** Critical Site**
Firefox Suggest
Testing to be performed on staging instance only: https://stage.merino.nonprod.cloudops.mozgcp.net/api/v1/suggest
** Critical Site**
TaskCluster CI/CD tool instance used for Firefox builds.
** Critical Site**
Anti-tracking protection service in Firefox.
Additional domain: shavar.prod.mozaws.net.
Please do not run automated scans or denial of service testing on this service.
** Critical Site**
**Do not run automated scans on those domains**
Firefox Downloads which include the below sites:
- archive.mozilla.org
- download.mozilla.org
- download-installer.cdn.mozilla.net
- treeherder.mozilla.org
** Critical Site**
Firefox Sync Domains:
- *.sync.services.mozilla.com
- token.services.mozilla.com
**Core Site**
Mozilla Monitor
Testing to be done on the staging instance: https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net/
** Critical Site**
Endpoint for sending Firefox crash reports.
Testing to be done on staging instance: https://crash-reports.allizom.org/
** Critical Site**
Firefox Tile service.
Testing to be performed on staging instance: https://contile-stage.topsites.nonprod.cloudops.mozgcp.net/
** Critical Site**
Testing to be done **only** on the development instance (phabricator-dev.allizom.org) or the staging instance (phabricator.allizom.org)
** Critical Site**
This is the staging server for Firefox Addons. Testing should be restricted to this instance without any testing on production.
Additional domains for Addons:
- services.addons.allizom.org
- versioncheck-bg.addons.allizom.org
- versioncheck.addons.allizom.org
** Critical Site**
Mozilla Accounts (previously known as Firefox Accounts)
Additional domains in scope for Firefox Accounts:
* api.accounts.firefox.com
* oauth.accounts.firefox.com
* profile.accounts.firefox.com
* verifier.accounts.firefox.com
* subscriptions.firefox.com
** Critical Site**
Backend update system for Mozilla products.
No disruptive testing or scanning tools to be run on production.
Pocket Web application under the following paths:
- getpocket.com/home
- getpocket.com/account
- getpocket.com/discover
- getpocket.com/collections
- getpocket.com/saves/*
- getpocket.com/read/*
- getpocket.com/premium/*
The following API endpoints:
- getpocket.com/v3/add
- getpocket.com/v3/send
- getpocket.com/v3/get
- getpocket.com/graphql
**Pocket authentication system is being migrated to Firefox Accounts, therefore, it is currently out of scope of the program until further notice.**
** Critical Site**
Mozilla owned Bugzilla instance.
Please do not use automated scanners, create, or modify bugs when testing Bugzilla. Instead, testing should be only done on the development instance, bugzilla-dev.allizom.org.
** Critical Site**
Firefox Push Service.
Additional domain in scope: updates.push.services.mozilla.com
Testing to be done on below staging instances:
- wss://autopush.stage.mozaws.net
- https://updates-autopush.stage.mozaws.net
** Critical Site**
Mozilla VPN iOS, Android, Desktop Clients.
Note that Mozilla VPN subscriptions are only open in [these countries](https://support.mozilla.org/en-US/kb/mozilla-vpn-countries-available-subscribe).
Demo Hubs web application.
Backend services for the Hubs application.
Additional domains in scope for reticulum.io:
* hmc-assets.reticulum.io
* nearspark.reticulum.io
* stream.reticulum.io
* *.stream.reticulum.io
Managed Hubs Instance. We created this instance specifically for researchers to use when testing. Please do not conduct any testing on any other instance.
** Critical Site**
Analytics site for Firefox crash reports data.
Testing to be done on staging instance only: https://crash-stats.allizom.org/
** Critical Site**
Staging instance for Mozilla Localization Service.
Testing is to be done on this instance only, testing on production is not acceptable.
** Critical Site**
Additional domains for Remote Settings:
- webextensions.settings.services.mozilla.com
- firefox-settings-attachments.cdn.mozilla.net
Testing to be performed on staging instance only: https://firefox.settings.services.allizom.org/v1/
** Critical Site**
Tool used to land Firefox code into Mercurial.
Additional Domain: api.lando.services.mozilla.com
Testing to be done on staging or development instances only:
- ui.dev.lando.nonprod.cloudops.mozgcp.net
- ui.stage.lando.nonprod.cloudops.mozgcp.net
- api.dev.lando.nonprod.cloudops.mozgcp.net
- api.stage.lando.nonprod.cloudops.mozgcp.net
**Core Site**
Testing to be done on the staging instance only: https://stage.fxprivaterelay.nonprod.cloudops.mozgcp.net.
The team would like testing to be focused on the APIs listed here: https://dev.fxprivaterelay.nonprod.cloudops.mozgcp.net/api/v1/docs/
The website used for source code and version control hosting for Firefox.
Web vulnerabilities that affect the website itself and not the source code will be considered as vulnerabilities in a **Core Site**.
Vulnerabilities that affect the source code itself will be considered as vulnerabilities in a **Critical Site**.
**Core Site**
Staging instance for TaskCluster CI/CD tool.
**Core Site**
Support platform for all of Mozilla Products.
**Testing to be done on staging instance only to avoid disrupting users: support.allizom.org**
Mozilla Monitor
Testing to be done on the staging instance: https://stage.firefoxmonitor.nonprod.cloudops.mozgcp.net/
**Core Site**
Please use the staging instance for intrusive tests or for tests which change the content: https://developer.allizom.org
**Core Site**
Mozilla Marketing Website aka Bedrock.
Please use our staging instance, www.allizom.org, for testing to avoid site disruption.
**Core Site**
Web application for Firefox Profiler
**Core Site**
Community instance of TaskCluster CI/CD tool.
**Core Site**
This is the backend server behind Mozilla VPN.
**Core Site**
API server for Firefox Profiler