CS Money HackerOne


Target Policy
https://hackerone.com/cs_money?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • ab.cs.money
    URL
    none
  • s.cs.money
    URL
    none
  • job.cs.money
    URL
    none
  • community.cs.money
    URL
    none
  • CS.Money Antiscam

    This is our Google Chrome extension, which protects our users from potential scams. No longer supported and thus out of scope.
    [Chrome Web Store](https://chrome.google.com/webstore/detail/csmoney-antiscam/bocdepodnagbohblgjmooobalmcojkpg)

    OTHER
    none
  • support.cs.money

    This is our [web client](https://support.cs.money/) for providing technical support.

    ## What to look for:
    * Direct access to the client, authentication bypass
    * Vulnerabilities related to user privacy violations
    * Vulnerabilities directly affecting `cs.money`

    ## Important information
    If you are going to test anything that involves typing in the support chat, please send the following message first.
    ```
    Hello. I'm a pentester from HackerOne. I'm going to test something in support chat. Your developers are aware of that.
    ```

    URL
    critical
  • blog.cs.money

    By visiting this domain you will be redirected to our blog at [cs.money/blog/](https://cs.money/blog/). This is a web application built on WordPress.

    Out of Scope
    WordPress Core Vulnerabilities
    Any vulnerabilities resulting from bugs or shortcomings in the WordPress core itself (e.g., issues with form validation, incorrect API implementations, vulnerabilities in the base architecture of WordPress, etc.).
    This also includes cases where an outdated and potentially vulnerable version of WordPress is being used.

    Plugin Vulnerabilities
    Vulnerabilities in third-party or built-in WordPress plugins that extend the blog's functionality (e.g., SEO plugins, contact form plugins, etc.).
    Also included are configuration errors or flaws that are directly related to issues within the plugin itself.

    Theme Vulnerabilities
    Vulnerabilities associated with custom or default WordPress themes (e.g., broken or unsafe layout structure, vulnerable JavaScript or PHP files within the theme, templating issues, etc.).
    Any flaws in the operation of themes (standard or custom) that may lead to site compromise via known or outdated theme components are considered out of scope.

    Version Conflicts or WordPress Setup Issues
    All cases where the problem stems solely from an improperly installed or conflicting version of WordPress and can be resolved by updating or switching to another version.

    Manual Installation or Modification of WordPress
    Vulnerabilities that require manual code changes to the WordPress core, or installing/configuring third-party plugins or themes solely to reproduce the issue.

    URL
    critical
  • grafana.cs.money

    Out of scope. This is our instance of Grafana.

    URL
    none
  • old.cs.money

    Out of scope. This was the old version of our primary web application.

    URL
    none
  • 3d.cs.money


    [3d.cs.money](https://3d.cs.money/) is a skin model generator.

    ## What to look for:

    * Vulnerabilities related to user privacy violations
    * Vulnerabilities directly affecting `cs.money`

    URL
    medium
  • wiki.cs.money

    [wiki.cs.money](https://wiki.cs.money/) contains detailed descriptions and characteristics of all CS2 skins, as well as a unique 3D viewing system.

    ## What to look for:
    * Vulnerabilities related to user privacy violations
    * Vulnerabilities directly affecting `cs.money`

    URL
    medium
  • cs.money

    [cs.money](https://cs.money/) is our primary web application where users can trade, sell and buy in-game items.

    ## What to look for:
    * Besides the described scope on our policy tab, please pay attention to anything else that can affect user experience, security and privacy.

    URL
    critical
Target Scope Domains
  • 3d.cs.money
  • blog.cs.money
  • cs.money
  • support.cs.money
  • wiki.cs.money
Tech Stack

Last Finished Scan:
Scan Name
Fleet
Finished
State
allkxss
5 days, 3 hours ago
Finished
  • Fleet: allkxss
  • Duration: 29 Seconds
  • Finished: 5 days, 3 hours ago