Mozilla Critical Services HackerOne


Target Policy
https://hackerone.com/mozilla_critical_services?type=team
Structured Scope
  (Each entry lists the Asset Identifier, followed by its Asset Type and Max Severity.)
  • push.services.mozilla.com

    **Critical Site**

    Firefox Push Service.

    Additional domains in scope:
    - updates.push.services.mozilla.com

    Testing to be done on the staging instances below:
    - wss://autopush.stage.mozaws.net
    - https://updates-autopush.stage.mozaws.net

    Asset Type: URL
    Max Severity: critical
  • com.ideashower.ReadItLaterPro

    Pocket iOS Application.

    **Only versions greater than version 8 are included in the scope.**

    The Pocket authentication system is being migrated to Firefox Accounts; therefore, it is currently out of scope of the program until further notice.

    Asset Type: APPLE_STORE_APP_ID
    Max Severity: critical
  • accounts.firefox.com

    **Critical Site**

    Additional domains in scope for Firefox Accounts:
    * api.accounts.firefox.com
    * oauth.accounts.firefox.com
    * profile.accounts.firefox.com
    * verifier.accounts.firefox.com
    * subscriptions.firefox.com

    Asset Type: URL
    Max Severity: critical
  • merino.services.mozilla.com

    **Critical Site**

    Firefox Suggest

    Testing to be performed on staging instance only: https://stage.merino.nonprod.cloudops.mozgcp.net/api/v1/suggest

    Asset Type: URL
    Max Severity: critical
  • aus5.mozilla.org

    **Critical Site**

    Backend update system for Mozilla products.

    No disruptive testing or scanning tools to be run on production.

    Asset Type: URL
    Max Severity: critical
  • com.ideashower.readitlater.pro

    Pocket Android Application.

    **The Pocket authentication system is being migrated to Firefox Accounts; therefore, it is currently out of scope of the program until further notice.**

    Asset Type: GOOGLE_PLAY_APP_ID
    Max Severity: critical
  • lando.services.mozilla.com

    **Critical Site**

    Tool used to land Firefox code into Mercurial.

    Additional Domains:
    - api.lando.services.mozilla.com

    **Testing to be done on staging or development instances only:**
    - ui.dev.lando.nonprod.cloudops.mozgcp.net
    - ui.stage.lando.nonprod.cloudops.mozgcp.net
    - api.dev.lando.nonprod.cloudops.mozgcp.net
    - api.stage.lando.nonprod.cloudops.mozgcp.net

    Asset Type: URL
    Max Severity: critical
  • hg.mozilla.org

    **Critical Site**

    Source code and version control for Firefox.

    The scope includes vulnerabilities that affect the source code itself.

    Asset Type: URL
    Max Severity: critical
  • crash-reports.allizom.org

    **Critical Site**

    Endpoint for sending Firefox crash reports.

    Testing to be done on staging instance: https://crash-reports.allizom.org/

    Asset Type: URL
    Max Severity: critical
  • bugzilla.mozilla.org

    **Critical Site**

    Mozilla-owned Bugzilla instance.

    Please do not use automated scanners, and do not create or modify bugs, when testing Bugzilla. Instead, testing should only be done on the development instance, bugzilla-dev.allizom.org.

    Asset Type: URL
    Max Severity: critical
  • crash-stats.mozilla.org

    Analytics site for Firefox crash reports data.

    Testing to be done on staging: https://crash-stats.allizom.org/

    Asset Type: URL
    Max Severity: critical
  • crash-reports.mozilla.com

    Endpoint for sending Firefox crash reports.

    Testing to be done on staging instance: https://crash-reports.allizom.org/

    Asset Type: URL
    Max Severity: critical
  • pontoon.mozilla.org

    Mozilla's Localization Platform.

    **Testing to be done on staging instance only: https://mozilla-pontoon-staging.herokuapp.com/**

    Asset Type: URL
    Max Severity: critical
  • phabricator.services.mozilla.com

    Testing to be done on the development instance (phabricator-dev.allizom.org) and the staging instance (phabricator.allizom.org).

    Asset Type: URL
    Max Severity: critical
  • Product Delivery

    **Critical Site**

    **Do not run automated scans on these domains.**

    Firefox product delivery domains:
    - archive.mozilla.org
    - download.mozilla.org
    - download-installer.cdn.mozilla.net
    - treeherder.mozilla.org

    Asset Type: OTHER
    Max Severity: critical
  • contile.services.mozilla.com

    **Critical Site**

    Firefox Tile service.

    Testing to be performed on staging instance: https://contile-stage.topsites.nonprod.cloudops.mozgcp.net/

    Asset Type: URL
    Max Severity: critical
  • sync.services.mozilla.com

    **Critical Site**

    Firefox Sync Domains:
    - *.sync.services.mozilla.com
    - token.services.mozilla.com

    Asset Type: URL
    Max Severity: critical
  • mozilla-pontoon-staging.herokuapp.com

    **Critical Site**

    Staging instance for Mozilla Localization Service.

    Testing is to be done on this instance only; testing on production is not acceptable.

    Asset Type: URL
    Max Severity: critical
  • shavar.services.mozilla.com

    **Critical Site**

    Anti-tracking protection service in Firefox.

    Additional domain: shavar.prod.mozaws.net

    Please do not run automated scans or denial of service testing on this service.

    Asset Type: URL
    Max Severity: critical
  • addons.allizom.org

    **Critical Site**

    This is the staging server for Firefox Addons. Testing should be restricted to this instance without any testing on production.

    Additional domains for Addons:
    - services.addons.allizom.org
    - versioncheck-bg.addons.allizom.org
    - versioncheck.addons.allizom.org

    Asset Type: URL
    Max Severity: critical
  • Mozilla VPN Clients

    **Critical Site**

    Mozilla VPN iOS, Android, Desktop Clients.

    Note that Mozilla VPN subscriptions are only open in [these countries](https://support.mozilla.org/en-US/kb/mozilla-vpn-countries-available-subscribe).

    Asset Type: OTHER
    Max Severity: critical
  • crash-stats.allizom.org

    **Critical Site**

    Analytics site for Firefox crash reports data.

    Testing to be done on staging instance only: https://crash-stats.allizom.org/

    Asset Type: URL
    Max Severity: critical
  • firefox-ci-tc.services.mozilla.com

    **Critical Site**

    TaskCluster CI/CD tool instance used for Firefox builds.

    Asset Type: URL
    Max Severity: critical
  • firefox.settings.services.mozilla.com

    **Critical Site**

    Additional domains for Remote Settings:
    - webextensions.settings.services.mozilla.com
    - firefox-settings-attachments.cdn.mozilla.net

    Testing to be performed on staging instance only: https://firefox.settings.services.allizom.org/v1/

    Asset Type: URL
    Max Severity: critical
  • phabricator.allizom.org

    **Critical Site**

    Testing to be done **only** on the development instance (phabricator-dev.allizom.org) or the staging instance (phabricator.allizom.org).

    Asset Type: URL
    Max Severity: critical
  • location.services.mozilla.com

    Firefox Location Service.

    Testing to be done on staging instance: location.stage.mozaws.net

    Asset Type: URL
    Max Severity: critical
Target Scope Domains
  • accounts.firefox.com
  • addons.allizom.org
  • aus5.mozilla.org
  • bugzilla.mozilla.org
  • contile.services.mozilla.com
  • crash-reports.allizom.org
  • crash-reports.mozilla.com
  • crash-stats.allizom.org
  • crash-stats.mozilla.org
  • firefox-ci-tc.services.mozilla.com
  • firefox.settings.services.mozilla.com
  • hg.mozilla.org
  • lando.services.mozilla.com
  • location.services.mozilla.com
  • merino.services.mozilla.com
  • mozilla-pontoon-staging.herokuapp.com
  • phabricator.allizom.org
  • phabricator.services.mozilla.com
  • pontoon.mozilla.org
  • push.services.mozilla.com
  • shavar.services.mozilla.com
  • sync.services.mozilla.com
Last Finished Scan:
  • Scan Name: allkxss
  • Fleet: allkxss
  • Duration: 1.13 Hours
  • Finished: 1 year, 1 month ago
  • State: Finished