Dashboard


Recent Scopes (30 days or less)

Target: Grab
  • Asset type: URL
  • Asset identifier: kartaview.org
  • Max severity: medium
  • Updated at: July 4, 2025, 3:50 a.m.
  • Instructions:

    Any finding related to https://3d.kartaview.org is considered out-of-scope.

Target: Visa
  • Asset type: URL
  • Asset identifier: www.visa.co.nz
  • Max severity: critical
  • Updated at: July 3, 2025, 5:54 p.m.
Target: Newegg
  • Asset type: URL
  • Asset identifier: sellingpilot.com
  • Max severity: critical
  • Updated at: July 1, 2025, 5:23 p.m.
Target: Coda
  • Asset type: URL
  • Asset identifier: coda.grammarly.com
  • Max severity: critical
  • Updated at: July 1, 2025, 1:16 p.m.
  • Instructions:

    Grammarly Coda AI Editor

Target: pixiv
  • Asset type: URL
  • Asset identifier: sketch.pixiv.net
  • Max severity: critical
  • Updated at: July 1, 2025, 6:09 a.m.
  • Instructions:

    /lives/ is out of scope because it is scheduled to be discontinued.

    * This site is in Japanese.
    * This site uses pixiv account (signup at https://accounts.pixiv.net).
    * PC: https://sketch.pixiv.net/
    * iOS: https://itunes.apple.com/app/pixiv-sketch/id991334925
    * Android: https://play.google.com/store/apps/details?id=jp.pxv.android.sketch

Target: Shopify
  • Asset type: OTHER
  • Asset identifier: Shopify Third Party Apps
  • Max severity: medium
  • Updated at: June 27, 2025, 1:44 p.m.
  • Instructions:

    Environment: Non-core

    Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.

Target: Shopify
  • Asset type: OTHER
  • Asset identifier: Shopify Third Party Store
  • Max severity: medium
  • Updated at: June 27, 2025, 1:43 p.m.
  • Instructions:

    Environment: Non-core

    You may only test against shops you have created.

Target: Shopify
  • Asset type: WILDCARD
  • Asset identifier: *.shopify.com
  • Max severity: medium
  • Updated at: June 27, 2025, 1:39 p.m.
  • Instructions:

    Environment: Non-core

    Reports involving *.shopify.com are reviewed on a per-case basis for bounty eligibility; this includes shopifycompass.com. Any services operated by a third party without a proof of concept demonstrating impact on *.myshopify.com users will likely be ineligible for a bounty.

Target: Shopify
  • Asset type: SOURCE_CODE
  • Asset identifier: https://github.com/Shopify/*
  • Max severity: medium
  • Updated at: June 27, 2025, 1:38 p.m.
  • Instructions:

    Environment: Non-core

    Public repositories available under the Shopify organization in Github.

Target: Shopify
  • Asset type: WILDCARD
  • Asset identifier: *.shopify.io
  • Max severity: medium
  • Updated at: June 27, 2025, 1:35 p.m.
  • Instructions:

    Environment: Non-core

    *.shopify.io may include developer test or third party applications. If you are unsure about a domain and it looks like a test or third party application, please email us at bugbounty@shopify.com before spending time on it.

Target: Shopify
  • Asset type: WILDCARD
  • Asset identifier: *.shopifycloud.com
  • Max severity: medium
  • Updated at: June 27, 2025, 1:34 p.m.
  • Instructions:

    Environment: Non-core

    *.shopifycloud.com may include developer test or third party applications. For example, devdegree*.shopifycloud.com, vendorvoice.shopifycloud.com, nsolid-test-console.shopifycloud.com. These types of domains are not considered in scope and reports pertaining to them will be closed Informative. If you are unsure about a domain and it looks like a test application, please email us at bugbounty@shopify.com before spending time on it.

Target: Shopify
  • Asset type: OTHER
  • Asset identifier: Shopify Developed Apps
  • Max severity: medium
  • Updated at: June 27, 2025, 1:34 p.m.
  • Instructions:

    Environment: Non-core

    Shopify apps and sales channels means everything installed via the following link https://apps.shopify.com/collections/made-by-shopify

Target: Shopify
  • Asset type: URL
  • Asset identifier: shopifyinbox.com
  • Max severity: medium
  • Updated at: June 27, 2025, 1:33 p.m.
  • Instructions:

    Environment: Non-core

Target: Shopify
  • Asset type: URL
  • Asset identifier: linkpop.com
  • Max severity: medium
  • Updated at: June 27, 2025, 1:31 p.m.
  • Instructions:

    Environment: Non-core

Target: Shopify
  • Asset type: WILDCARD
  • Asset identifier: *.shopifykloud.com
  • Max severity: medium
  • Updated at: June 27, 2025, 1:30 p.m.
  • Instructions:

    Environment: Non-core

    Shopify Kloud includes all *.shopifykloud.com applications. Please note, there may be developer test or third party applications launched on the domain which may have low security implications for Shopify. If you are unsure about a subdomain on *.shopifykloud.com and it looks like a test application, email us at bugbounty AT shopify.com before spending time on it.

Target: Shopify
  • Asset type: URL
  • Asset identifier: accounts.shopify.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:30 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: URL
  • Asset identifier: admin.shopify.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:28 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: URL
  • Asset identifier: your-store.myshopify.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:28 p.m.
  • Instructions:

    Environment: Core

    Your development store hosted at `*.myshopify.com`. Create a development store by signing up at https://partners.shopify.com/

Target: Shopify
  • Asset type: WILDCARD
  • Asset identifier: *.pci.shopifyinc.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:27 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: URL
  • Asset identifier: partners.shopify.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:26 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: URL
  • Asset identifier: shop.app
  • Max severity: critical
  • Updated at: June 27, 2025, 1:25 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: URL
  • Asset identifier: arrive-server.shopifycloud.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:24 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: WILDCARD
  • Asset identifier: *.shopifycs.com
  • Max severity: critical
  • Updated at: June 27, 2025, 1:22 p.m.
  • Instructions:

    Environment: Non-core

    Shopify's service for handling credit card data in a PCI compliant way.

Target: Shopify
  • Asset type: URL
  • Asset identifier: shopify.plus
  • Max severity: critical
  • Updated at: June 27, 2025, 1:21 p.m.
  • Instructions:

    Environment: Core

Target: Shopify
  • Asset type: OTHER
  • Asset identifier: Shopify Mobile Applications
  • Max severity: critical
  • Updated at: June 27, 2025, 1:21 p.m.
  • Instructions:

    Environment: Non-core

    Android: https://play.google.com/store/apps/dev?id=8929232438554100687
    iOS: https://itunes.apple.com/ca/developer/shopify-inc/id371294475

    Note: any services operated by a third party without a proof of concept demonstrating impact on Shopify users will likely be ineligible for a bounty.

Target: Temu
  • Asset type: URL
  • Asset identifier: seller.temu.com
  • Max severity: critical
  • Updated at: June 26, 2025, 12:43 p.m.
Target: Magic
  • Asset type: URL
  • Asset identifier: newton.xyz
  • Max severity: critical
  • Updated at: June 25, 2025, 3:45 p.m.
  • Instructions:

    Magic Labs has been engaged to manage the Magic Newton Foundation bug bounty for the Newton Protocol.

    Staking Contract: 0x8f0D9acBdf8Dbeea67af639CbC995a9767e14488
    Validator Contract: 0x3846a94F817AcB78fb983f8631E779e49cbE888f

Target: Playtika
  • Asset type: WILDCARD
  • Asset identifier: *.justfall.lol,*.justplay.lol,*.1v1.lol
  • Max severity: critical
  • Updated at: June 25, 2025, 10:39 a.m.
  • Instructions:

    Only critical issues

Target: Playtika
  • Asset type: OTHER
  • Asset identifier: 1v1.lol
  • Max severity: critical
  • Updated at: June 25, 2025, 10:39 a.m.
  • Instructions:

    Only critical issues

Target: Booking.com
  • Asset type: URL
  • Asset identifier: www.sustainability.booking.com
  • Max severity: critical
  • Updated at: June 24, 2025, 12:07 p.m.
Target: Booking.com
  • Asset type: URL
  • Asset identifier: cruises.booking.com
  • Max severity: critical
  • Updated at: June 24, 2025, 12:06 p.m.
  • Asset type: URL
  • Asset identifier: www.expedia-aarp.com
  • Max severity: critical
  • Updated at: June 24, 2025, 4:57 a.m.
Target: Eternal
  • Asset type: URL
  • Asset identifier: bistro-api.blinkit.com
  • Max severity: critical
  • Updated at: June 23, 2025, 6:41 a.m.
Target: Eternal
  • Asset type: APPLE_STORE_APP_ID
  • Asset identifier: 6670203019
  • Max severity: critical
  • Updated at: June 23, 2025, 6:30 a.m.
  • Instructions:

    Bistro by Blinkit: A mobile app offering instant food delivery

    https://apps.apple.com/in/app/bistro-food-in-minutes/id6670203019

Target: Eternal
  • Asset type: GOOGLE_PLAY_APP_ID
  • Asset identifier: com.blinkit.bistro
  • Max severity: critical
  • Updated at: June 23, 2025, 6:26 a.m.
  • Instructions:

    Bistro by Blinkit: A mobile app offering instant food delivery

    https://play.google.com/store/apps/details?id=com.blinkit.bistro

  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Asset identifier: Dia
  • Max severity: critical
  • Updated at: June 20, 2025, 4:34 p.m.
  • Asset type: URL
  • Asset identifier: world.org
  • Max severity: critical
  • Updated at: June 20, 2025, 11:21 a.m.
  • Instructions:

    **Secondary Asset**

    World Foundation-owned asset

  • Asset type: APPLE_STORE_APP_ID
  • Asset identifier: https://apps.apple.com/no/app/world-app-worldcoin-wallet/id1560859847
  • Max severity: critical
  • Updated at: June 20, 2025, 10:52 a.m.
  • Instructions:

    **Primary Asset**

    TFH-owned asset

  • Asset type: GOOGLE_PLAY_APP_ID
  • Asset identifier: https://play.google.com/store/apps/details?id=com.worldcoin
  • Max severity: critical
  • Updated at: June 20, 2025, 10:50 a.m.
  • Instructions:

    **Primary Asset**

    World App for Android. TFH-owned asset

Target: Malwarebytes
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Asset identifier: AdwCleaner
  • Max severity: critical
  • Updated at: June 20, 2025, 9:55 a.m.
  • Instructions:

    AdwCleaner, the world's most popular adware cleaner, finds and removes unwanted programs and junkware so your online experience stays optimal and hassle-free.

    Product page: https://www.malwarebytes.com/adwcleaner

    Documentation:
    https://help.malwarebytes.com/hc/en-us/categories/31589180730139-AdwCleaner

Target: SIX Group
  • Asset type: CIDR
  • Asset identifier: 193.109.229.0/24
  • Max severity: critical
  • Updated at: June 20, 2025, 7:54 a.m.
  • Instructions:

    ## Known Issues
    The following vulnerabilities have been identified and are currently being addressed. Reports of these issues will be closed as duplicates:
    - Cross-Site Scripting (XSS) vulnerabilities on `*.bmeinntech.es`.
      - This includes any reflected or stored XSS in input parameters on any endpoint within this domain.

Target: Payoneer
  • Asset type: URL
  • Asset identifier: myaccount.payoneer.com
  • Max severity: critical
  • Updated at: June 19, 2025, 8:10 a.m.
  • Instructions:

    Please sign up (self-registration) and use the following test accounts: @wearehackerone.com

Target: X / xAI
  • Asset type: WILDCARD
  • Asset identifier: *.twitter.biz
  • Max severity: critical
  • Updated at: June 17, 2025, 10:18 p.m.
  • Asset type: URL
  • Asset identifier: psp.marriott.com
  • Max severity: critical
  • Updated at: June 16, 2025, 6:02 p.m.
  • Asset type: URL
  • Asset identifier: https://github.com/rsksmart/rsk-powhsm/
  • Max severity: critical
  • Updated at: June 16, 2025, 1:07 p.m.
  • Instructions:

    ## Scope
    * Attacks that allow extracting the seed from the device, including but not limited to:
      * Gaining access to the device recovery mode without wiping the seed first.
      * Allowing the installation and use of arbitrary ledger apps without wiping the seed first.
    * Attacks that allow signing arbitrary hashes with the BTC key id.
    * Attacks that gain access to arbitrary BIP32 paths (either for signing or extracting the private key).
    * Attacks that allow the manipulation of the blockchain state's best block without the corresponding PoW.
    * Attacks that allow the manipulation of the blockchain state's ancestor block and/or ancestor receipts root without the corresponding proof of best block ancestry.
    * Attacks that fake an authentic attestation on a device running different versions of either the UI or Signer.
    * Attacks that allow producing an authentic attestation on a device with a pre-generated or well-known seed.
    * Attacks that lead the ledger into a DOS state without the need for physical device access. This does not mean the ledger device has an open external interface.
    * Attacks that lead the middleware manager into a DOS state without the need for physical access to the host. This does not mean the middleware has an open external interface.
    * Transactions in either the RSK or Bitcoin networks that may lead the powHSM into signing arbitrary pegouts or hashes.
    * Side channel attacks.
    * Supply chain attacks that have direct consequences on the production software.
    * Identification and reporting of vulnerabilities in the Ledger source code will be eligible for rewards after 90 days from the initial disclosure from Ledger.
    * Vulnerabilities discovered in the Ledger source code will be rewarded according to the general reward table specified for the bug bounty program, rather than the powHSM project reward table.
    * Vulnerabilities found in the Ledger source code will not qualify for the bonus reward associated with Remote Execution Code.

    ## Out of Scope
    * Vulnerabilities related to the ledger devices used by the rsk-powhsm; this includes their physical security.
    * Vulnerabilities that don't ultimately allow for the arbitrary or insecure use of any of the keys derived from the device seed.
    * Vulnerabilities in TCPSigner component, which is made solely for testing and fuzzing purposes.
    * Vulnerabilities located in code under the path `firmware/src/hal/src/x86/`, since it is code related to the TCPSigner component.
    * All code related to SGX is out of scope.

    Due to the complexity of the project, some of the points may be interpreted ambiguously; we therefore reserve the right to make a final decision on a report's relevance to the scope and its specified severity. Please reach out to us if you have any doubts about the scope.

Target: Stripe
  • Asset type: WILDCARD
  • Asset identifier: *.bridge.xyz
  • Max severity: critical
  • Updated at: June 16, 2025, 12:33 p.m.
  • Instructions:

    Stripe [acquired](https://stripe.com/ae/newsroom/news/stripe-completes-bridge-acquisition) Bridge in February 2025.

    Bridge does not currently have a self-service sign-up option. Scope for the bug bounty program is limited to researchers testing api.bridge.xyz ([documentation](https://apidocs.bridge.xyz/docs/api-summary)) or Dashboard ([login](https://dashboard.bridge.xyz/)) without credentials at this time. Because of this, the program is interested in potential authentication bypasses or vulnerabilities that surface without valid credentials. In the future, the program may expand to include credentialed testing.

    Other static content domains like Bridge's [marketing](https://www.bridge.xyz/) or [docs](https://apidocs.bridge.xyz/) site are out-of-scope.

Target: Dynatrace
  • Asset type: SOURCE_CODE
  • Asset identifier: https://github.com/Dynatrace
  • Max severity: critical
  • Updated at: June 16, 2025, 8:50 a.m.
  • Instructions:

    Please note that only the following repositories are in scope:
    - [OneAgent-Ansible](https://github.com/Dynatrace/Dynatrace-OneAgent-Ansible)
    - [configuration-as-code](https://github.com/Dynatrace/dynatrace-configuration-as-code)
    - [configuration-as-code-core](https://github.com/Dynatrace/dynatrace-configuration-as-code-core)
    - [dynatrace-operator](https://github.com/Dynatrace/dynatrace-operator)
    - [dynatrace-otel-collector](https://github.com/Dynatrace/dynatrace-otel-collector)
    - [heroku-buildpack-dynatrace](https://github.com/Dynatrace/heroku-buildpack-dynatrace)
    - [backstage-plugin](https://github.com/Dynatrace/backstage-plugin)
    - [swift-mobile-sdk](https://github.com/Dynatrace/swift-mobile-sdk)
    - [dynatrace-bootstrapper](https://github.com/Dynatrace/dynatrace-bootstrapper)
    - [OneAgent-SDK-for-Java](https://github.com/Dynatrace/OneAgent-SDK-for-Java)
    - [openkit-js](https://github.com/Dynatrace/openkit-js)
    - [agent-nodejs](https://github.com/Dynatrace/agent-nodejs)
    - [Log-Security-Rules-Checker](https://github.com/Dynatrace/Dynatrace-Log-Security-Rules-Checker)

    Do not perform any tests against [https://github.com](https://github.com/).

Target: MongoDB
  • Asset type: OTHER
  • Asset identifier: *.account.mongodb.com/*
  • Max severity: critical
  • Updated at: June 13, 2025, 2:01 p.m.
Target: HubSpot
  • Asset type: WILDCARD
  • Asset identifier: api*.hubapi.com
  • Max severity: critical
  • Updated at: June 12, 2025, 2:50 p.m.
Target: HubSpot
  • Asset type: WILDCARD
  • Asset identifier: api*.hubspot.com
  • Max severity: critical
  • Updated at: June 12, 2025, 2:49 p.m.
Target: HubSpot
  • Asset type: WILDCARD
  • Asset identifier: app*.hubspot.com
  • Max severity: critical
  • Updated at: June 12, 2025, 2:48 p.m.
Target: SIX Group
  • Asset type: CIDR
  • Asset identifier: 153.46.240.0/20
  • Max severity: critical
  • Updated at: June 12, 2025, 1:53 p.m.
  • Instructions:

    ## Known Issues

    The following vulnerabilities have been identified and are currently being addressed. Reports of these issues will be closed as duplicates:

    - Cross-Site Scripting (XSS) vulnerabilities on `secure.tkfweb.com`.
      - This includes any reflected or stored XSS in input parameters on any endpoint within this domain.

Target: hostinger
  • Asset type: URL
  • Asset identifier: reach.hostinger.com
  • Max severity: critical
  • Updated at: June 12, 2025, 7:33 a.m.
Target: Stripe
  • Asset type: WILDCARD
  • Asset identifier: *.lemonsqueezy.com
  • Max severity: critical
  • Updated at: June 11, 2025, 5:41 p.m.
  • Instructions:

    Lemon Squeezy is the all-in-one platform for running your SaaS business. Payments, subscriptions, global tax compliance, fraud prevention, multi-currency support, failed payment recovery, PayPal integration and more.

    Lemon Squeezy was acquired by Stripe in July 2024. As an acquisition, Lemon Squeezy pays out at the rate schedule listed on our [program page](https://hackerone.com/stripe?type=team#:~:text=In%2Dscope%20acquisition%20bounty%20ranges%20(e.g.%2C%20TaxJar%2C%20Recko%2C%20Bouncer%2C%20Lemon%20Squeezy)).

Target: Nintendo
  • Asset type: HARDWARE
  • Asset identifier: Nintendo Switch 2 System Processes
  • Max severity: critical
  • Updated at: June 11, 2025, 5:59 a.m.
Target: Nintendo
  • Asset type: HARDWARE
  • Asset identifier: Nintendo Switch 2 System Processes allowing piracy
  • Max severity: critical
  • Updated at: June 11, 2025, 5:57 a.m.
Target: Nintendo
  • Asset type: HARDWARE
  • Asset identifier: Nintendo Switch 2 Kernel / ARM® TrustZone®
  • Max severity: critical
  • Updated at: June 11, 2025, 5:57 a.m.
Target: Nintendo
  • Asset type: HARDWARE
  • Asset identifier: Nintendo Switch 2 Security controller known as PSC or Platform Security Controller (any component) / Security controller known as TSEC (bootROM only)
  • Max severity: critical
  • Updated at: June 11, 2025, 5:53 a.m.
Target: Nintendo
  • Asset type: HARDWARE
  • Asset identifier: Nintendo Switch 2 applications for which Nintendo is the publisher worldwide
  • Max severity: critical
  • Updated at: June 11, 2025, 5:19 a.m.
Target: Nintendo
  • Asset type: HARDWARE
  • Asset identifier: Nintendo Switch 2 System
  • Max severity: critical
  • Updated at: June 11, 2025, 5:18 a.m.
Target: Visa
  • Asset type: URL
  • Asset identifier: https://ebctest.cybersource.com/ums
  • Max severity: critical
  • Updated at: June 10, 2025, 5:29 p.m.
  • Asset type: WILDCARD
  • Asset identifier: *.uisp.com
  • Max severity: critical
  • Updated at: June 10, 2025, 12:46 p.m.
Target: MongoDB
  • Asset type: OTHER
  • Asset identifier: All Evergreen Assets (Excluding staging)
  • Max severity: critical
  • Updated at: June 10, 2025, 9:11 a.m.
Target: OPPO
  • Asset type: GOOGLE_PLAY_APP_ID
  • Asset identifier: com.heytap.mall
  • Max severity: critical
  • Updated at: June 10, 2025, 9:02 a.m.
Target: OPPO
  • Asset type: GOOGLE_PLAY_APP_ID
  • Asset identifier: com.heytap.store
  • Max severity: critical
  • Updated at: June 10, 2025, 8:39 a.m.
Target: OPPO
  • Asset type: URL
  • Asset identifier: https://www.oppo.com/th/store
  • Max severity: critical
  • Updated at: June 10, 2025, 8:35 a.m.
Target: OPPO
  • Asset type: URL
  • Asset identifier: https://www.oppo.com/id/store
  • Max severity: critical
  • Updated at: June 10, 2025, 8:32 a.m.
Target: OPPO
  • Asset type: URL
  • Asset identifier: https://www.oppo.com/my/store
  • Max severity: critical
  • Updated at: June 10, 2025, 8:31 a.m.
Target: OPPO
  • Asset type: URL
  • Asset identifier: https://www.oppo.com/th
  • Max severity: critical
  • Updated at: June 10, 2025, 8:29 a.m.
Target: Trip.com
  • Asset type: WILDCARD
  • Asset identifier: *.trip.biz
  • Max severity: critical
  • Updated at: June 10, 2025, 5:30 a.m.
  • Asset type: DOWNLOADABLE_EXECUTABLES
  • Asset identifier: UISP
  • Max severity: critical
  • Updated at: June 6, 2025, 4:01 p.m.
Target: Visa
  • Asset type: URL
  • Asset identifier: https://ebctest.cybersource.com/merchant-mgmt/
  • Max severity: critical
  • Updated at: June 6, 2025, 3:38 p.m.
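Before touching anything on a listing like this, the first question is mechanical: does this host, URL or IP fall inside an identifier above, and does a stated exclusion pull it back out? The Python below is an added example, not code from HackerOne or from any program listed here. It encodes a handful of the entries above (Grab's kartaview.org with its 3d.kartaview.org exclusion, pixiv's sketch.pixiv.net with /lives/ excluded, the *.shopify.com and api*.hubapi.com wildcards, Playtika's comma-separated wildcard list, the SIX Group 153.46.240.0/20 CIDR, and Visa's path-scoped https://ebctest.cybersource.com/ums) and answers that question for a candidate URL, host name or IP literal. This page does not say how each asset type is resolved, so the matching rules in the docstring are assumptions; the example goes beyond the listing in one respect, evaluating every stated exclusion before any pattern so that a broad wildcard cannot silently re-include an excluded host or path.

```python
"""Scope matcher for HackerOne-style asset identifiers.

Added example, not code from HackerOne or any program on this page. The
matching rules are assumptions, not something the programs state:
  * URL assets match their exact host; if the identifier carries a path
    (https://ebctest.cybersource.com/ums), the request path must start with it.
  * WILDCARD assets: a leading "*." matches one or more labels; any other "*"
    matches within a single label only; the apex (shopify.com for *.shopify.com)
    is not matched; comma-separated identifiers list several patterns.
  * CIDR assets match an IP literal used as the host.
  * An out_of_scope entry ("host" or "host/path-prefix") beats any match.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Asset:
    target: str
    asset_type: str           # "URL", "WILDCARD" or "CIDR"
    identifier: str
    out_of_scope: tuple = ()  # "host" or "host/path-prefix" strings


# A subset of the entries on this page; the exclusions are the ones the
# programs' instructions state (Grab: 3d.kartaview.org, pixiv: /lives/).
ASSETS = [
    Asset("Grab", "URL", "kartaview.org", ("3d.kartaview.org",)),
    Asset("pixiv", "URL", "sketch.pixiv.net", ("sketch.pixiv.net/lives/",)),
    Asset("Shopify", "WILDCARD", "*.shopify.com"),
    Asset("HubSpot", "WILDCARD", "api*.hubapi.com"),
    Asset("Playtika", "WILDCARD", "*.justfall.lol,*.justplay.lol,*.1v1.lol"),
    Asset("SIX Group", "CIDR", "153.46.240.0/20"),
    Asset("Visa", "URL", "https://ebctest.cybersource.com/ums"),
]


def _split_target(value):
    """Return (host, path) for a URL, bare host or IP literal; path defaults to '/'."""
    if "://" not in value:
        value = "//" + value          # lets urlsplit treat a bare host as the netloc
    parts = urlsplit(value)
    host = (parts.hostname or "").lower()
    return host, parts.path or "/"


def _wildcard_regex(pattern):
    """Compile one WILDCARD identifier to an anchored regex (rules in the docstring)."""
    if pattern.startswith("*."):
        head, rest = r"(?:[^.]+\.)+", pattern[2:]
    else:
        head, rest = "", pattern
    # "*" inside a label may not cross a dot, so api*.hubapi.com does not
    # match api.evil.hubapi.com.
    labels = [re.escape(label).replace(r"\*", "[^.]*") for label in rest.split(".")]
    return re.compile("^" + head + r"\.".join(labels) + "$", re.IGNORECASE)


def _matches(asset, host, path):
    if asset.asset_type == "WILDCARD":
        return any(_wildcard_regex(p.strip()).match(host) for p in asset.identifier.split(","))
    if asset.asset_type == "CIDR":
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(asset.identifier, strict=False)
        except ValueError:            # host is a name, not an IP literal
            return False
    if asset.asset_type == "URL":
        a_host, a_path = _split_target(asset.identifier)
        return host == a_host and path.startswith(a_path)   # literal prefix, no normalisation
    return False


def check(value):
    """Return (in_scope, target, identifier) for a URL, host name or IP literal.

    Exclusions are evaluated before any match, so a stated out-of-scope host or
    path is never reported as in scope just because a broader pattern covers it.
    """
    host, path = _split_target(value)
    for asset in ASSETS:
        for entry in asset.out_of_scope:
            ex_host, ex_path = _split_target(entry)
            if host == ex_host and path.startswith(ex_path):
                return (False, asset.target, asset.identifier)
    for asset in ASSETS:
        if _matches(asset, host, path):
            return (True, asset.target, asset.identifier)
    return (False, None, None)


if __name__ == "__main__":
    for candidate in (
        "https://api2.hubapi.com/crm/v3/objects",
        "https://api.evil.hubapi.com/",
        "https://shopify.com.attacker.net/",
        "https://3d.kartaview.org/map",
        "https://sketch.pixiv.net/lives/12345",
        "153.46.250.7",
        "https://ebctest.cybersource.com/merchant-mgmt/",
    ):
        print(candidate, "->", check(candidate))
```

The two checks worth keeping even if you replace the data model are the anchored regex (a substring test such as `"shopify.com" in host` would accept shopify.com.attacker.net) and the exclusion pass running before the match pass. Path prefixes are compared literally, so a program that excludes `/lives/` does not automatically exclude `/lives` without the trailing slash; add normalisation if a program's wording calls for it.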
Target: Mozilla
  • Asset type: URL
  • Asset identifier: accounts.firefox.com
  • Max severity: critical
  • Updated at: June 6, 2025, 1:16 p.m.
  • Instructions:

    **Critical Site**

    Mozilla Accounts (previously known as Firefox Accounts)

    Additional domains in scope for Firefox Accounts:
    * api.accounts.firefox.com
    * oauth.accounts.firefox.com
    * profile.accounts.firefox.com
    * verifier.accounts.firefox.com
    * graphql.accounts.firefox.com
    * subscriptions.firefox.com

    Source Code: https://github.com/mozilla/fxa

Target: CS Money
  • Asset type: URL
  • Asset identifier: blog.cs.money
  • Max severity: critical
  • Updated at: June 6, 2025, 10:09 a.m.
  • Instructions:

    By visiting this domain you will be redirected to our blog at [cs.money/blog/](https://cs.money/blog/). This is a web application built on WordPress.

    Out of Scope
    WordPress Core Vulnerabilities
    Any vulnerabilities resulting from bugs or shortcomings in the WordPress core itself (e.g., issues with form validation, incorrect API implementations, vulnerabilities in the base architecture of WordPress, etc.).
    This also includes cases where an outdated and potentially vulnerable version of WordPress is being used.

    Plugin Vulnerabilities
    Vulnerabilities in third-party or built-in WordPress plugins that extend the blog's functionality (e.g., SEO plugins, contact form plugins, etc.).
    Also included are configuration errors or flaws that are directly related to issues within the plugin itself.

    Theme Vulnerabilities
    Vulnerabilities associated with custom or default WordPress themes (e.g., broken or unsafe layout structure, vulnerable JavaScript or PHP files within the theme, templating issues, etc.).
    Any flaws in the operation of themes (standard or custom) that may lead to site compromise via known or outdated theme components are considered out of scope.

    Version Conflicts or WordPress Setup Issues
    All cases where the problem stems solely from an improperly installed or conflicting version of WordPress and can be resolved by updating or switching to another version.

    Manual Installation or Modification of WordPress
    Vulnerabilities that require manual code changes to the WordPress core, or installing/configuring third-party plugins or themes solely to reproduce the issue.