Target Policy

Structured Scope

• Asset Identifier

  Asset Type

  Max Severity

• crash-reports.allizom.org

  ---

  ** Critical Site**

  Endpoint for sending Firefox crash reports.

  Testing to be done on staging instance: https://crash-reports.allizom.org/

  Source Code: https://github.com/mozilla-services/socorro

  URL

  critical
• addons.allizom.org

  ---

  ** Critical Site**

  This is the staging server for Firefox Addons. Testing should be restricted to this instance without any testing on production.

  Additional domains for Addons:
  - services.addons.allizom.org
  - versioncheck-bg.addons.allizom.org
  - versioncheck.addons.allizom.org

  Source Code: https://github.com/mozilla/addons-server

  URL

  critical
• shavar.services.mozilla.com

  ---

  ** Critical Site**

  Anti-tracking protection service in Firefox.

  Additional domain: shavar.prod.mozaws.net.

  Please do not run automated scans or denial of service testing on this service.

  Source Code: https://github.com/mozilla-services/shavar

  URL

  critical
• Mozilla Ad Routing Service

  ---

  ** Critical Site **
  Mozilla Ad Routing Service (MARS) under the below domains:
  - ads.mozilla.org (mars.prod.ads.prod.webservices.mozgcp.net)
  - ads.allizom.org (mars.stage.ads.nonprod.webservices.mozgcp.net)
  - mars.qa.ads.nonprod.webservices.mozgcp.net
  - ads-img.mozilla.org
  - ads-img.allizom.org
  - contile.services.mozilla.com
  - spocs.getpocket.com
  - spocs.getpocket.dev
  - spocs.mozilla.net
  - spocs.allizom.net

  Testing to be done on the staging instance:
  - ads.allizom.org

  Source Code: https://github.com/mozilla-services/mars

  OTHER

  critical
• sync.services.mozilla.com

  ---

  ** Critical Site**

  Firefox Sync Domains:
  - *.sync.services.mozilla.com
  - token.services.mozilla.com

  Source Code:
  - https://github.com/mozilla-services/syncstorage-rs
  - https://github.com/mozilla-services/tokenlib/

  URL

  critical
• lando.services.mozilla.com

  ---

  ** Critical Site**

  Tool used to land Firefox code into Mercurial.

  Additional Domain: api.lando.services.mozilla.com

  Testing to be done on staging or development instances only:
  - ui.dev.lando.nonprod.cloudops.mozgcp.net
  - ui.stage.lando.nonprod.cloudops.mozgcp.net
  - api.dev.lando.nonprod.cloudops.mozgcp.net
  - api.stage.lando.nonprod.cloudops.mozgcp.net

  Source Code:
  - https://github.com/mozilla-conduit/lando
  - https://github.com/mozilla-conduit/lando-api
  - https://github.com/mozilla-conduit/lando-ui

  URL

  critical
• support.mozilla.org

  ---

  **Core Site**

  Support platform for all of Mozilla Products.

  **Testing to be done on staging instance only to avoid disrupting users: support.allizom.org**

  Source Code: https://github.com/mozilla/kitsune

  URL

  critical
• push.services.mozilla.com

  ---

  ** Critical Site**

  Firefox Push Service.

  Additional domain in scope: updates.push.services.mozilla.com

  Testing to be done on below staging instances:
  - wss://autopush.stage.mozaws.net
  - https://updates-autopush.stage.mozaws.net

  Source Code: https://github.com/mozilla-services/autopush-rs
  

  URL

  critical
• contile.services.mozilla.com

  ---

  ** Critical Site**

  Firefox Tile service.

  Testing to be performed on staging instance: https://contile-stage.topsites.nonprod.cloudops.mozgcp.net/
  

  URL

  critical
• phabricator.allizom.org

  ---

  ** Critical Site**

  Testing to be done **only** on the development instance (phabricator-dev.allizom.org) or the staging instance (phabricator.allizom.org)

  Source Code: https://github.com/mozilla-conduit/phabricator

  URL

  critical
• Product Delivery

  ---

  ** Critical Site**

  **Do not run automated scans on those domains**

  Firefox Downloads which include the below sites:
  - archive.mozilla.org
  - download.mozilla.org
  - download-installer.cdn.mozilla.net
  - treeherder.mozilla.org

  Note that content on these assets is intentionally public.

  Source Code: https://github.com/mozilla/treeherder

  OTHER

  critical
• stage.taskcluster.nonprod.cloudops.mozgcp.net

  ---

  **Core Site**

  Staging instance for TaskCluster CI/CD tool.

  Source Code: https://github.com/taskcluster/taskcluster

  URL

  critical
• firefox-ci-tc.services.mozilla.com

  ---

  ** Critical Site**

  TaskCluster CI/CD tool instance used for Firefox builds.

  Source Code: https://github.com/taskcluster/taskcluster

  URL

  critical
• Mozilla VPN Clients

  ---

  ** Critical Site**

  Mozilla VPN iOS, Android, Desktop Clients.

  Note that Mozilla VPN subscriptions are only open in [these countries](https://support.mozilla.org/en-US/kb/mozilla-vpn-countries-available-subscribe).

  Source Code: https://github.com/mozilla-mobile/mozilla-vpn-client

  OTHER

  critical
• aus5.mozilla.org

  ---

  ** Critical Site**

  Backend update system for Mozilla products.

  No disruptive testing or scanning tools to be run on production.

  Source Code: https://github.com/mozilla-releng/balrog

  URL

  critical
• hg.mozilla.org

  ---

  The website used for source code and version control hosting for Firefox.

  Web vulnerabilities that affect the website itself and not the source code will be considered as vulnerabilities in a **Core Site**.

  Vulnerabilities that affect the source code itself will be considered as vulnerabilities in a **Critical Site**.

  Source Code: https://github.com/mozilla/version-control-tools
  

  URL

  critical
• api.profiler.firefox.com

  ---

  **Core Site**

  API server for Firefox Profiler

  Source Code: https://github.com/firefox-devtools/profiler

  URL

  critical
• crash-stats.allizom.org

  ---

  ** Critical Site**

  Analytics site for Firefox crash reports data.

  Testing to be done on staging instance only: https://crash-stats.allizom.org/

  Source Code: https://github.com/mozilla-services/socorro

  URL

  critical
• relay.firefox.com

  ---

  **Core Site**

  Testing to be done on the staging instance only: https://stage.fxprivaterelay.nonprod.cloudops.mozgcp.net.

  The team would like testing to be focused on the APIs listed here: https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net/api/v1/docs/

  Source Code: https://github.com/mozilla/fx-private-relay

  URL

  critical
• community-tc.services.mozilla.com

  ---

  **Core Site**

  Community instance of TaskCluster CI/CD tool.

  Source Code: https://github.com/taskcluster/taskcluster

  URL

  critical
• vpn.mozilla.org

  ---

  **Core Site**

  This is the backend server behind Mozilla VPN.
  

  URL

  critical
• firefox.settings.services.mozilla.com

  ---

  ** Critical Site**

  Additional domains for Remote Settings:
  - firefox-settings-attachments.cdn.mozilla.net

  Testing to be performed on staging instance only: https://firefox.settings.services.allizom.org/v1/

  URL

  critical
• mozilla-pontoon-staging.herokuapp.com

  ---

  ** Critical Site**

  Staging instance for Mozilla Localization Service.

  Testing is to be done on this instance only, testing on production is not acceptable.

  Source Code: https://github.com/mozilla/pontoon

  URL

  critical
• profiler.firefox.com

  ---

  **Core Site**

  Web application for Firefox Profiler

  Source Code: https://github.com/firefox-devtools/profiler

  URL

  critical
• bugzilla.mozilla.org

  ---

  ** Critical Site**

  Mozilla owned Bugzilla instance.

  Please do not use automated scanners, create, or modify bugs when testing Bugzilla. Instead, testing should be only done on the development instance, bugzilla-dev.allizom.org.

  Source Code: https://github.com/mozilla-bteam/bmo

  URL

  critical
• developer.mozilla.org

  ---

  **Core Site**

  Please use the staging instance for intrusive tests or for tests which change the content: https://developer.allizom.org

  Source Code: https://github.com/mdn/mdn

  URL

  critical
• www.mozilla.org

  ---

  **Core Site**

  Mozilla Marketing Website aka Bedrock.

  Please use our staging instance, www.allizom.org, for testing to avoid site disruption.

  Source Code: https://github.com/mozilla/bedrock

  URL

  critical
• accounts.firefox.com

  ---

  ** Critical Site**

  Mozilla Accounts (previously known as Firefox Accounts)

  Additional domains in scope for Firefox Accounts:
  * api.accounts.firefox.com
  * oauth.accounts.firefox.com
  * profile.accounts.firefox.com
  * verifier.accounts.firefox.com
  * subscriptions.firefox.com

  Source Code: https://github.com/mozilla/fxa

  URL

  critical
• monitor.mozilla.org

  ---

  **Core Site**

  Mozilla Monitor
  Testing to be done on the staging instance: https://monitor-stage.allizom.org/
  Source Code: https://github.com/mozilla/blurts-server

  URL

  critical
• merino.services.mozilla.com

  ---

  ** Critical Site**

  Firefox Suggest

  Testing to be performed on staging instance only: https://stage.merino.nonprod.cloudops.mozgcp.net/api/v1/suggest

  Source Code: https://github.com/mozilla-services/merino-py

  URL

  critical

Target Scope Domains

• accounts.firefox.com
• addons.allizom.org
• api.profiler.firefox.com
• aus5.mozilla.org
• bugzilla.mozilla.org
• community-tc.services.mozilla.com
• contile.services.mozilla.com
• crash-reports.allizom.org
• crash-stats.allizom.org
• developer.mozilla.org
• firefox-ci-tc.services.mozilla.com
• firefox.settings.services.mozilla.com
• hg.mozilla.org
• lando.services.mozilla.com
• merino.services.mozilla.com
• monitor.mozilla.org
• mozilla-pontoon-staging.herokuapp.com
• phabricator.allizom.org
• profiler.firefox.com
• push.services.mozilla.com
• relay.firefox.com
• shavar.services.mozilla.com
• stage.taskcluster.nonprod.cloudops.mozgcp.net
• support.mozilla.org
• sync.services.mozilla.com
• vpn.mozilla.org
• www.mozilla.org

• 340 Subdomains
• 97635 Endpoints
• Download wordlist

Last Finished Scan: