", "impact": "Tier 2" }, { "type": "url", "endpoint": "myservices.stage.vismaonline.com", "description": "**Visma Online**\nThis is an interface where the customer's users can access all their services, and customer's administrators can manage users on the company and manage users' access to services that the company has. \nMore information about the service and test accounts creation can be found here: \nhttps://vismabugbountyprod.z16.web.core.windows.net/VismaOnline-9Jn9Xh382zaQsQ8IqT2x-getting-started.pdf\n**Please note that the training code has changed!** It is now: wr0d4 , also make sure to select the same Program/Service options as the Getting Started document shows. \n\n\n**Out of scope:**\n* Please **do not** target the BB Test Teacher user or any other Teacher users you find during sign-up as this would violate our Program Rules. 
If you need to test cross-account issues please create a 2nd test user yourself.\n* Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).", "impact": "Tier 2" }, { "type": "url", "endpoint": "oauth.developers.stagaws.visma.com", "description": "**Visma Developer Portal**\nVisma Developer Portal is used both internally and externally by developers for registering OAuth 2.0/OpenID Connect applications for Single-Sign-On with Visma (Visma Connect) and/or API integration.\n\nExisting Visma Connect users accounts can be used for testing. We also allow registration of new users if needed.\n\nUsers need to register an organization as part of the sign-in or to be added (invite) to an existing organization by organization's manager. The user which registers the organization also gets manager role assigned.\n\nEach organization has its own set of OAuth 2.0/OpenID Connect applications.\n\nPlease read the Getting Started Instructions here: https://vismabugbountyprod.z16.web.core.windows.net/VismaDeveloperPortal-Ze8WD6GFaIFdLvE2ekbN-getting-started.pdf\n\n\n\n**Out of scope:**\n* session invalidation across browsers/devices - this is how it is intended to work by design\n* issues related to other APIs except DevPortal Bug Bounty Interactive and DevPortal Bug Bounty Non-Interactive", "impact": "Tier 2" }, { "type": "url", "endpoint": "photoservice.stage.vismaonline.com", "description": "**Visma Scanner**\n\nBackend service for Visma Scanner mobile app, see instructions for domain \"com.visma.blue\" or “564141518”", "impact": "Tier 2" }, { "type": "url", "endpoint": "testing.maventa.com", "description": "**AutoInvoice**\nhttps://testing.maventa.com/apis/v1.1/wsdl is a SOAP API connected to Visma AutoInvoice.\n\nAPI documentation is available on https://documentation.maventa.com/soap-api/\n\nSee instructions for domain 'ai-testing.maventa.com' to get user credentials.", "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": 
"3e51fb18-7082-4ce5-85d0-2bd889b5ed4e", "name": "Visma Responsible Disclosure", "company_handle": "visma", "handle": "VismaResponsibleDisclosure", "url": "https://www.intigriti.com/programs/visma/VismaResponsibleDisclosure/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "all", "description": "This program covers all Visma services, products or web properties.\nWe do not offer money rewards for this program, but as a small token of appreciation for all researchers that submit a previously unknown vulnerability that triggers a code or configuration change, we will offer a place on our [Security Hall of Fame (HoF)](https://www.visma.com/trust-centre/security/products-and-services/bug-bounty-and-responsible-disclosure/hall-of-fame/).\nAlso for **all valid Medium+ reports**, we will offer **swags**.\n\nFor money rewards, the only exceptions are the specific assets listed in our Public Bug Bounty Program, see https://app.intigriti.com/programs/visma/visma/detail. Please note that we will only accept reports for the explicitly listed assets under our Public program.", "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "f64faa66-b7e6-4ad7-bf56-b64a885d682a", "name": "Vlerick Business School", "company_handle": "vlerickbusinessschool", "handle": "vlerickbusinessschool", "url": "https://www.intigriti.com/programs/vlerickbusinessschool/vlerickbusinessschool/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.vlerick.com", "description": "When you start testing www.vlerick.com, **visit www.vlerick.com/en?internal first**. 
In this way, your testing is not taken into account in our web stats.\n\nNEW! Feel free to test & scan our new submdomain https://my.vlerick.com/ as well.", "impact": "No Bounty" }, { "type": "iprange", "endpoint": "193.190.150.0/24", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://my.vlerick.com/ ", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://viper.uat.vlerick.com/", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://www-tst.vlerick.com/en/", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": "https://enterprise.vlerick.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://enterprise2.vlerick.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://mastersblog.vlerick.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://repository.vlerick.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://spoc.myshopify.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://vlerick.myshopify.com/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://webform.vlerick.com", "description": null, "impact": "Out of scope" } ] } }, { "id": "92431bf9-ab3e-4e69-9619-c59f8e5193b1", "name": "Voi Scooters", "company_handle": "voi", "handle": "voiscooters", "url": "https://www.intigriti.com/programs/voi/voiscooters/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "ios", "endpoint": "1395921017", "description": "iOS Mobile Application", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://api.voiapp.io/", 
"description": "Backend REST API", "impact": "Tier 1" }, { "type": "android", "endpoint": "io.voiapp.voi", "description": "Android Mobile Application", "impact": "Tier 1" }, { "type": "url", "endpoint": "mds.voiapp.io", "description": "Partner API as documented at https://docs.voiscooters.com/", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.voiscooters.com", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "report.voi.com", "description": "Website to report badly parked scooters.", "impact": "Tier 3" }, { "type": "url", "endpoint": "voi.com", "description": "Informational Website", "impact": "Tier 3" }, { "type": "url", "endpoint": "www.voiscooters.com", "description": "Informational Website", "impact": "Tier 3" } ], "out_of_scope": [] } }, { "id": "784ffbc6-daaa-4e7e-8eba-c38a101d7b12", "name": "Voi Vulnerability Disclosure Program", "company_handle": "voi", "handle": "voivulnerabilitydisclosureprogram", "url": "https://www.intigriti.com/programs/voi/voivulnerabilitydisclosureprogram/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "other", "endpoint": "All Voi assets", "description": null, "impact": "No Bounty" } ], "out_of_scope": [ { "type": "other", "endpoint": "Third-party systems or domains referencing Voi", "description": "Before testing or reporting a vulnerability, confirm that the target asset is owned or managed by Voi. 
When in doubt, we strongly encourage you to verify the asset's ownership through the program team to avoid unintentional testing of third-party systems.", "impact": "Out of scope" } ] } }, { "id": "afc4415d-c004-4cf8-9a12-e0f18cde6db5", "name": "WP Engine Bug Bounty", "company_handle": "wpengine", "handle": "wpenginebugbounty", "url": "https://www.intigriti.com/programs/wpengine/wpenginebugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://app.getflywheel.com", "description": "This is the primary site for researchers to register and test both the Flywheel App as well as the Flywheel Platform. We will not provide credentials or bypass verification controls (i.e, a researcher will need to either provide a valid phone number or credit card to have a live site), but a researcher may register a demo site that matches the platform's functionality without verification. **Please use your Intigriti credentials to register.** Please note that any issues regarding an individual WordPress installation on the Flywheel platform, outside of plugins owned by WP Engine/Flywheel, will be considered out of scope as we do not monitor or manage customer content. We are, however, very interested in issues that may compromise customer isolation on the platform or cause data to be leaked from either a host or an unrelated customer site.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://getflywheel.com", "description": "This site is the landing page for Flywheel-branded services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. 
Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality or https://getflywheel.com/schedule-a-demo/. No testing should be done against these targets or any 3rd party services. Please do not contact our Support or Sales teams as part of your testing.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://my.wpengine.com", "description": "The User Portal for WP Engine. Customers manage their WordPress sites, addons, and billing details through this portal. **No credentials will be provided**. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.\n\nResearchers may sign up for a free trial of our Headless Platform which provides full access to the User Portal and WP Engine platform for testing. The trial signup page can be found at https://wpengine.com/headless-wordpress/ . Please use your Intigriti researcher email address when signing up.", "impact": "Tier 1" }, { "type": "url", "endpoint": "https://payments.wpengine.com", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "https://wpengine.com", "description": "This the landing page for the main WP Engine website. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and Live Chat are out-of-scope - specifically, the Sales Questions functionality and https://wpengine.com/contact/. No testing should be done against these targets or any 3rd party services.\n\n**Please Note:** All customer sites on subdomains of wpengine.com, unless explicitly listed as in scope, are out of scope.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*. advancedcustomfields.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*. 
bettersearchreplace.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.deliciousbrains.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.localwp.com", "description": "Local is the #1 local WordPress development tool.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.nitropack.io", "description": "With NitroPack, you get everything you need for a fast website, in one place. Features like caching, image optimization, and a CDN are ready to go out of the box.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.studiopress.com", "description": "The studiopress.com, demo.studiopress.com, and my.studiopress.com sites are public facing marketing and WordPress theme e-commerce sites. **No credentials will be provided.** Researchers are free to test functionally that requires authentication with their own accounts.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.wpengine.io", "description": "This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be \"internal\" services like APIs but have public DNS records and some may be publicly-accessible.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.wpesvc.net", "description": "This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be \"internal\" services like APIs but have public DNS records and some may be publicly-accessible.", "impact": "Tier 2" }, { "type": "other", "endpoint": "WP Engine-developed WordPress Plugins and Themes", "description": "We accept any reports of vulnerabilities in plugins or themes managed or developed by WP Engine, with the exception of any application-level vulnerabilities in the Out of Scope section below. 
These free versions closely mirror their paid counterparts, so any vulnerabilities discovered should be applicable to both the paid or free plugins.\n\nWe also accept reports for the following plugins:\nAdvanced Custom Fields\nBetter Search Replace \nWP Migrate\nWP Offload Media for Amazon S3, DigitalOcean Spaces, and Google Cloud Storage\nWP Offload SES", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://makeshift.film", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "https://studiopress.blog", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "https://torquemag.io", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "https://velocitize.com", "description": null, "impact": "Tier 3" } ], "out_of_scope": [ { "type": "url", "endpoint": "marketing.nitropack.io", "description": "This asset is hosted at a third-party vendor and is not eligible for bounties.", "impact": "Out of scope" } ] } }, { "id": "1e325f65-37de-4094-9079-217e27cab00b", "name": "WP Engine VDP", "company_handle": "wpengine", "handle": "wpengine", "url": "https://www.intigriti.com/programs/wpengine/wpengine/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*. advancedcustomfields.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*. bettersearchreplace.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.deliciousbrains.com", "description": null, "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.studiopress.com", "description": "The studiopress.com, www.studiopress.com, and my.studiopress.com sites are public facing marketing and WordPress theme e-commerce sites. 
**No credentials will be provided.** Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wpengine.io", "description": "This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be \"internal\" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpengine.io", "impact": "No Bounty" }, { "type": "wildcard", "endpoint": "*.wpesvc.net", "description": "This is an apex domain used for microservices hosted as subdomains and service-to-service APIs - these are intended to be \"internal\" services like APIs but have public DNS records and some may be publicly-accessible. To aid in testing, we've provided some initial OSINT for this domain: https://crt.sh/?q=%25wpesvc.net", "impact": "No Bounty" }, { "type": "url", "endpoint": "app.getflywheel.com", "description": "This is the primary site for researchers to register and test both the Flywheel App as well as the Flywheel Platform. We will not provide credentials or bypass verification controls (i.e, a researcher will need to either provide a valid phone number or credit card to have a live site), but a researcher may register a demo site that matches the platform's functionality without verification. **Please use your Intigriti credentials to register.** Please note that any issues regarding an individual WordPress installation on the Flywheel platform, outside of plugins owned by WP Engine/Flywheel, will be considered out of scope as we do not monitor or manage customer content. 
We are, however, very interested in issues that may compromise customer isolation on the platform or cause data to be leaked from either a host or an unrelated customer site.", "impact": "No Bounty" }, { "type": "url", "endpoint": "getflywheel.com", "description": "This site is the landing page for Flywheel-branded services. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality or https://getflywheel.com/schedule-a-demo/. No testing should be done against these targets or any 3rd party services. Please do not contact Live Chat agents.", "impact": "No Bounty" }, { "type": "url", "endpoint": "https://nitropack.io", "description": "With NitroPack, you get everything you need for a fast website, in one place. Features like caching, image optimization, and a CDN are ready to go out of the box.", "impact": "No Bounty" }, { "type": "url", "endpoint": "my.wpengine.com", "description": "The User Portal for WP Engine. Customers manage their WordPress sites, addons, and billing details through this portal. **No credentials will be provided**. Researchers are free to test functionally that requires authentication with their own accounts. Please note: no reimbursements will be made for money spent to access this part of the application.", "impact": "No Bounty" }, { "type": "other", "endpoint": "NitroPack Plugins", "description": "We accept any reports of vulnerabilities in plugins developed by NitroPack, with the exception of any application-level vulnerabilities in the Out of Scope section below.", "impact": "No Bounty" }, { "type": "url", "endpoint": "spressforumstg.wpengine.com", "description": "The staging environment for the StudioPress community forum, built on WordPress. 
Researchers are welcome to register an account using their @intigriti.me email address, but should refrain from interacting with the community, making public posts, or performing automated testing which may cause disruption. Do not attempt to gain access to any user accounts not under your control.", "impact": "No Bounty" }, { "type": "url", "endpoint": "studiopress.blog", "description": "This is a public-facing marketing site built on WordPress. Most of the content on this site consists of static blog posts.", "impact": "No Bounty" }, { "type": "other", "endpoint": "WP Engine-developed WordPress Plugins and Themes", "description": "We accept any reports of vulnerabilities in plugins or themes managed or developed by WP Engine, with the exception of any application-level vulnerabilities in the Out of Scope section below. These free versions closely mirror their paid counterparts, so any vulnerabilities discovered should be applicable to both the paid or free plugins.\n\nWe also accept reports for the following Delicious Brains plugins:\nhttps://wordpress.org/plugins/advanced-custom-fields\n", "impact": "No Bounty" }, { "type": "url", "endpoint": "wpengine.com", "description": "This the landing page for the main WP Engine website. Most of this data is static, but there are a number of dynamic fields and functionalities that are available to be tested. Support, contact forms, and chat functionality are out-of-scope - specifically, the Sales Questions functionality and wpengine.com/contact/. 
No testing should be done against these targets or any 3rd party services.", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "url", "endpoint": " https://getflywheel.com/schedule-a-demo/", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://wpengine.com/contact/", "description": null, "impact": "Out of scope" } ] } }, { "id": "7999e698-363d-49e2-bd34-4ce47556d03c", "name": "Water-Link", "company_handle": "waterlink", "handle": "water-link", "url": "https://www.intigriti.com/programs/waterlink/water-link/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 50, "currency": "EUR" }, "max_bounty": { "value": 5000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://desktop.water-link.be/", "description": "Our Citrix environment for remote access", "impact": "Tier 2" }, { "type": "url", "endpoint": "https://pit.water-link.be/", "description": "Our intranet portal", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.water-link.be/", "description": null, "impact": "Tier 3" }, { "type": "url", "endpoint": "https://www.water-link-jaarverslag.be", "description": "Domain with the annual figures of our organisation.", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://www.water-link.be", "description": "This is the general public website for our citizens.", "impact": "Tier 3" }, { "type": "url", "endpoint": "https://www.waterstoring.be/", "description": "Here our citizens can check if their is a (un)planned interruption of the watersupply.", "impact": "Tier 3" } ], "out_of_scope": [ { "type": "url", "endpoint": "aquawardsspatial.water-link.be", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "gisacc(*).water-link.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://aquawardsoperate.water-link.be/", "description": null, "impact": 
"Out of scope" }, { "type": "url", "endpoint": "https://aquawardsoperateacc.water-link.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://feedback.water-link.be", "description": "SAAS application managed by an external partner", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://gis.water-link.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://gis1.water-link.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://gis2.water-link.be", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://jobs.water-link.be", "description": "SAP application managed by an external partner\n", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://wl_acc.water-link.be/", "description": "dev environment for our public website", "impact": "Out of scope" }, { "type": "url", "endpoint": "https://wl_dev.water-link.be/", "description": "dev environment for our public website", "impact": "Out of scope" } ] } }, { "id": "8a9c91c0-dd4f-4ed3-bb65-3c6b68e76b24", "name": "Watsons", "company_handle": "aswatson", "handle": "watsons", "url": "https://www.intigriti.com/programs/aswatson/watsons/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 10, "currency": "USD" }, "max_bounty": { "value": 8500, "currency": "USD" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "www.watsons.com.hk", "description": "This is our online retail platform for health and beauty products in Hong Kong.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.com.hk", "description": "This is the API server of the Watsons Hong Kong mobile app", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Hong Kong Android", "description": "This is our Watsons Hong Kong Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.ndn.android.watsons", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Hong Kong iOS", "description": "This is our Watsons Hong Kong (iOS) app.\nApp link: https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E9%A6%99%E6%B8%AF/id479512803", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.com.hk", "description": "This is the API server for the www.watsons.com.hk website", "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.watsons.com.hk", "description": "This subdomain is used to store static content for the www.watsons.com.hk e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.com.hk", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.co.th", "description": "This is our online retail platform for health and beauty products in Thailand.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.co.th", "description": "This is the API server of the Watsons Thailand mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "www20.watsons.co.th", "description": "This is the API server of the Watsons Thailand mobile app", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Thailand iOS", "description": "This is our Watsons Thailand (iOS) app.\nApp link: https://apps.apple.com/hk/app/watsons-th/id619935224", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Thailand Android", "description": "This is our Watsons Thailand Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.mtelnet.watson.thailand", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.co.th", "description": "This is the API server for the www.watsons.co.th website", "impact": "Tier 1" }, { "type": "url", "endpoint": "community.watsons.co.th", "description": "The asset is community forum of watsons.co.th", "impact": null }, { "type": "url", "endpoint": "medias.watsons.co.th", "description": "This subdomain is used to store static content for the www.watsons.co.th e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.co.th", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.com.tw", "description": "This is our online retail platform for health and beauty products in Taiwan.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.com.tw", "description": "This is the API server of the Watsons Taiwan mobile app", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Taiwan Android", "description": "This is our Watsons Taiwan Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=tw.com.watsons.app", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Taiwan iOS", "description": "This is our Watsons Taiwan (iOS) app.\nApp link: https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E5%8F%B0%E7%81%A3/id477968775", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.com.tw", "description": "This is the API server for the www.watsons.com.tw website", "impact": "Tier 1" }, { "type": "url", "endpoint": "member.watsons.com.tw", "description": "The asset is promotion website of watsons.com.tw.", "impact": null }, { "type": "url", "endpoint": "medias.watsons.com.tw", "description": "This subdomain is used to store static content for the www.watsons.com.tw e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.com.tw", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.com.sg", "description": "This is our online retail platform for health and beauty products in Singapore.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.com.sg", "description": "This is the API server of the Watsons Singapore mobile app", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Singapore iOS", "description": "This is our Watsons Singapore (iOS) app.\nApp link: https://apps.apple.com/hk/app/watsons-sg-the-official-app/id449412168", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Singapore Android", "description": "This is our Watsons Singapore Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.watsons.sg.android", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.com.sg", "description": "This is the API server for the www.watsons.com.sg website", "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.watsons.com.sg", "description": "This subdomain is used to store static content for the www.watsons.com.sg e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.com.sg", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.com.ph", "description": "This is our online retail platform for health and beauty products in Philippines.", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Philippines iOS", "description": "This is our Watsons Philippines (iOS) app.\nApp link: https://apps.apple.com/hk/app/watsons-philippines/id1438203234", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Philippines Android", "description": "This is our Watsons Philippines Mobile (Android) app. 
\nApp Link:https://play.google.com/store/apps/details?id=com.mtelnet.watson.ph", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.com.ph", "description": "This is the API server for the www.watsons.com.ph website", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.com.ph", "description": "This is the API server of the Watsons Philippines mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "community.watsons.com.ph", "description": "The asset is community forum of watsons.com.ph.", "impact": null }, { "type": "url", "endpoint": "medias.watsons.com.ph", "description": "This subdomain is used to store static content for the www.watsons.com.ph e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.com.ph", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.lookatme.com.ph", "description": null, "impact": "Tier 1" }, { "type": "android", "endpoint": "LookAtMe Philippines Android", "description": null, "impact": "Tier 1" }, { "type": "ios", "endpoint": "LookAtMe Philippines iOS", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "api.lookatme.com.ph", "description": null, "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.lookatme.com.ph", "description": null, "impact": null }, { "type": "wildcard", "endpoint": "*.lookatme.com.ph", "description": null, "impact": null }, { "type": "url", "endpoint": "www.watsons.com.my", "description": "This is our online retail platform for health and beauty products in Malaysia.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.com.my", "description": "This is the API server of the Watsons Malaysia mobile app", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Malaysia Android", "description": "This is our Watsons Malaysia Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.watsons.mcommerce", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Malaysia iOS", "description": "This is our Watsons Malaysia (iOS) app.\nApp link: https://apps.apple.com/hk/app/watsons-my/id1112796292", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.com.my", "description": "This is the API server for the www.watsons.com.my website", "impact": "Tier 1" }, { "type": "url", "endpoint": "community.watsons.com.my", "description": "The asset is community forum of watsons.com.my.", "impact": null }, { "type": "url", "endpoint": "medias.watsons.com.my", "description": "This subdomain is used to store static content for the www.watsons.com.my e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.com.my", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.co.id", "description": "This is our online retail platform for health and beauty products in Indonesia.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.co.id", "description": "This is the API server of the Watsons Indonesia mobile app", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Indonesia Android", "description": "This is our Watsons Indonesia Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.watsons.id.android", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Indonesia iOS", "description": "This is our Watsons Indonesia (iOS) app.\nApp link: https://apps.apple.com/hk/app/watsons-id/id1184851346", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.co.id", "description": "This is the API server for the www.watsons.co.id website", "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.watsons.co.id", "description": "This subdomain is used to store static content for the www.watsons.co.id e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.co.id", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.vn", "description": "This is our online retail platform for health and beauty products in Vietnam.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.watsons.vn", "description": "This is the API server of the Watsons Vietnam mobile app", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Vietnam iOS", "description": "This is our Watsons Vietnam (iOS) app.\nApp link: https://apps.apple.com/in/app/watsons-vietnam/id1446869800", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Vietnam Android", "description": "This is our Watsons Vietnam Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.watsons.vn.android", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.vn", "description": "This is the API server for the www.watsons.vn website", "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.watsons.vn", "description": "This subdomain is used to store static content for the www.watsons.vn e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.vn", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.pns.hk", "description": "This is our online retail platform for ParkNShop Hong Kong.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.pns.hk", "description": "This is the API server of the PNS mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.pns.hk", "description": "This is the API server for the www.pns.hk website", "impact": "Tier 1" }, { "type": "ios", "endpoint": "PNS iOS", "description": "This is our PNS (iOS) app.\nApp link: https://apps.apple.com/hk/app/parknshop/id840837558", "impact": "Tier 1" }, { "type": "android", "endpoint": "PNS Android", "description": "This is our PNS Mobile (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=com.parknshop.parknshopapp", "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.pns.hk", "description": "This subdomain is used to store static content for the www.pns.hk e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.pns.hk", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", "endpoint": "*.parknshop.com", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.fortress.com.hk", "description": "This is our online retail platform for Fortress Hong Kong.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www10.fortress.com.hk", "description": "This is the API server of the Fortress Hong Kong mobile app", "impact": "Tier 1" }, { "type": "android", "endpoint": "Fortress Hong Kong Android", "description": "This is our Fortress (Android) app. 
\nApp Link: https://play.google.com/store/apps/details?id=fortress.fortressapp", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Fortress Hong Kong iOS", "description": "This is our Fortress (iOS) app.\nApp link: https://apps.apple.com/hk/app/fortress/id1133110850", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.fortress.com.hk", "description": "This is the API server for the www.fortress.com.hk website", "impact": "Tier 1" }, { "type": "url", "endpoint": "medias.fortress.com.hk", "description": "This subdomain is used to store static content for the www.fortress.com.hk e-commerce website.", "impact": null }, { "type": "wildcard", "endpoint": "*.fortress.com.hk", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.watsons.com.tr", "description": "This is our online retail platform for health and beauty products in Turkey.", "impact": "Tier 1" }, { "type": "android", "endpoint": "Watsons Turkey Android", "description": "This is our Watsons Turkey (Android) app.\nApp link: https://play.google.com/store/apps/details?id=com.mobular.watsons", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Watsons Turkey iOS", "description": "This is our Watsons Turkey (iOS) app.\nApp link: https://apps.apple.com/tr/app/watsons-kozmetik-ve-al%C4%B1%C5%9Fveri%C5%9F/id1507132907", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.watsons.com.tr", "description": "This is the API server of the Watsons Turkey mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.watsons.com.tr", "description": "This is the API server for the www.watsons.com.tr website\nAPI spec: https://api.watsons.com.tr/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "blog.watsons.com.tr", "description": "This is the blog website for Watsons Turkey.", "impact": null }, { "type": "url", "endpoint": "campaign.watsons.com.tr", "description": 
"This is a marketing related application from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "adayevrak.watsons.com.tr", "description": "This is an HR related application from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "katalog.watsons.com.tr", "description": "This is a marketing related application from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "www.watsonsbeautystudio.com", "description": "This is Watsons Turkey's Beauty Studio website", "impact": null }, { "type": "url", "endpoint": "ik.watsons.com.tr", "description": "This is an HR related application from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "gc.watsons.com.tr", "description": "This is a marketing related application from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "odul.watsons.com.tr", "description": "This is a marketing related application from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "wasapi.watsons.com.tr", "description": "This is the API server for the odul.watsons.com.tr application", "impact": null }, { "type": "url", "endpoint": "media.watsons.com.tr", "description": "This subdomain is used to store static content for the www.watsons.com.tr e-commerce website", "impact": null }, { "type": "url", "endpoint": "scp.watsons.com.tr", "description": "This is a supplier portal from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "scpapi.watsons.com.tr", "description": "This is the API server for the supplier portal from Watsons Turkey", "impact": null }, { "type": "url", "endpoint": "bulten.watsons.com.tr", "description": "This is a marketing related application from Watsons Turkey", "impact": null }, { "type": "wildcard", "endpoint": "*.watsons.com.tr", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.drogas.lt", "description": "This is 
our online retail platform for health and beauty products in Lithuania.", "impact": "Tier 1" }, { "type": "url", "endpoint": "www.drogas.lv", "description": "This is our online retail platform for health and beauty products in Latvia.", "impact": "Tier 1" }, { "type": "android", "endpoint": "Drogas Latvia Android", "description": "This is our Drogas Latvia (Android) app.\nApp link: https://play.google.com/store/apps/details?id=lv.drogas.consumer", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Drogas Latvia iOS", "description": "This is our Drogas Latvia (iOS) app.\nApp link: https://apps.apple.com/lv/app/drogas/id1564705644", "impact": "Tier 1" }, { "type": "android", "endpoint": "Drogas Lithuania Android", "description": "This is our Drogas Lithuania (Android) app.\nApp link: https://play.google.com/store/apps/details?id=lt.drogas.consumer", "impact": "Tier 1" }, { "type": "ios", "endpoint": "Drogas Lithuania iOS", "description": "This is our Drogas Lithuania (iOS) app.\nApp link: https://apps.apple.com/lt/app/drogas/id1571651832", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.drogas.lt", "description": "This is the API server of the Drogas Lithuania mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.drogas.lv", "description": "This is the API server for the www.watsons.com.tr website\nAPI spec: https://api.drogas.lv/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.drogas.lt", "description": "This subdomain is used to store static content for the www.drogas.lt e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "app.drogas.lv", "description": "This is the API server of the Drogas Latvia mobile app", "impact": "Tier 1" }, { "type": "url", "endpoint": "api.drogas.lt", "description": "This is the API server for the www.watsons.com.tr website\nAPI spec: https://api.drogas.lt/api/v2/api-docs", "impact": "Tier 1" }, { "type": "url", "endpoint": "media.drogas.lv", "description": "This 
subdomain is used to store static content for the www.drogas.lv e-commerce website", "impact": "Tier 1" }, { "type": "url", "endpoint": "campaign.drogas.lt", "description": "This is a marketing related application from Drogas", "impact": null }, { "type": "url", "endpoint": "campaign.drogas.lv", "description": "This is a marketing related application from Drogas", "impact": null }, { "type": "wildcard", "endpoint": "*.drogas.lt", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "wildcard", "endpoint": "*.drogas.lv", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null }, { "type": "url", "endpoint": "www.moneyback.com.hk", "description": "This is the Moneyback website, our Hong Kong loyalty reward program. MoneyBack has turned shopping into fantastic rewards for families across Hong Kong.", "impact": "Tier 2" }, { "type": "android", "endpoint": "Moneyback Android", "description": "This is our Moneyback (Android) app.\nApp link: https://play.google.com/store/apps/details?id=com.asw.moneyback", "impact": "Tier 2" }, { "type": "ios", "endpoint": "Moneyback iOS", "description": "This is our Moneyback (iOS) app.\nApp link: https://apps.apple.com/hk/app/moneyback/id1230818544", "impact": "Tier 2" }, { "type": "url", "endpoint": "mapi.moneyback.com.hk", "description": "This is the API Server for our MoneyBack Mobile app.", "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*.moneyback.com.hk", "description": "This asset contains all other applications on this wildcard not explicitly mentioned elsewhere in the scope", "impact": null } ], "out_of_scope": [] } }, { "id": "ea1c246f-7818-4703-b208-9e86e1bd8554", "name": "Wolt", "company_handle": "wolt", "handle": "wolt", "url": "https://www.intigriti.com/programs/wolt/wolt/detail", "status": "open", "confidentiality_level": 
"public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "EUR" }, "max_bounty": { "value": 3500, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "authentication.wolt.com", "description": "#### Keywords: OAuth2, OIDC, JWT\n- Used by: Regular wolt.com users, Wolt employees, other services (service-to-service communication).\n- Handles the vast majority of our authN/authZ. In other words, JWTs signed by this service can grant you access to other services/APIs.\n- Your JWT as a regular wolt.com user comes from this service.", "impact": "Tier 1" }, { "type": "url", "endpoint": "corporate.wolt.com", "description": "#### Keywords: admin\n- Used by: Wolt employees, corporate customers.\n- Admin portal for Wolt's corporate customers.\n- Your JWT as a regular wolt.com user should grant you limited access.", "impact": "Tier 1" }, { "type": "url", "endpoint": "drive.wolt.com", "description": "#### Keywords: admin\n- Used by: Wolt employees, delivery partners.\n- Admin portal for Wolt's last-mile delivery partners.\n- Your JWT as a regular wolt.com user should grant you limited access.\n", "impact": "Tier 1" }, { "type": "url", "endpoint": "merchant.wolt.com", "description": "#### Keywords: admin\n- Used by: Wolt employees, store managers.\n- Portal for store managers to update menus.\n- Your JWT as a regular wolt.com user should grant you limited access.", "impact": "Tier 1" }, { "type": "url", "endpoint": "ops.wolt.com", "description": "#### Keywords: admin\n- Used by: Wolt employees.\n- This service's endpoints are only accessible by Wolt employees (if you can show otherwise, that’ll be **very** interesting). 
However, your tainted data (e.g., purchase info, profile info) may be processed by this service.", "impact": "Tier 1" }, { "type": "url", "endpoint": "restaurant-api.wolt.com", "description": "- Used by: Regular wolt.com users, Wolt employees, corporate customers, delivery partners, store managers.\n- Notable use-cases: Creating and editing users, placing orders, tracking orders, setting prices.\n- Your JWT as a regular wolt.com user should grant you access to most functionality for your user type.\n", "impact": "Tier 1" }, { "type": "url", "endpoint": "wolt.com", "description": "- Used by: Everybody.\n- Our main web page.\n- Notable use-cases: Offering an in-browser JavaScript app to interact with other APIs and services. Offering HTTP endpoints to interact with this service's own APIs.", "impact": "Tier 1" }, { "type": "wildcard", "endpoint": "*.wolt.com", "description": "- Anything else under the `.wolt.com` domain is fair game. EXCEPTIONS:\n - `press.wolt.com`. This is a third-party SaaS and we aren't authorized to test it.\n - `blog.wolt.com`. This is a third-party SaaS (wpengine.com). wpengine.com owns the infrastructure, but we maintain the WordPress installation. 
Only WordPress-level probes are allowed.\n- Depending on the affected service and finding type, we might bump this to `Tier 1` bounties.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "1477299281", "description": "#### Keywords: iOS\n- Used by: Wolt couriers.\n- Notable use-cases: Receiving delivery requests, tracking orders, completing deliveries, modifying your profile info.\n- For the time being we don't provide accounts of the `courier` type.\n- It would be *very* interesting if you can interact with the courier APIs without actually having a courier account.", "impact": "Tier 2" }, { "type": "ios", "endpoint": "943905271", "description": "#### Keywords: iOS\n- Used by: Wolt customers.\n- Notable use-cases: Regular wolt.com account creation, placing orders, tracking your orders, modifying your profile info.", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.wolt.android", "description": "#### Keywords: Android\n- Used by: Wolt customers.\n- Notable use-cases: Regular wolt.com account creation, placing orders, tracking your orders, modifying your profile info.", "impact": "Tier 2" }, { "type": "android", "endpoint": "com.wolt.courierapp", "description": "#### Keywords: Android\n- Used by: Wolt couriers.\n- Notable use-cases: Receiving delivery requests, tracking orders, completing deliveries, modifying your profile info.\n- For the time being we don't provide accounts of the `courier` type.\n- It would be *very* interesting if you can interact with the courier APIs without actually having a courier account.", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "url", "endpoint": "blog.wolt.com", "description": "#### Keywords: Third-party SaaS, WordPress\n- Used by: Wolt employees.\n- WordPress blog hosted by wpengine.com.\n- wpengine.com owns the infrastructure, but we maintain the WordPress installation.\n- **Note:** Only WordPress-level probes are allowed.", "impact": "Out of scope" }, { "type": "url", "endpoint": "gettest.wolt.com", 
"description": "Low severity issues affecting gettest.wolt.com", "impact": "Out of scope" }, { "type": "url", "endpoint": "links.wolt.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "press.wolt.com", "description": "This is a third-party SaaS and we aren't authorized to test it.", "impact": "Out of scope" }, { "type": "url", "endpoint": "wolt.atlassian.net", "description": null, "impact": "Out of scope" } ] } }, { "id": "bbc2d49d-6b11-40af-9746-aefa64756928", "name": "Yacht", "company_handle": "randstad", "handle": "yacht", "url": "https://www.intigriti.com/programs/randstad/yacht/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.yacht.nl", "description": null, "impact": "Tier 2" } ], "out_of_scope": [] } }, { "id": "d89a3560-be5c-406c-8a73-e4c72b0ca4c4", "name": "Yahoo Bug Bounty", "company_handle": "yahoo", "handle": "yahoobugbounty", "url": "https://www.intigriti.com/programs/yahoo/yahoobugbounty/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 100, "currency": "USD" }, "max_bounty": { "value": 15000, "currency": "USD" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*ensemble*.yahoo.com", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "*omega*.yahoo.com", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "7 News", "description": "* [7News iOS](https://itunes.apple.com/au/app/7news/id439828000?mt=8)\n* [7News Android](https://play.google.com/store/apps/details?id=com.seven.news&hl=en_US)", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL (misc)", "description": "## In Scope ##\n* *.aol.com\n\n## Notes\nOnly use this asset when nothing else can 
be reasonably selected.\n\nBugs with AOL that are not listed in scope of our other AOL-related assets can still be submitted to this asset and **_*might*_** be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.\n\n## Out of Scope ##\n* *nat.aol.com\n* *.ipt.aol.com", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Help", "description": "## In Scope ##\n* help.aol.com\n* assistance.aol.fr\n* help.aol.co.uk\n* hilfe.aol.de\n\n## Notes ##\nAny bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.\n\n## Out of Scope ##\n* assist.aol.com (2nd party service)\n* helpisp.netscape.com\n* helpconnect.netscape.com\n* help.compuserve.com\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Homepage", "description": "## In Scope ##\n* www.aol.de\n* www.aol.co.uk\n* www.aol.in\n* www.aol.ca\n* www.aol.com\n* www.aol.com/*\n* AOL Games Landing Page - https://www.aol.com/games/ -> see 3rd Party Notes Below\n\n## Notes ##\n* OOS Exception: 3rd party components that affect aol.com (e.g. XSS executes in AOL.com domain resulting from abuse of TravelZoo module on Travel page)\n\n## Out of Scope ##\n**First Party Things:**\n* https://ottr.video.yahoo.com/v1/video-exp/schedule\n* https://s.yimg.com/rb/screwdriver/ctv/ve-module/builds/prod/aol/dist/vem.js\n**Second Party Things:**\n* DataMask by AOL (White Label app)\n* AOL OnePoint (White Label app)\n* Private WiFi by AOL (White Label app)\n* AOL Games (White Label app)\n**Third Party Things:**\n* 3rd Party Ad Integration. (Third Party, Taboola)\n* Popular in the Community, More Conversations for You, Commenting on articles (and more) (Third Party, OpenWeb)\n* spot.im (Third Party, OpenWeb)\n* Individual AOL Games pages are rendered by us, but we iFrame in the Masque game urls. 
(Third Party, Masque)\n* games.com, fungames.aol.com & fungames.com (Third Party, Masque)\n* Comparecards.aol.com is CNAME’d to our own ATS cluster which forward maps requests to the comparecards cloudfront distribution. (Third Party, CompareCards)\n* JS widget on the AOL.com homepage providing news stories. (Third Party, Zergnet)\n* Serverside rendered module on aol.com/real-estate, data comes from Zillow api. (Third Party, Zillow)\n* Serverside rendered module on www.aol.com/travel, data comes from TravelZoo api. (Third Party, Travel Zoo)\n* rezserver.com (Third Party, Travel Zoo)", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Mail", "description": "## In Scope ##\n* *.mail.aol.com (see exclusions below)\n* Rpc.mail.aol.com\n* [AOL iOS](https://apps.apple.com/us/app/aol-news-email-weather-video/id646100661)\n* [AOL Android](https://play.google.com/store/apps/details?id=com.aol.mobile.aolapp&hl=en_US)\n* [AOL FireOS](https://www.amazon.com/AOL-Inc-Mail-News-Video/dp/B011VYAGSY)\n\n ## Notes ## \n* oidc.mail.aol.com (Hosted by Mail, but belongs to Membership)\n\n ## Out of Scope ## \n* mail.aol.com/calsvc\n* AOL Desktop Gold\n* apis.mail.aol.com\n* test-apis.mail.aol.com\n* *.aolmail.com\n* mail.aol.com/classicab\n* mail.aol.com/getmydata\n* mail.aol.com/ws\n* *.aol.com", "impact": "Tier 2" }, { "type": "other", "endpoint": "AOL Search", "description": "## In Scope ##\n* search.aol.ca\n* search.aol.co.uk\n* search.aol.com\n* recherche.aol.fr\n* suche.aol.de\n\n## Notes ##\nAny bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.\n", "impact": "Tier 2" }, { "type": "url", "endpoint": "apis.mail.yahoo.com", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "data.mail.yahoo.com", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Engadget", "description": "## In Scope ##\n* [APIs](https://api.engadget.com/api)\n* 
*.engadget.com\n\n## Notes ##\n* Separate reports for the same or similar payload/issue against multiple international editions, will be marked as duplicates and paid only once for Engadget international editions.\n\n## Out of Scope ##\n* *.spot.im (3rd party, Spot.IM)\n* *.cn.engadget.com (Engadget International Edition)\n* *.chinese.engadget.com (Engadget International Edition)\n* *.japanese.engadget.com (Engadget International Edition)\n* jobs.engadget.com (3rd party, Jobboard.io)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Gemini", "description": "* *.gemini.yahoo.com\n* *.admanager.yahoo.com", "impact": "Tier 2" }, { "type": "other", "endpoint": "Low Cost Access", "description": "## In Scope ##\n* *.isp.netscape.com\n* *.lite.aol.com\n* *.compuserve.com\n* www.wmconnect.com\n\n## Other places to look ##\n* www.getnetscape.com\n* netscape.compuserve.com\n\n## Out of Scope ##\n* Subdomains of wmconnect.com outside of www\n\n## Notes ##\n* These services are designed for delivery through slow internet connections.\n* Registration for these services has been disabled.\n* Help-related pages/domains should be reported to the AOL Help asset.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Membership", "description": "## In Scope ##\n* https://login.yahoo.com\n* https://login.aol.com\n* https://api.login.yahoo.com\n* https://api.login.aol.com\n* http://credstore.yahoo.com/\n\nSome documentation that may help:\nhttps://developer.yahoo.com/oauth2/guide/\nSpecific paths to target….\nFor `login.*.com`\n* /account/logout\n* /auth/2.0/credentials\n* /auth/1.0/\n* /saml2/\n* /account\n* /oauth2\n* /ylc\n* /account/challenges\n* /account/access\n* /oauth2/device_auth\n* /ctv\n* /activate\n* /forgot\n\nFor `api.login.*.com`\n* /api\n* /oauth2/get_token\n* /oauth2/web_session\n* /oauth2/device_sessions\n* /oauth2/device_authorization\n* /oauth2/device_auth\n* /oauth2/revoke\n* /oauth2/introspect\n\n## Out of Scope ##\n* Any rate limits for authentication 
attempts. \n* Any differentiated treatment based on account, browser, IP address etc.\n\n## Limits ##\n* Limit traffic against our services to < 10/second when probing or testing.", "impact": "Tier 2" }, { "type": "url", "endpoint": "onepush.query.yahoo.com", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Online Marketplace", "description": "Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records.\n* billupdate.aol.com\n* myaccount.aol.com\n* myservices.aol.com\n* payments.aol.com\n* mybenefits.aol.com\n* cancel.aol.com\n* bill.aol.com\n\nPlease consolidate your reports.\n**Note: Reporting the same issue separately for multiple CNAMEs will result in reports being marked as `Duplicate` at best.**", "impact": "Tier 2" }, { "type": "other", "endpoint": "Other (Misc)", "description": "Only use this asset when nothing else can be reasonably selected. \n\nBugs with Yahoo products that are not listed in scope of our [Public Program](https://app.intigriti.com/company/programs/yahoo/yahoobugbounty/detail) can still be submitted to this asset and _*might*_ be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.\n\nUse this asset for:\n* `*.oath.cloud`\n* `*.yahoo.cloud`\n\n## Bastion Subdomains:\n* `bastion.*.oath.cloud`\n* `bastion.*.yahoo.cloud`\n\nNote: Reports of Bastion host subdomain takeovers submitted that only show takeover of the destination IP are most likely to be closed as `Informative` and not eligible for bounty. 
Most valid bugs will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains(e.g., yahoo.com, aol.com, etc) to be potentially eligible for bounty.", "impact": "Tier 2" }, { "type": "url", "endpoint": "proddata.xobni.yahoo.com", "description": null, "impact": "Tier 2" }, { "type": "other", "endpoint": "Social Media Accounts", "description": "## Requirements\n* Account in question has posted content within 365 days of report submission\n* Account in question is related to a company, brand, or product\n* Exposed (valid/functional/active) credentials that allow login to an account\n\n## In Scope \n* Bounty: **Must meet all** `Requirements` above\n* Reputation: Meets at least one of the `Requirements` above\n* Note: “Account in question” means the account you are reporting as \"vulnerable.\"\n\n## Out of Scope\n* Account in question is related to an individual (employee, freelancer or otherwise)\n* Brute forcing account credentials", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW eCommerce: Auctions", "description": "## In Scope\n* [Yahoo TW Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecauction)\n* [Yahoo TW Auctions iOS](https://itunes.apple.com/tw/app/yahoo%E6%8B%8D%E8%B3%A3-%E5%88%8A%E7%99%BB%E5%85%8D%E8%B2%BB/id1033771352?mt=8)\n* Yahoo TW Auctions: \n * *.bid.yahoo.com\n * https://tw.bid.yahoo.com\n* Yahoo TW Auctions APIs:\n * https://tw.bid.yahoo.com/api/\n * https://tw.api.bid.yahoo.com:4443\n* Search API: tw.search.ec.yahoo.com\n\n## Notes\n* Access to the Taiwan sites from some countries in Europe may be blocked. 
\n* `Buyer` accounts can be set up for any Yahoo user.\n* `Seller` accounts require a TW phone number and 2FA.\n* **Do not** use fake data (like nid) when operating the cash functions, it may cause real money to be stuck; **we will hold you accountable for broken workflows.**\n* You are required to clean up all the testing data related to posting new products. \n* You **must** include the following “test” label in **ALL** posts (in the most visible location) to prevent regular users from interacting with hacker-created content: `[PARANOIDS-勿下標][TEST]`\n-- *Any reports identified that are missing this label, will not receive a bounty.*\n\n## Out of Scope\n* *.yahoo.com.tw\n* ismarus-ap-94600.tw.juiker.net\n* *.tw.juiker.net\n* auth.tw.juiker.net/oauth2/getUserTokenByTurnkey\n* *.straas.net\n* iOS: JuikerIMSDK.framework, StraaS-iOS-SDK\n* Android: io.straas.android.sdk\n* ecfme.famiport.com.tw (Third Party)\r\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW eCommerce: Shopping", "description": "## In Scope\n* [Yahoo TW Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecshopping)\n* [Yahoo TW Shopping iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B3%BC%E7%89%A9%E4%B8%AD%E5%BF%83/id1061577845?mt=8)\n* Yahoo TW Shopping\n * twpay.buy.yahoo.com \n * Web: https://tw.buy.yahoo.com/\n * Mobile Web: https://m.tw.buy.yahoo.com/\n * API: https://tw.mapi.shp.yahoo.com and https://tw.ews.mall.yahooapis.com/\n* Search API: tw.search.ec.yahoo.com \n* Rushbuy API: rushbuy.buy.yahoo.com\n\n## Out of Scope\n* *.yahoo.com.tw\n* iOS: TPDirect.framework\n* Android: tech.cherri.tpdirect.api", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW eCommerce: Used Car", "description": "## In Scope\n* tw.usedcar.yahoo.com\n\n## Notes\nRefer to the ## Notes ## section in the `TW eCommerce: Auctions` listing.\n\n## Out of Scope\n* *.yahoo.com.tw\n* autos.yahoo.com.tw\n* tw.serviceplus.yahoo.com", "impact": "Tier 2" 
}, { "type": "other", "endpoint": "TW Media: Front Page", "description": "## In Scope\n* tw.mobi.yahoo.com\n* tw.yahoo.com\n* Content API: https://ncp-gw-abu.media.yahoo.com/\n\n## Out of Scope\n* *.yahoo.com.tw", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW Media: News", "description": "## In Scope\n* [Yahoo TW News Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.newstw)\n* [Yahoo TW News iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9-%E7%9B%B4%E6%92%ADlive-%E5%8D%B3%E6%99%82%E6%96%B0%E8%81%9E/id864844562?mt=8)\n* Yahoo TW News \n * *.tw.news.yahoo.com\n * Backend API: https://news-app.abumedia.yql.yahoo.com:443/ \n * Web: https://tw.news.yahoo.com\n * Content API: https://ncp-gw-abu.media.yahoo.com/\n\n## Out of Scope\n* news.campaign.yahoo.com.tw\n* *.yahoo.com.tw", "impact": "Tier 2" }, { "type": "other", "endpoint": "TW Media: Stock", "description": "## In Scope\n* [Yahoo TW Stock Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.TWStock)\n* [Yahoo TW Stock iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%82%A1%E5%B8%82/id790214428?mt=8)\n* Yahoo TW Stock\n * tw.stock.yahoo.com\n * API: https://stock-app.abumedia.yql.yahoo.com\n * API: https://tw-finance-yql.media.yahoo.com\n\n## Notes\n* `stock.yahoo.com` and `finance.yahoo.com` are identical; Reports will NOT be credited same-bug-different-host bonuses when issues are found on both domains.\n* TW Stock Apps have a strong dependency with third party SDK(s) for receiving the real-time quote data in the market. Every page containing values (volume, prices, up/down flag, …) of index, tickers, etfs, …, ticker information, line chart, notifications setting are all from the SDK. And the connection with the SDK service is established when the app launches and lasts the app's whole lifetime. 
**These SDK service(s) are out of scope.**\n\n## Out of Scope\n* *.yahoo.com.tw\n* tw.finance.yahoo.com\n* Quote SDK (from Systex inc.)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Calendar", "description": "## In Scope\n* *.calendar.yahoo.com\n* *.caldav.calendar.yahoo.com\n\nSpecific paths to look at:\n* https://calendar.yahoo.com/ws/v3/users/\n* https://caldav.calendar.yahoo.com/principals/users/\n* https://caldav.calendar.yahoo.com/dav/*/calendar/\n\n## Limits\nLimit traffic against our services to < 10/second when probing or testing.", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Finance", "description": "* [iOS](https://itunes.apple.com/us/app/yahoo-finance/id328412701?mt=8)\n* [Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.finance&hl=en_US)\n* *.finance.yahoo.com\n* OBI Premium Checkout: https://checkout.finance.yahoo.com/checkout/v1\n* API WebSockets Streaming Market Data: http://streamer.finance.yahoo.com\n* finance.mobile.yahoo.com\n* finance.query.yahoo.com", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo HK News", "description": "* [Yahoo HK News Android](https://play.google.com/store/apps/details?id=com.yahoo.infohub)\n* [Yahoo HK News iOS](https://itunes.apple.com/hk/app/yahoo%E6%96%B0%E8%81%9E-%E9%A6%99%E6%B8%AF%E5%8D%B3%E6%99%82%E7%84%A6%E9%BB%9E/id425655609?mt=8)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Mail", "description": "## In Scope\n* [Yahoo Mail (web)](https://mail.yahoo.com/)\n* [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)\n* [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)\n* [Yahoo Mail iOS](https://itunes.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159?mt=8)\n* [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)\n\n## Out of Scope:\n* mail.yahoo.com/cal/ (this is 
the same as `calendar.yahoo.com` and should be reported as Yahoo Calendar)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo News", "description": "* [Newsroom Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.yahoo)\n* [Newsroom iOS](https://itunes.apple.com/us/app/newsroom-news-that-gets-you-talking/id304158842?mt=8)\n* *.news.yahoo.com\n* yahoo.com/news", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Open Source Projects", "description": "Select open source projects are now eligible for bounties.\nThe [rest of our open source projects](https://developer.yahoo.com/opensource/projectindex/) are technically in scope, but at a reduced rate for the time being. \n ", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Search", "description": "* [Yahoo Search Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.search)\n* [Yahoo Search iOS](https://itunes.apple.com/us/app/yahoo-search/id361071600?mt=8)\n* [Yahoo Search (web)](https://search.yahoo.com/)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Best Ball", "description": "## In Scope ##\n* https://bestball.fantasysports.yahoo.com/\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Daily Fantasy", "description": "## In Scope ##\n* https://sports.yahoo.com/dailyfantasy/\n* https://sports.yahoo.com/dailyfantasy/contest/create\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Editorial", "description": "## In Scope ##\n* https://sports.yahoo.com/\n* https://api-secure.sports.yahoo.com\n\n ## Out of scope ##\n* shop.yahoosports.com (Third party)\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Games", "description": "## In Scope ##\n* https://sports.yahoo.com/fantasy/\n* [Fantasy Basketball](https://basketball.fantasysports.yahoo.com/)\n* [Fantasy Hockey](https://hockey.fantasysports.yahoo.com/)\n* [Fantasy User 
Profiles](https://profiles.sports.yahoo.com/)\n* [Fantasy Football](https://football.fantasysports.yahoo.com/) (out of season)\n* [Public cookie-based API endpoints](https://pub-api-ro.fantasysports.yahoo.com/) (used by some FE stacks)\n* [Public OAuth2 endpoints](https://fantasysports.yahooapis.com/)\n* tournament.fantasysports.yahoo.com\n\n ## Out of Scope ##\n* *.sendbird.com (Third Party, SendBird)\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Slate/PicknWin", "description": " ## In Scope ## \n* https://sports.yahoo.com/fantasyslate\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Sports", "description": " ## In Scope ## \n* [Yahoo Fantasy Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.fantasyfootball)\n* [Yahoo Fantasy Sports iOS](https://itunes.apple.com/us/app/yahoo-fantasy-sports/id328415391?mt=8)\n* [Yahoo Fantasy Sports (web)](https://sports.yahoo.com/fantasy/)\n* https://sports.yahoo.com/odds/\n\n ## Notes ## \nThe betting feature in Fantasy is provided by a third party, BetMGM. https://sports.yahoo.com/odds/, is the page from where it redirects the user to the BetMGM. 
This is geographically restricted.\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Fantasy Wallet", "description": " ## In Scope ## \n* https://sports.yahoo.com/dailyfantasy/account/addfunds\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Sports: Mobile", "description": " ## In Scope ## \n* [Yahoo Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.sportacular)\n* [Yahoo Sports iOS](https://itunes.apple.com/us/app/yahoo-sports-teams-scores-news-highlights/id286058814?mt=8)\n* *.protrade.com\n", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Video", "description": "* [Yahoo Video FireTV](https://www.amazon.com/Yahoo-for-Fire-TV/dp/B014X5UGPQ/)\n* [Yahoo Video tvOS](https://itunes.apple.com/us/app/yahoo-watch-free-live-concerts-sports-video-clips-and-more/id1046996690?mt=8)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo Weather", "description": "* [Yahoo Weather Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.weather)\n* [Yahoo Weather iOS](https://itunes.apple.com/us/app/yahoo-weather/id628677149?mt=8)\n* [Yahoo Weather (web)](https://www.yahoo.com/news/weather/)", "impact": "Tier 2" }, { "type": "other", "endpoint": "Yahoo! (Misc)", "description": "## Notes\nOnly use this asset when nothing else can be reasonably selected.\n\nBugs with Yahoo! that are not listed in scope of our other Yahoo-related assets can still be submitted to this asset and **_*might*_** be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.", "impact": "Tier 2" }, { "type": "url", "endpoint": "yimg.com", "description": "yimg is a resource storage and content distribution network (CDN).\n** Note: Reports submitted that exploit bugs only in the context of the `yimg.com` domain are most likely to be closed as `Informative`. 
Most bugs in `*.yimg.com` will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains (e.g. yahoo.com or aol.com) to be eligible for bounty. CVSS Environmental scores have been set to account for this limitation.**\n\nWhat does that mean for my report?\n1. If you show escalation into a trusted domain's context (such as yahoo.com) it will be accepted at 100% bounty rate. A bonus may be applied for different instances within the trusted domain list only; not for other instances of vulnerabilities content on yimg.com.\n2. If you show execution in the context of *.yimg.com only, the vulnerability MAY be accepted by the business owner in some instances. In that case, a minimum bounty would be offered only if the content is removed. There are no \"same bug different host\" or other vulnerability grouping bonus offers for this asset.", "impact": "Tier 2" } ], "out_of_scope": [ { "type": "other", "endpoint": "Flurry", "description": "* [Flurry Android](https://play.google.com/store/apps/details?id=com.yahoo.flurry)\n* [Flurry iOS](https://itunes.apple.com/us/app/flurry-analytics/id1079687315?mt=8)\n* *.flurry.com\n* monetization.flurry.com", "impact": "Out of scope" }, { "type": "other", "endpoint": "TW eCommerce: Store", "description": "## In Scope\n* [Yahoo TW Store Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecstore)\n* [Yahoo TW Store iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B6%85%E7%B4%9A%E5%95%86%E5%9F%8E/id778296354?mt=8)\n* Yahoo TW Store\n * *.tw.mall.yahoo.com\n * m.mall.yahoo.com\n * Web: https://tw.mall.yahoo.com/\n * Mobile Web: https://m.tw.mall.yahoo.com/\n * API: https://tw.ews.mall.yahooapis.com/\n* Search API: tw.search.ec.yahoo.com\n\n## Out of Scope\n* *.yahoo.com.tw", "impact": "Out of scope" } ] } }, { "id": "f8b4efd3-7722-40b1-8a96-faedf489c9d5", "name": "Zabka Group Vulnerability Disclosure Program", "company_handle": 
"zabkapolska", "handle": "zabkagroup-vdp", "url": "https://www.intigriti.com/programs/zabkapolska/zabkagroup-vdp/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.zabka.pl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://delio.com.pl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://dietly.pl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://jush.pl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://lite.tech", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://maczfit.pl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://masterlifecrm.com", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://zabka.pl", "description": null, "impact": "No Bounty" }, { "type": "url", "endpoint": "https://zabkagroup.com", "description": null, "impact": "No Bounty" }, { "type": "other", "endpoint": "Mobile applications", "description": "[Żabka Jush Android](https://play.google.com/store/apps/details?id=pl.jush.app)\n[Żabka Jush iOS](https://apps.apple.com/pl/app/%C5%BCabka-jush-zakupy-z-dostaw%C4%85/id1585639034)\n[Bink Android](https://play.google.com/store/apps/details?id=app.lite.bink)\n[Maczfit Android](https://play.google.com/store/apps/details?id=com.maczfit.app2)\n[Maczfit iOS](https://apps.apple.com/pl/app/maczfit/id1519195072)\n[MaczDostawca Android](https://play.google.com/store/apps/details?id=pl.maczfit.maczdostawca2)\n[MaczDostawca iOS](https://apps.apple.com/pl/app/maczdostawca/id1621061172?)\n[Dietly Android](https://play.google.com/store/apps/details?id=com.dietly.panel)\n[Dietly 
iOS](https://apps.apple.com/pl/app/dietly/id1642713520)\n[Cyberstore Android](https://play.google.com/store/apps/details?id=pl.zabka.cyberstore&hl=pl)", "impact": "No Bounty" } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.zabka-snrs.zabka.pl", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "195.94.213.80 - 195.94.213.95", "description": null, "impact": "Out of scope" }, { "type": "iprange", "endpoint": "217.153.50.112 - 217.153.50.127", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "Żabka Nano stores", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "zabka-snrs.zabka.pl", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "https://foodziki.zabka.pl", "description": null, "impact": "Out of scope" } ] } }, { "id": "a09e497e-fd75-4b56-afa0-7a6689389b76", "name": "e-tracker", "company_handle": "bpost", "handle": "e-tracker", "url": "https://www.intigriti.com/programs/bpost/e-tracker/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 0, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "url", "endpoint": "https://etracker.bpost.cloud/pro", "description": null, "impact": "No Bounty" } ], "out_of_scope": [] } }, { "id": "cefc1013-9927-4e4a-b306-e5d57f06d34a", "name": "eHealth Hub VZN KUL", "company_handle": "uz leuven", "handle": "ehealthhub&meta-hubvznkul", "url": "https://www.intigriti.com/programs/uz%20leuven/ehealthhub%26meta-hubvznkul/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 2000, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "hub.vznkul.be/* ", "description": null, "impact": "Tier 2" }, { "type": "url", 
"endpoint": "hub.vznkul.be/services/interhub/InterHubService", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "hub.vznkul.be/services/intrahub/IntraHubService", "description": null, "impact": "Tier 2" }, { "type": "wildcard", "endpoint": "hubacc.vznkul.be/*", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "hubacc.vznkul.be/services/acceptance/interhub/InterHubService", "description": null, "impact": "Tier 2" }, { "type": "url", "endpoint": "hubacc.vznkul.be/services/acceptance/intrahub/IntraHubService", "description": null, "impact": "Tier 2" } ], "out_of_scope": [ { "type": "url", "endpoint": "www.vznkul.be", "description": null, "impact": "Out of scope" } ] } }, { "id": "6558543a-236f-4e98-91a3-4536e39b9c1e", "name": "intigriti", "company_handle": "intigriti", "handle": "intigriti", "url": "https://www.intigriti.com/programs/intigriti/intigriti/detail", "status": "open", "confidentiality_level": "public", "tacRequired": false, "twoFactorRequired": false, "min_bounty": { "value": 0, "currency": "EUR" }, "max_bounty": { "value": 13337, "currency": "EUR" }, "targets": { "in_scope": [ { "type": "wildcard", "endpoint": "*.pwn.intigriti.rocks", "description": "This is our test (PWN) environment that replicates production.", "impact": "Tier 2" }, { "type": "url", "endpoint": "www.intigriti.com", "description": "This is our marketing website.", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "*.intigriti.me", "description": "Asset used for our [mail-forwarding system](https://kb.intigriti.com/en/articles/2642598-intigriti-me-email-alias)", "impact": "Tier 3" }, { "type": "wildcard", "endpoint": "https://vpn.intigriti.rocks/*", "description": "This is based on an open source project which you can find here: https://wgportal.org/latest/", "impact": null } ], "out_of_scope": [ { "type": "wildcard", "endpoint": "*.intigriti.io", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": 
"*.intigriti.net", "description": null, "impact": "Out of scope" }, { "type": "other", "endpoint": "any intigriti CTF or challenge", "description": null, "impact": "Out of scope" }, { "type": "wildcard", "endpoint": "*.intercom.io", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "autodiscover.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "careers.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "click.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "go.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "kb.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "mail.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "newsletter.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "status.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "swag.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "trust.intigriti.com", "description": null, "impact": "Out of scope" }, { "type": "url", "endpoint": "posthog.intigriti.com", "description": "PostHog proxy: https://posthog.com/docs/advanced/proxy\nAlso, the PostHog token is meant to be publicly available; see: https://posthog.com/docs/api\n\nPlease don't test against this subdomain, since you would be directly testing PostHog, which we don't control.", "impact": "Out of scope" }, { "type": "other", "endpoint": "our hubspot pages (/hs-fs/, /hubfs/, /hs/, /_hcms/, landing/, report/, webinar/, /datasheet, /customer/, /video/...)", "description": null, "impact": "Out of scope" } ] } } ]
