Any finding related to https://3d.kartaview.org is considered out-of-scope.
/lives/ is out of scope because it is scheduled to be discontinued.
* This site is in Japanese.
* This site uses pixiv account (signup at https://accounts.pixiv.net).
* PC: https://sketch.pixiv.net/
* iOS: https://itunes.apple.com/app/pixiv-sketch/id991334925
* Android: https://play.google.com/store/apps/details?id=jp.pxv.android.sketch
Environment: Non-core
Vulnerabilities found in Shopify third party apps should be reported to the responsible developer. You should only report vulnerabilities in Shopify third party apps to Shopify under this program if you do not receive a satisfactory response from the responsible developer.
Environment: Non-core
You may only test against shops you have created.
Environment: Non-core
Reports involving *.shopify.com are reviewed on a per-case basis for bounty eligibility; this includes shopifycompass.com. Any services operated by a third party without a proof of concept demonstrating impact on *.myshopify.com users will likely be ineligible for a bounty.
Environment: Non-core
Public repositories available under the Shopify organization in Github.
Environment: Non-core
*.shopify.io may include developer test or third party applications. If you are unsure about a domain and it looks like a test or third party application, please email us at bugbounty@shopify.com before spending time on it.
Environment: Non-core
*.shopifycloud.com may include developer test or third party applications. For example, devdegree*.shopifycloud.com, vendorvoice.shopifycloud.com, nsolid-test-console.shopifycloud.com. These types of domains are not considered in scope and reports pertaining to them will be closed as Informative. If you are unsure about a domain and it looks like a test application, please email us at bugbounty@shopify.com before spending time on it.
Environment: Non-core
Shopify apps and sales channels mean everything installed via the following link: https://apps.shopify.com/collections/made-by-shopify
Environment: Non-core
Shopify Kloud includes all *.shopifykloud.com applications. Please note, there may be developer test or third party applications launched on the domain which may have low security implications for Shopify. If you are unsure about a subdomain on *.shopifykloud.com and it looks like a test application, email us at bugbounty AT shopify.com before spending time on it.
Environment: Core
Your development store hosted at `*.myshopify.com`. Create a development store by signing up at https://partners.shopify.com/
Environment: Non-core
Shopify's service for handling credit card data in a PCI compliant way.
Environment: Non-core
Android: https://play.google.com/store/apps/dev?id=8929232438554100687
iOS: https://itunes.apple.com/ca/developer/shopify-inc/id371294475
Note: any services operated by a third party without a proof of concept demonstrating impact on Shopify users will likely be ineligible for a bounty.
Magic Labs has been engaged to manage the Magic Newton Foundation bug bounty for the Newton Protocol.
Staking Contract: 0x8f0D9acBdf8Dbeea67af639CbC995a9767e14488
Validator Contract: 0x3846a94F817AcB78fb983f8631E779e49cbE888f
Only critical issues
Bistro by Blinkit: A mobile app offering instant food delivery
https://apps.apple.com/in/app/bistro-food-in-minutes/id6670203019
Bistro by Blinkit: A mobile app offering instant food delivery
https://play.google.com/store/apps/details?id=com.blinkit.bistro
**Secondary Asset**
World Foundation-owned asset
**Primary Asset**
TFH-owned asset
**Primary Asset**
World App for Android. TFH-owned asset
AdwCleaner, the world's most popular adware cleaner, finds and removes unwanted programs and junkware so your online experience stays optimal and hassle-free.
Product page: https://www.malwarebytes.com/adwcleaner
Documentation:
https://help.malwarebytes.com/hc/en-us/categories/31589180730139-AdwCleaner
## Known Issues
The following vulnerabilities have been identified and are currently being addressed. Reports of these issues will be closed as duplicates:
- Cross-Site Scripting (XSS) vulnerabilities on `*.bmeinntech.es`.
- This includes any reflected or stored XSS in input parameters on any endpoint within this domain.
Please sign up (self-registration) and use the following test accounts: @wearehackerone.com
## Scope
* Attacks that allow extracting the seed from the device, including but not limited to:
  * Gaining access to the device recovery mode without wiping the seed first.
  * Allowing the installation and use of arbitrary ledger apps without wiping the seed first.
* Attacks that allow signing arbitrary hashes with the BTC key id.
* Attacks that gain access to arbitrary BIP32 paths (either for signing or extracting the private key).
* Attacks that allow the manipulation of the blockchain state's best block without the corresponding PoW.
* Attacks that allow the manipulation of the blockchain state's ancestor block and/or ancestor receipts root without the corresponding proof of best block ancestry.
* Attacks that fake an authentic attestation on a device running different versions of either the UI or Signer.
* Attacks that allow producing an authentic attestation on a device with a pre-generated or well-known seed.
* Attacks that lead the ledger into a DOS state without the need for physical device access. This does not imply that the ledger device has an open external interface.
* Attacks that lead the middleware manager into a DOS state without the need for physical access to the host. This does not imply that the middleware has an open external interface.
* Transactions in either the RSK or Bitcoin networks that may lead the powHSM into signing arbitrary pegouts or hashes.
* Side channel attacks.
* Supply chain attacks that have direct consequences on the production software.
* Identification and reporting of vulnerabilities in the Ledger source code will be eligible for rewards after 90 days from the initial disclosure from Ledger.
* Vulnerabilities discovered in the Ledger source code will be rewarded according to the general reward table specified for the bug bounty program, rather than the powHSM project reward table.
* Vulnerabilities found in the Ledger source code will not qualify for the bonus reward associated with Remote Code Execution.
## Out of Scope
* Vulnerabilities related to the ledger devices used by the rsk-powhsm; this includes their physical security.
* Vulnerabilities that don't ultimately allow for the arbitrary or insecure use of any of the keys derived from the device seed.
* Vulnerabilities in the TCPSigner component, which is made solely for testing and fuzzing purposes.
* Vulnerabilities located in code under the path `firmware/src/hal/src/x86/`, since it is code related to the TCPSigner component.
* All code related to SGX is out of scope.
Due to the complexity of the project, some of the points may be interpreted ambiguously; therefore we reserve the right to make the final decision on a report regarding its relevance to the scope and its specified severity. Please reach out to us if you have any doubts about the scope.
Stripe [acquired](https://stripe.com/ae/newsroom/news/stripe-completes-bridge-acquisition) Bridge in February 2025.
Bridge does not currently have a self-service sign-up option. Scope for the bug bounty program is limited to researchers testing api.bridge.xyz ([documentation](https://apidocs.bridge.xyz/docs/api-summary)) or Dashboard ([login](https://dashboard.bridge.xyz/)) without credentials at this time. Because of this, the program is interested in potential authentication bypasses or vulnerabilities that surface without valid credentials. In the future, the program may expand to include credentialed testing.
Other static content domains like Bridge's [marketing](https://www.bridge.xyz/) or [docs](https://apidocs.bridge.xyz/) site are out-of-scope.
Please note that only the following repositories are in scope:
- [OneAgent-Ansible](https://github.com/Dynatrace/Dynatrace-OneAgent-Ansible)
- [configuration-as-code](https://github.com/Dynatrace/dynatrace-configuration-as-code)
- [configuration-as-code-core](https://github.com/Dynatrace/dynatrace-configuration-as-code-core)
- [dynatrace-operator](https://github.com/Dynatrace/dynatrace-operator)
- [dynatrace-otel-collector](https://github.com/Dynatrace/dynatrace-otel-collector)
- [heroku-buildpack-dynatrace](https://github.com/Dynatrace/heroku-buildpack-dynatrace)
- [backstage-plugin](https://github.com/Dynatrace/backstage-plugin)
- [swift-mobile-sdk](https://github.com/Dynatrace/swift-mobile-sdk)
- [dynatrace-bootstrapper](https://github.com/Dynatrace/dynatrace-bootstrapper)
- [OneAgent-SDK-for-Java](https://github.com/Dynatrace/OneAgent-SDK-for-Java)
- [openkit-js](https://github.com/Dynatrace/openkit-js)
- [agent-nodejs](https://github.com/Dynatrace/agent-nodejs)
- [Log-Security-Rules-Checker](https://github.com/Dynatrace/Dynatrace-Log-Security-Rules-Checker)
Do not perform any tests against [https://github.com](https://github.com/).
## Known Issues
The following vulnerabilities have been identified and are currently being addressed. Reports of these issues will be closed as duplicates:
- Cross-Site Scripting (XSS) vulnerabilities on `secure.tkfweb.com`.
- This includes any reflected or stored XSS in input parameters on any endpoint within this domain.
Lemon Squeezy is the all-in-one platform for running your SaaS business. Payments, subscriptions, global tax compliance, fraud prevention, multi-currency support, failed payment recovery, PayPal integration and more.
Lemon Squeezy was acquired by Stripe in July 2024. As an acquisition, Lemon Squeezy pays out at the rate schedule listed on our [program page](https://hackerone.com/stripe?type=team#:~:text=In%2Dscope%20acquisition%20bounty%20ranges%20(e.g.%2C%20TaxJar%2C%20Recko%2C%20Bouncer%2C%20Lemon%20Squeezy)).
**Critical Site**
Mozilla Accounts (previously known as Firefox Accounts)
Additional domains in scope for Firefox Accounts:
* api.accounts.firefox.com
* oauth.accounts.firefox.com
* profile.accounts.firefox.com
* verifier.accounts.firefox.com
* graphql.accounts.firefox.com
* subscriptions.firefox.com
Source Code: https://github.com/mozilla/fxa
By visiting this domain you will be redirected to our blog at [cs.money/blog/](https://cs.money/blog/). This is a web application built on WordPress.
## Out of Scope
**WordPress Core Vulnerabilities**
Any vulnerabilities resulting from bugs or shortcomings in the WordPress core itself (e.g., issues with form validation, incorrect API implementations, vulnerabilities in the base architecture of WordPress, etc.).
This also includes cases where an outdated and potentially vulnerable version of WordPress is being used.
**Plugin Vulnerabilities**
Vulnerabilities in third-party or built-in WordPress plugins that extend the blog's functionality (e.g., SEO plugins, contact form plugins, etc.).
Also included are configuration errors or flaws that are directly related to issues within the plugin itself.
**Theme Vulnerabilities**
Vulnerabilities associated with custom or default WordPress themes (e.g., broken or unsafe layout structure, vulnerable JavaScript or PHP files within the theme, templating issues, etc.).
Any flaws in the operation of themes (standard or custom) that may lead to site compromise via known or outdated theme components are considered out of scope.
**Version Conflicts or WordPress Setup Issues**
All cases where the problem stems solely from an improperly installed or conflicting version of WordPress and can be resolved by updating or switching to another version.
**Manual Installation or Modification of WordPress**
Vulnerabilities that require manual code changes to the WordPress core, or installing/configuring third-party plugins or themes solely to reproduce the issue.
Grammarly Coda AI Editor