Except for subdomains managed by third parties, such as help.quora.com, careers.quora.com, and business.quora.com.
- This site uses pixiv account (signup at https://accounts.pixiv.net).
- PC: https://pastela.app
- iPadOS: https://apps.apple.com/app/pastela/id6478907270
Krisp Windows electron app.
Bypassing free minutes limitation via changing frontend applications' logic is out of scope
Krisp MacOS electron app.
Bypassing free minutes limitation via changing frontend applications' logic is out of scope
We are introducing a new testing scope for our Hosting Infrastructure tailored for WordPress websites.
Portal for management of your 8x8 account, billing, orders, and support cases
⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
1- Check if you can pass the two authentications provided by Secure Gateway mobile APP, Try any possible way to login without receiving the code, or try brute force the code or pass the rate limit.
2- Check if you can pass upload prevention system, try any file extension out of the list (jpg,jpeg,png,gif,jfif,mp4,doc,docx,pdf,xls,xlsx,ppsx,ppt,pptx,flv,rar,zip,htm,html) And the file you uploaded should function in a browser when visiting the file.
3- Check whether you can pass the Secure Gateway upload detector system, for example upload '.jpg' file It has the word [php_uname] in the file content (not in file name).
Instructions
For 2FA, you need to install 'Secure Gateway' APP on your phone to get onetime a code. Secure Gateway APP can be downloaded by clicking on the link below.
For Apple Devices
https://apps.apple.com/us/app/secure-gateway/id1633721151
For Android Devices
https://play.google.com/store/apps/details?id=com.alscotoday.SecureGateway
Then contact us to provide you with a test account to login to Secure Gateway APP.
Guidelines:
1-Only full hack scenario will be accepted, e.g., edit the index page, or download the database.
2-Upload html file contain JavaScript are not considered as vulnerability, Unless you can change an index page, database or file on our system.
3-A recorded video must be included with every report submitted.
4- If you don't follow these guidelines we will not award a bounty for the report.
5-Business logic errors and misconfigurations are out of scope, but you are welcome to submit reports.
Required Reporting Format
Affected target, feature, or URL:
Description of problem:
Impact of the issue:
Steps to reproduce:
Proof of Concept:
Is knowledge of this issue currently public?
Only complete hacking scenarios will be accepted; otherwise, the report will be closed.
Any report that does not follow these guidelines will be rejected and closed.
While demo.dynamic.xyz is set to low severity, do note that we consider reports where using demo.dynamic.xyz to expose an issue with the backend api (https://app.dynamic.xyz and https://app.dynamicauth.com) to be critical.
For example, any issues that are specific to demo only are considered low.
Please refer to Photoshop Web Test Plan on how to access/test the environment.
Please refer to Adobe Learning Manager Test Plan on how to access/test the environment.
Please refer to ColdFusion Test Plan on how to access/test the environment.
Includes:
*.gs.de
*.gsmarkets.de
*.gsmarkets.nl
*.gsmarkets.at
*.gsmarkets.be
Excludes the 3rd party hosted site:
classic.gs.de
In scope sites may display a page overlay to US visitors which can be hidden using an adblocker like uBlock Origin
▶︎ https://partnerxchange.8x8.com/
▶︎ https://8x8.my.site.com/partnerxchange/
▶︎ https://8x8.force.com/partnerxchange/
⚠️ out of scope: Disclosure of non-sensitive information, such as `Name`, `City`, etc.
⚠️ out of scope: `ContentDocument` if considered non-sensitive (e.g. marketing collateral)
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
8x8 Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple 8x8 applications.
⚠️ MFA-bypasses requiring prior knowledge of credentials will be treated with `MEDIUM` severity.
8x8 Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple 8x8 applications.
⚠️ MFA-bypasses requiring prior knowledge of credentials will be treated with `MEDIUM` severity.
** Critical Site **
Mozilla Ad Routing Service (MARS) under the below domains:
- mars.prod.ads.prod.webservices.mozgcp.net
- mars.stage.ads.nonprod.webservices.mozgcp.net
- mars.qa.ads.nonprod.webservices.mozgcp.net
- ads-img.mozilla.org
- ads-img.allizom.org
- contile.services.mozilla.com
- spocs.getpocket.com
- spocs.getpocket.dev
- spocs.mozilla.net
- spocs.allizom.net
Testing to be done on the staging instance:
- mars.stage.ads.nonprod.webservices.mozgcp.net
These domains shouldn't be accessible, so if you're able to get a 200 response and get the actual page contents and not something like "You need to enable JavaScript to run this app. ", please don't hesitate to submit a report.
https://app.bitrise.io/app/5bec038cb1e318cd/build/66388a74-e438-4122-9d61-b32c26bbe8c9/artifact/2056514eda872997/p/789676b08317aea2499d7696845b40cf
https://app.bitrise.io/app/5bec038cb1e318cd/build/2d02c60d-2969-44c6-b107-455271135ac3/artifact/039822d285b5f226/p/e73d97370b6c1a453423fedba7b312f6
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
## Exploring our repository:
- Blockchain: Manages the blockchain structure, block validation, and chain state.
- Consensus: Implements the consensus mechanism and synchronization.
- Validator: Contains logic for the validator role, including signing and verification processes.
- Primitives: Includes fundamental types and utilities used across other crates, such as data structures for accounts, blocks, transactions, and various cryptographic functions.
## Quick start:
- Prerequisites:
- Install the latest version of Rust by following the instructions on the [Rust website](https://www.rust-lang.org/learn/get-started#installing-rust).
- Installation:
- Clone the Repository: `git clone https://github.com/nimiq/core-rs-albatross.git`
- Move to the Repository: `cd core-rs-albatross`
- Build the project and start a basic full node: `cargo run --release --bin nimiq-
client`
For more details, check the repository [Reame file](https://github.com/nimiq/core-rs-albatross/blob/albatross/README.md).
Customer Experience and Post-Call Survey Analytics
front-end, e.g.: https://vcc-ce.8x8.com/analytix/rt-dashboard.htm
Analytics for Contact Center
⚠️ shareable Wallboard links are out of scope
[Non-core asset]
Reddit maintains a SFDC tenant for customer management for our advertisers. SFDC bugs aren't eligible for payout, but misconfigurations that are Reddit's responsibility are.
The User Storage API helps developers synchronize data across multiple clients and devices in a privacy-preserving way. All data saved in the user storage database is encrypted client-side to preserve privacy.
Documentation can be found in this [Doc](https://docs.google.com/document/u/1/d/e/2PACX-1vRzlbxKTKQ4x8mvUEUs8hv-fcGsi0W717Pbg2_Rk3lcoM5PuSCI66JUWaWdL_Vz0GNMbZU4aYaC2rcQ/pub)
The Authentication component is used to provide MetaMask users services that require to be logged in and/or identified.
It is comprised of an Authentication API at: https://authentication.api.cx.metamask.io/ and an ORY Hydra OAuth server at: https://oidc.api.cx.metamask.io.
Documentation can be found in this [Doc]( https://docs.google.com/document/u/1/d/e/2PACX-1vRzlbxKTKQ4x8mvUEUs8hv-fcGsi0W717Pbg2_Rk3lcoM5PuSCI66JUWaWdL_Vz0GNMbZU4aYaC2rcQ/pub)
▶︎ API usage via sign-up on [8x8 Connect](https://connect.8x8.com/login/signup)
▶︎ Usage is described in [8x8 CPaaS developer portal](https://developer.8x8.com/connect)
▶︎ All related APIs under `8x8 Connect` (e.g. SMS API, Verification API, Chatapps API, Voice API, …) are in-scope
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
⚠️ out of scope: IDORs based on `AccountId` and `subAccountId`
⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum
► Contact Center Agent Workspace:
`./AGUI/login.php`
► Configuration Manager:
`./CM/login.php`
⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/
⚠️ shareable Wallboard links are out of scope
Administration portal for managing your 8x8 service including users and telephony features
Except for subdomains managed by third parties, such as help.quora.com, careers.quora.com, and business.quora.com.
- This site uses pixiv account (signup at https://accounts.pixiv.net).
- PC: https://pastela.app
- iPadOS: https://apps.apple.com/app/pastela/id6478907270
Krisp Windows electron app.
Bypassing free minutes limitation via changing frontend applications' logic is out of scope
Krisp MacOS electron app.
Bypassing free minutes limitation via changing frontend applications' logic is out of scope
Except for OOS domains
Krisp API
Teams API
Download endpoints
Krisp analytics
Websocket API
Krisp account frontend
Krisp account frontend
We are introducing a new testing scope for our Hosting Infrastructure tailored for WordPress websites.
Portal for management of your 8x8 account, billing, orders, and support cases
⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
1- Check if you can pass the two authentications provided by Secure Gateway mobile APP, Try any possible way to login without receiving the code, or try brute force the code or pass the rate limit.
2- Check if you can pass upload prevention system, try any file extension out of the list (jpg,jpeg,png,gif,jfif,mp4,doc,docx,pdf,xls,xlsx,ppsx,ppt,pptx,flv,rar,zip,htm,html) And the file you uploaded should function in a browser when visiting the file.
3- Check whether you can pass the Secure Gateway upload detector system, for example upload '.jpg' file It has the word [php_uname] in the file content (not in file name).
Instructions
For 2FA, you need to install 'Secure Gateway' APP on your phone to get onetime a code. Secure Gateway APP can be downloaded by clicking on the link below.
For Apple Devices
https://apps.apple.com/us/app/secure-gateway/id1633721151
For Android Devices
https://play.google.com/store/apps/details?id=com.alscotoday.SecureGateway
Then contact us to provide you with a test account to login to Secure Gateway APP.
Guidelines:
1-Only full hack scenario will be accepted, e.g., edit the index page, or download the database.
2-Upload html file contain JavaScript are not considered as vulnerability, Unless you can change an index page, database or file on our system.
3-A recorded video must be included with every report submitted.
4- If you don't follow these guidelines we will not award a bounty for the report.
5-Business logic errors and misconfigurations are out of scope, but you are welcome to submit reports.
Required Reporting Format
Affected target, feature, or URL:
Description of problem:
Impact of the issue:
Steps to reproduce:
Proof of Concept:
Is knowledge of this issue currently public?
Only complete hacking scenarios will be accepted; otherwise, the report will be closed.
Any report that does not follow these guidelines will be rejected and closed.
While demo.dynamic.xyz is set to low severity, do note that we consider reports where using demo.dynamic.xyz to expose an issue with the backend api (https://app.dynamic.xyz and https://app.dynamicauth.com) to be critical.
For example, any issues that are specific to demo only are considered low.
Please refer to Photoshop Web Test Plan on how to access/test the environment.
Please refer to Adobe Learning Manager Test Plan on how to access/test the environment.
Please refer to ColdFusion Test Plan on how to access/test the environment.
Includes:
*.gs.de
*.gsmarkets.de
*.gsmarkets.nl
*.gsmarkets.at
*.gsmarkets.be
Excludes the 3rd party hosted site:
classic.gs.de
In scope sites may display a page overlay to US visitors which can be hidden using an adblocker like uBlock Origin
▶︎ https://partnerxchange.8x8.com/
▶︎ https://8x8.my.site.com/partnerxchange/
▶︎ https://8x8.force.com/partnerxchange/
⚠️ out of scope: Disclosure of non-sensitive information, such as `Name`, `City`, etc.
⚠️ out of scope: `ContentDocument` if considered non-sensitive (e.g. marketing collateral)
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
8x8 Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple 8x8 applications.
⚠️ MFA-bypasses requiring prior knowledge of credentials will be treated with `MEDIUM` severity.
8x8 Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple 8x8 applications.
⚠️ MFA-bypasses requiring prior knowledge of credentials will be treated with `MEDIUM` severity.
** Critical Site **
Mozilla Ad Routing Service (MARS) under the below domains:
- mars.prod.ads.prod.webservices.mozgcp.net
- mars.stage.ads.nonprod.webservices.mozgcp.net
- mars.qa.ads.nonprod.webservices.mozgcp.net
- ads-img.mozilla.org
- ads-img.allizom.org
- contile.services.mozilla.com
- spocs.getpocket.com
- spocs.getpocket.dev
- spocs.mozilla.net
- spocs.allizom.net
Testing to be done on the staging instance:
- mars.stage.ads.nonprod.webservices.mozgcp.net
These domains shouldn't be accessible, so if you're able to get a 200 response and get the actual page contents and not something like "You need to enable JavaScript to run this app. ", please don't hesitate to submit a report.
https://app.bitrise.io/app/5bec038cb1e318cd/build/66388a74-e438-4122-9d61-b32c26bbe8c9/artifact/2056514eda872997/p/789676b08317aea2499d7696845b40cf
https://app.bitrise.io/app/5bec038cb1e318cd/build/2d02c60d-2969-44c6-b107-455271135ac3/artifact/039822d285b5f226/p/e73d97370b6c1a453423fedba7b312f6
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
## Exploring our repository:
- Blockchain: Manages the blockchain structure, block validation, and chain state.
- Consensus: Implements the consensus mechanism and synchronization.
- Validator: Contains logic for the validator role, including signing and verification processes.
- Primitives: Includes fundamental types and utilities used across other crates, such as data structures for accounts, blocks, transactions, and various cryptographic functions.
## Quick start:
- Prerequisites:
- Install the latest version of Rust by following the instructions on the [Rust website](https://www.rust-lang.org/learn/get-started#installing-rust).
- Installation:
- Clone the Repository: `git clone https://github.com/nimiq/core-rs-albatross.git`
- Move to the Repository: `cd core-rs-albatross`
- Build the project and start a basic full node: `cargo run --release --bin nimiq-
client`
For more details, check the repository [Reame file](https://github.com/nimiq/core-rs-albatross/blob/albatross/README.md).
Quality Management & Speech Analytics
Customer Experience and Post-Call Survey Analytics
front-end, e.g.: https://vcc-ce.8x8.com/analytix/rt-dashboard.htm
Analytics for Contact Center
⚠️ shareable Wallboard links are out of scope
Analytics for 8x8 Work
Tier 1
[Non-core asset]
Reddit maintains a SFDC tenant for customer management for our advertisers. SFDC bugs aren't eligible for payout, but misconfigurations that are Reddit's responsibility are.
The User Storage API helps developers synchronize data across multiple clients and devices in a privacy-preserving way. All data saved in the user storage database is encrypted client-side to preserve privacy.
Documentation can be found in this [Doc](https://docs.google.com/document/u/1/d/e/2PACX-1vRzlbxKTKQ4x8mvUEUs8hv-fcGsi0W717Pbg2_Rk3lcoM5PuSCI66JUWaWdL_Vz0GNMbZU4aYaC2rcQ/pub)
The Authentication component is used to provide MetaMask users services that require to be logged in and/or identified.
It is comprised of an Authentication API at: https://authentication.api.cx.metamask.io/ and an ORY Hydra OAuth server at: https://oidc.api.cx.metamask.io.
Documentation can be found in this [Doc]( https://docs.google.com/document/u/1/d/e/2PACX-1vRzlbxKTKQ4x8mvUEUs8hv-fcGsi0W717Pbg2_Rk3lcoM5PuSCI66JUWaWdL_Vz0GNMbZU4aYaC2rcQ/pub)
▶︎ API usage via sign-up on [8x8 Connect](https://connect.8x8.com/login/signup)
▶︎ Usage is described in [8x8 CPaaS developer portal](https://developer.8x8.com/connect)
▶︎ All related APIs under `8x8 Connect` (e.g. SMS API, Verification API, Chatapps API, Voice API, …) are in-scope
⚠️ out of scope: IDORs in form of unguessable/non-enumerable identifier (UUID)
⚠️ out of scope: IDORs based on `AccountId` and `subAccountId`
⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum
► Contact Center Agent Workspace:
`./AGUI/login.php`
► Configuration Manager:
`./CM/login.php`
⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/
⚠️ shareable Wallboard links are out of scope
Administration portal for managing your 8x8 service including users and telephony features