**Critical Site**
Mozilla Accounts (previously known as Firefox Accounts)
Additional domains in scope for Firefox Accounts:
* api.accounts.firefox.com
* oauth.accounts.firefox.com
* profile.accounts.firefox.com
* verifier.accounts.firefox.com
* graphql.accounts.firefox.com
* subscriptions.firefox.com
Source Code: https://github.com/mozilla/fxa
By visiting this domain you will be redirected to our blog at [cs.money/blog/](https://cs.money/blog/). This is a web application built on WordPress.
Out of Scope
WordPress Core Vulnerabilities
Any vulnerabilities resulting from bugs or shortcomings in the WordPress core itself (e.g., issues with form validation, incorrect API implementations, vulnerabilities in the base architecture of WordPress, etc.).
This also includes cases where an outdated and potentially vulnerable version of WordPress is being used.
Plugin Vulnerabilities
Vulnerabilities in third-party or built-in WordPress plugins that extend the blog's functionality (e.g., SEO plugins, contact form plugins, etc.).
Also included are configuration errors or flaws that are directly related to issues within the plugin itself.
Theme Vulnerabilities
Vulnerabilities associated with custom or default WordPress themes (e.g., broken or unsafe layout structure, vulnerable JavaScript or PHP files within the theme, templating issues, etc.).
Any flaws in the operation of themes (standard or custom) that may lead to site compromise via known or outdated theme components are considered out of scope.
Version Conflicts or WordPress Setup Issues
All cases where the problem stems solely from an improperly installed or conflicting version of WordPress and can be resolved by updating or switching to another version.
Manual Installation or Modification of WordPress
Vulnerabilities that require manual code changes to the WordPress core, or installing/configuring third-party plugins or themes solely to reproduce the issue.
**Core Site**
Please use the staging instance for intrusive tests or for tests which change the content: https://developer.allizom.org
Source Code:
Main application: https://github.com/mdn/mdn
Repos under https://github.com/mdn
Open source repositories that support [Jitsi](https://github.com/jitsi/).
Jitsi Meet offers free, secure and open-source video conferencing.
⚠️ Good faith review of source: a reporter must have no association with the existence of the vulnerability in question.
**Proof of Concept Requirements:**
⚠️ Vulnerability submissions must include practical exploitation demonstrations on one of the following environments:
▶︎ The public Jitsi Meet instance ([meet.jit.si](https://meet.jit.si/))
▶︎ 8x8 Video Meetings platform ([8x8.vc](https://8x8.vc/))
▶︎ A self-hosted Jitsi deployment
**Out of Scope:**
▶︎ Not actively maintained or archived repositories
▶︎ [github.com/jitsi/jitsi](https://github.com/jitsi/jitsi/)
[Jitsi Desktop](https://github.com/jitsi/jitsi/) is the heritage of [Jitsi Meet](https://github.com/jitsi/jitsi-meet). While some components are still used in e.g. Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions.
Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. We are best known for our Jitsi Meet video conferencing platform, [meet.jit.si](https://meet.jit.si/) where we host a Jitsi Meet instance that the community can use for totally free video conferences, and the Jitsi Videobridge that powers all of our multi-party video capabilities.
**Out of Scope:**
⚠️ Application logic bugs or non-production features in [beta.meet.jit.si](https://beta.meet.jit.si/)
Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. We are best known for our Jitsi Meet video conferencing platform.
**Out of Scope:**
⚠️ Application logic bugs or non-production features in [moderated-pilot.jitsi.net](https://moderated-pilot.jitsi.net/)
Only Critical reports will be accepted and paid
Please use @wearehackerone.com for test accounts.
Website available only from Serbia.
Website available only from Belgium
You need a real/fake Belgium ID to register an account on the main casino/sport app. You can generate a fake ID here - http://rsolution.be/rijksregister-nummer-generator.RSolution
Website available only from Poland
For our main application, superbet.ro, you can use a Romanian fake CNP generator, such as https://isj.educv.ro/cnp/, to create an account. Make sure you are using a Romanian VPN, as the portal works only for Romanian IPs.
Or use a test account from this list (some of them might not work, so try multiple ones):
hackeronesuperbet02 - jV%J5ypt9mJVe$
hackeronesuperbet03 - CSK2ZhG3LetSD8O
hackeronesuperbet04 - qKSi52$YkdXv58
hackeronesuperbet05 - ZgZc9jbgZ82Bh&
hackeronesuperbet06 - !u#^ogsrh9vt9N
● Please add the following User-Agent header when you are using any automated tools or scripts: `User-agent: hackerone`. Requests that do not contain this header might get blocked by our tools/SOC team.
Website available only for Brazil.
hackeronesuperbet01 - 7Es3tkFrDaUfw#
hackeronesuperbet02 - &$6i@Co$iMcn&S
hackeronesuperbet03 - Uz5S#Eu32@w4yQ
hackeronesuperbet04 - xb9^^aTAw83Ec&
hackeronesuperbet05 - m54C9u^%J87oie
hackeronesuperbet07 - jFat!DHhn4XcpL
hackeronesuperbet08 - sc#N9w7Dx*76^X
hackeronesuperbet09 - R6ifcvTZTv%v%Y
Here is the link to purchase an Arduino Hardware: https://store-usa.arduino.cc/products/nano-matter
https://github.com/SiliconLabs/arduino
Submissions are limited to issues discovered on matter nano boards listed above.
Alpha quality code and not part of the program
[Priceline iOS App](https://apps.apple.com/us/app/priceline-hotel-travel-deals/id336381998)
https://www.priceline.com/penny
**Rezserver API**
_Policy Guidance_
We are not currently providing credentials for this asset.
_Rules_
- Don't use automated tools or scanners
- Don't DDoS
_Out of scope vulnerabilities_
- Missing best practices in HTTP header configuration.
- Any activity that could lead to the disruption of our service (DoS)
- Missing best practices in SSL/TLS configuration
- Account/email enumeration issues
- Disclosure of software version numbers (we maintain forks of several tools, and apply security patches accordingly)
- Content Spoofing/Text Injection that cannot be leveraged for XSS or sensitive data disclosure
_Endpoints out of scope_
- Hotel: BookRequest
- Air: All endpoints
- Car: All endpoints
- Custom: All endpoints
Android, iOS, and Chrome Extension versions of the wallet share a common codebase. Submissions will be deduplicated across each asset.
*.taralite.com has been rebranded as OVO Finansial
The Support Tool troubleshoots and repairs issues with Malwarebytes Desktop Security for Windows devices.
Product page: https://help.malwarebytes.com/hc/en-us/articles/31589431159579-Repair-Desktop-Security-with-the-Support-Tool
HungryGoWhere is a food discovery platform that helps users explore dining options, reviews, and deals, primarily in Singapore.
MoveIt is an independent two-wheeler taxi platform serving the Philippines.
⚠️ **Temporary Scope Exclusion**: campaign.wavecell.com, contacts.8x8.com
---
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
⚠️ out of scope: IDORs based on `AccountId` and `subAccountId`
⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum
This is our static documentation website.