8x8 Bounty (HackerOne)


Target Policy
https://hackerone.com/8x8-bounty?type=team
Structured Scope
  • (columns: Asset Identifier / Asset Type / Max Severity)
  • voapi.8x8.com

    VOAPI is a backend application responsible to process phone calls (like InboundCall, OutboundCall, Click2Dial, CallTransfer, CallMerge, Start/Stop CallRecording).

    ▶︎ AU Region: voapi-au.8x8.com
    ▶︎ UK Region: voapi-uk.8x8.com

    URL
    critical
  • https://github.com/jitsi

    Open source repositories that support [Jitsi](https://github.com/jitsi/).
    Jitsi Meet offers free, secure and open-source video conferencing.
    ⚠️ Good-faith source review only: the reporter must have no association with the existence of the vulnerability in question (i.e. must not have introduced it).

    **Proof of Concept Requirements:**
    ⚠️ Vulnerability submissions must include a practical exploitation demonstration on one of the following environments:
    ▶︎ The public Jitsi Meet instance ([meet.jit.si](https://meet.jit.si/))
    ▶︎ 8x8 Video Meetings platform ([8x8.vc](https://8x8.vc/))
    ▶︎ A self-hosted Jitsi deployment

    **Out of Scope:**
    ▶︎ Not actively maintained or archived repositories
    ▶︎ [github.com/jitsi/jitsi](https://github.com/jitsi/jitsi/)
    [Jitsi Desktop](https://github.com/jitsi/jitsi/) is the heritage of [Jitsi Meet](https://github.com/jitsi/jitsi-meet). While some components are still used in e.g. Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions.

    SOURCE_CODE
    critical
  • 8x8 Communication APIs

    Transform customer interactions with our seamless SMS, messaging, video, and voice solutions.
    ⚠️ Self Sign-up is available: https://connect.8x8.com/
    ⚠️ [8x8 CPaaS developer portal](https://developer.8x8.com/connect)
    ⚠️ All APIs listed under "8x8 Connect" are in-scope.
    ⚠️ In-Scope examples:
    * sms.8x8.com
    * chatapps.8x8.com
    * {product}.8x8.uk
    * {product}.8x8.id
    * {product}.us.8x8.com
    * {product}.{region}.cpaas-net.8x8.com

    API
    critical
  • 8x8.my.site.com

    Portal for management of your 8x8 account, billing, orders, and support cases
    ⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum
    ⚠️ out of scope: IDORs where the object identifier is an unguessable, non-enumerable value (e.g. a UUID)

    URL
    high
  • http://*.8x8.vc

    Professional Meetings and Jitsi as a Service. At this time 8x8 does not provide credentials, and researchers are responsible for any fees incurred if they sign up for the service.

    WILDCARD
    critical
  • http://*.jit.si
    WILDCARD
    critical
  • http://*.jitsi.net
    WILDCARD
    critical
  • http://*.8x8staging.com
    WILDCARD
    critical
  • http://*.chalet.8x8.com
    WILDCARD
    critical
  • 8x8 Meet - Windows or macOS Desktop App

    Download Apps - https://download.8x8.vc

    DOWNLOADABLE_EXECUTABLES
    none
  • connect.8x8.com

    ⚠️ **Temporary Scope Exclusion**: campaign.wavecell.com, contacts.8x8.com
    ---
    ⚠️ out of scope: IDORs where the object identifier is an unguessable, non-enumerable value (e.g. a UUID)
    ⚠️ out of scope: IDORs keyed on `AccountId` and `subAccountId`
    ⚠️ when testing support functionality please add "HackerOne" in your subject line and limit the number of requests to an absolute minimum

    URL
    critical
  • *.wavecell.com
    WILDCARD
    critical
  • *.callstats.io

    Sold to Spearline. No longer owned by 8x8.

    URL
    none
  • https://8x8.vc/xmpp-websocket
    URL
    critical
  • 1468264023

    https://apps.apple.com/us/app/8x8-meeting-rooms/id1468264023

    APPLE_STORE_APP_ID
    none
  • vcc-ce-*.8x8.com

    Customer Experience and Post-Call Survey Analytics
    front-end, e.g.: https://vcc-ce.8x8.com/analytix/rt-dashboard.htm

    WILDCARD
    critical
  • *.packet8.net
    WILDCARD
    critical
  • *.jit.si

    Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. We are best known for our Jitsi Meet video conferencing platform, [meet.jit.si](https://meet.jit.si/), where we host a Jitsi Meet instance that the community can use for totally free video conferences, and the Jitsi Videobridge that powers all of our multi-party video capabilities.

    **Out of Scope:**
    ⚠️ Application logic bugs or non-production features in [beta.meet.jit.si](https://beta.meet.jit.si/)

    WILDCARD
    critical
  • Windows or macOS Desktop App

    Download Apps - https://download.8x8.vc

    DOWNLOADABLE_EXECUTABLES
    critical
  • 1473422060

    https://apps.apple.com/us/app/8x8-video-meetings/id1473422060

    APPLE_STORE_APP_ID
    none
  • www.callstats.io
    URL
    none
  • com.eght.meetings

    https://play.google.com/store/apps/details?id=com.eght.meetings

    GOOGLE_PLAY_APP_ID
    none
  • 1165103905

    Jitsi Desktop is the heritage of Jitsi Meet. While some components are still used in e.g. Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions.

    APPLE_STORE_APP_ID
    none
  • http://vcc-*.8x8.com

    Support Agent front-end:
    `./AGUI/login.php`
    Configuration Manager:
    `./CM/login.php`

    Latest version of software usually available on https://vcc-na30.8x8.com/.

    WILDCARD
    critical
  • 348177448

    https://apps.apple.com/us/app/8x8-work/id348177448

    APPLE_STORE_APP_ID
    critical
  • sms.8x8.com

    ▶︎ API usage via sign-up on [8x8 Connect](https://connect.8x8.com/login/signup)
    ▶︎ Usage is described in [8x8 CPaaS developer portal](https://developer.8x8.com/connect)
    ▶︎ All related APIs under `8x8 Connect` (e.g. SMS API, Verification API, Chatapps API, Voice API, …) are in-scope

    URL
    critical
  • *.jitsi.net

    Jitsi is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. We are best known for our Jitsi Meet video conferencing platform.

    **Out of Scope:**
    ⚠️ Application logic bugs or non-production features in [moderated-pilot.jitsi.net](https://moderated-pilot.jitsi.net/)

    WILDCARD
    critical
  • http://*.packet8.net
    WILDCARD
    critical
  • platform.8x8.com
    URL
    critical
  • vcc-*.8x8.com

    ► Contact Center Agent Workspace:
    `./AGUI/login.php`
    ► Configuration Manager:
    `./CM/login.php`

    ⚠️ Latest version of software usually available on https://vcc-na30.8x8.com/
    ⚠️ shareable Wallboard links are out of scope

    WILDCARD
    critical
  • 8x8 Partner Portal

    ▶︎ https://partnerxchange.8x8.com/
    ▶︎ https://8x8.my.site.com/partnerxchange/
    ▶︎ https://8x8.force.com/partnerxchange/
    ⚠️ out of scope: Disclosure of non-sensitive information, such as `Name`, `City`, etc.
    ⚠️ out of scope: `ContentDocument` if considered non-sensitive (e.g. marketing collateral)
    ⚠️ out of scope: IDORs where the object identifier is an unguessable, non-enumerable value (e.g. a UUID)

    OTHER
    high
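Several assets above (8x8.my.site.com, connect.8x8.com and the Partner Portal) exclude IDORs whose object identifier is an unguessable, non-enumerable value such as a UUID. Before reporting an IDOR it is worth checking which class the identifier actually belongs to. The script below is an added example written for this page, not code from 8x8, HackerOne or Jitsi; the sample identifiers and the `triage`/`classify_identifier` names are constructed for illustration. One caveat it adds beyond the program text, which treats UUIDs as a single class: a version 1 UUID is built from a timestamp and a node ID, so neighbouring values are guessable, and version 3/5 UUIDs are derivable from their namespace and name. Only the version 4 (random) form gives the 122 bits of unpredictability the exclusion assumes.

```python
"""Classify object identifiers by how enumerable they are.

Added example for this page (not 8x8's or HackerOne's code). It helps decide
whether an IDOR candidate falls under the program's exclusion for
unguessable / non-enumerable identifiers. Treating UUID versions differently
is this editor's caveat; the program text speaks of UUIDs as one class.
"""
import math
import re
import uuid
from collections import Counter

# Constructed sample identifiers; none come from a real 8x8 response.
SAMPLE_IDS = {
    "case_number": "10482",                                  # sequential-looking
    "document":    "a3f1c2e4-9b7d-4c8e-8f21-0d5e6a7b8c9d",   # random UUID (v4)
    "legacy_obj":  "6ba7b810-9dad-11d1-80b4-00c04fd430c8",   # time-based UUID (v1)
    "hex_handle":  "0000000000000000000000000000002a",       # zero-padded counter
}


def shannon_bits_per_char(s: str) -> float:
    """Empirical Shannon entropy of the characters in s, in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_identifier(value: str) -> dict:
    """Return {'kind', 'enumerable', 'reason'} for a single identifier string."""
    v = value.strip()

    # Plain decimal counters: the guess space is bounded by the digit count.
    if re.fullmatch(r"\d+", v):
        return {"kind": "integer", "enumerable": True,
                "reason": f"decimal counter; at most 10^{len(v)} candidates"}

    # RFC 4122 UUIDs: only the random version is genuinely non-enumerable.
    try:
        u = uuid.UUID(v)
    except ValueError:
        u = None
    if u is not None and u.variant == uuid.RFC_4122:
        if u.version == 4:
            return {"kind": "uuid4", "enumerable": False,
                    "reason": "122 random bits; matches the program's UUID exclusion"}
        if u.version == 1:
            return {"kind": "uuid1", "enumerable": True,
                    "reason": "time-based: timestamp + node make neighbouring values guessable"}
        if u.version in (3, 5):
            return {"kind": f"uuid{u.version}", "enumerable": True,
                    "reason": "name-based: derivable when namespace and name are known"}

    # Anything else: judge by the entropy of the characters actually present.
    bits = shannon_bits_per_char(v)
    if bits < 2.0:
        return {"kind": "low-entropy", "enumerable": True,
                "reason": f"{bits:.2f} bits/char; looks like a padded counter"}
    return {"kind": "opaque", "enumerable": False,
            "reason": f"{bits:.2f} bits/char over {len(v)} chars; treat as non-enumerable "
                      "unless a pattern emerges across several samples"}


def triage(ids: dict) -> dict:
    """Classify every identifier in ids; returns name -> classification dict."""
    return {name: classify_identifier(val) for name, val in ids.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_IDS).items():
        flag = "ENUMERABLE" if result["enumerable"] else "non-enumerable"
        print(f"{name:12s} {result['kind']:12s} {flag:15s} {result['reason']}")
```

The entropy threshold is a heuristic for values that are neither integers nor RFC 4122 UUIDs; collect several identifiers from the same endpoint before concluding that an "opaque" value really is unpredictable. Note also that the `AccountId`/`subAccountId` exclusion on connect.8x8.com is a policy decision about those specific fields and is not something this classifier can detect.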
  • admin.8x8.com

    Administration portal for managing your 8x8 service including users and telephony features

    URL
    critical
  • Intellectual Property on Public Domains

    Leaks identified in public domains are in scope, provided they contain sensitive or proprietary information that could impact our organization’s confidentiality, integrity, or availability.

    OTHER
    critical
  • org.jitsi.meet

    https://play.google.com/store/apps/details?id=org.jitsi.meet

    While some components are still used in e.g. Jigasi, the project is not actively developed anymore. Improvements, bugfixes and builds are entirely based on community contributions.

    GOOGLE_PLAY_APP_ID
    none
  • sso.8x8.com

    8x8 Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple 8x8 applications.
    ⚠️ MFA-bypasses requiring prior knowledge of credentials will be treated with `MEDIUM` severity.

    URL
    critical
  • com.spot8x8.spot

    8x8 Spaces - https://play.google.com/store/apps/details?id=com.spot8x8.spot

    GOOGLE_PLAY_APP_ID
    none
  • uc.8x8pilot.com
    URL
    critical
  • work-staging.8x8.com
    URL
    critical
  • https://webrtc.8x8.com/
    URL
    critical
  • 8x8-work

    https://apps.apple.com/us/app/8x8-work/id348177448

    APPLE_STORE_APP_ID
    critical
  • express.8x8.com
    URL
    none
  • *.p8t.us
    WILDCARD
    critical
  • analytics-*.8x8.com

    Analytics for Contact Center
    ⚠️ shareable Wallboard links are out of scope

    WILDCARD
    critical
  • dashboard.qa.ai.8x8.com

    Analytics for 8x8 Work

    URL
    critical
  • qm-*.8x8.com

    Quality Management & Speech Analytics

    WILDCARD
    critical
  • https://*.chalet.8x8.com/ws/v1
    WILDCARD
    critical
  • work.8x8.com

    At this time 8x8 does not provide test credentials.

    URL
    critical
  • org.vom8x8.sipua

    8x8 Work - https://play.google.com/store/apps/details?id=org.vom8x8.sipua

    GOOGLE_PLAY_APP_ID
    critical
  • *.chalet.8x8.com
    WILDCARD
    critical
  • user-profile-staging.8x8.com
    URL
    critical
  • *.8x8staging.com
    WILDCARD
    critical
  • user-profile.8x8.com
    URL
    critical
  • *.8x8.id

    ▶︎ RDP: If You See Something, Say Something

    WILDCARD
    critical
  • platform.8x8pilot.com
    URL
    critical
  • Virtual Office Desktop

    Download 8x8 Work for Desktop: https://support-portal.8x8.com/helpcenter/viewArticle.html?d=8bff4970-6fbf-4daf-842d-8ae9b533153d

    DOWNLOADABLE_EXECUTABLES
    critical
  • sso.8x8pilot.com

    8x8 Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple 8x8 applications.
    ⚠️ MFA-bypasses requiring prior knowledge of credentials will be treated with `MEDIUM` severity.

    URL
    critical
  • pay.8x8.com
    URL
    critical
  • *.8x8cloud.net
    WILDCARD
    critical
  • cloud8.8x8.com
    URL
    critical
  • *.8x8.vc

    Professional Meetings and Jitsi as a Service. At this time 8x8 does not provide credentials, and researchers are responsible for any fees incurred if they sign up for the service.

    WILDCARD
    critical
Target Scope Domains
  • 8x8.id
  • 8x8.my.site.com
  • 8x8.vc
  • 8x8cloud.net
  • 8x8staging.com
  • admin.8x8.com
  • analytics-*.8x8.com
  • chalet.8x8.com
  • cloud8.8x8.com
  • connect.8x8.com
  • dashboard.qa.ai.8x8.com
  • jit.si
  • jitsi.net
  • p8t.us
  • packet8.net
  • pay.8x8.com
  • platform.8x8.com
  • platform.8x8pilot.com
  • qm-*.8x8.com
  • sms.8x8.com
  • sso.8x8.com
  • sso.8x8pilot.com
  • uc.8x8pilot.com
  • user-profile-staging.8x8.com
  • user-profile.8x8.com
  • vcc-*.8x8.com
  • vcc-ce-*.8x8.com
  • voapi.8x8.com
  • wavecell.com
  • webrtc.8x8.com
  • work-staging.8x8.com
  • work.8x8.com
Tech Stack
  • Alibaba Cloud Cdn
  • Amazon Cloudfront
  • Amazon Elb
  • Amazon S3
  • Amazon Web Services
  • Apache Http Server
  • Apexpages
  • Atlassian Statuspage
  • Caddy
  • Canny
  • Cdnjs
  • Cloudflare
  • Cloudflare Bot Management
  • Cowboy
  • Envoy
  • Erlang
  • Express
  • Fastly
  • Flywheel
  • Flywheel:5.1.0
  • Github Pages
  • Google Analytics
  • Google Tag Manager
  • Hsts
  • Http/3
  • Hubspot
  • Hubspot Cms Hub
  • Java
  • Jetty:9.4.44
  • Jitsi
  • Jquery
  • Jquery Cdn
  • Jquery Ui
  • Jsdelivr
  • Linkedin Ads
  • Mysql
  • Nginx
  • Nginx:1.18.0
  • Nginx:1.22.1
  • Nginx:1.24.0
  • Node.Js
  • Php
  • Polyfill:2
  • React
  • Recaptcha
  • Ruby
  • Ruby On Rails
  • Salesforce
  • Spring
  • Tengine
  • Varnish
  • Webassembly
  • Wordpress
  • Zendesk

Last Finished Scan
  • Fleet: allsubs
  • Duration: 52 Seconds
  • Finished: 1 week, 1 day ago
  • State: Finished