HuntDash - watson

Target Policy

https://hackerone.com/watson_group?type=team

Structured Scope

Asset Identifier

Asset Type

Max Severity
Watsons

There are 7 regions of Watsons online retail platforms. They share the same source code, we only accept one report for one issue across the following domains. If you are testing functionalities that require you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In Scope
=========
>https://www.watsons.com.my
>https://www.watsons.com.ph
>https://www.watsons.co.th
>https://www.watsons.com.tw
>https://www.watsons.com.hk
>https://www.watsons.co.id
>https://www.watsons.com.sg
>https://www10.watsons.com.my
>https://www10.watsons.com.ph
>https://www10.watsons.co.th
>https://www20.watsons.co.th
>https://www10.watsons.com.tw
>https://www10.watsons.com.hk
>https://www10.watsons.co.id
>https://www10.watsons.com.sg
>api.watsons.com.my
>api.watsons.com.ph
>api.watsons.com.th
>api.watsons.com.tw
>api.watsons.com.hk
>api.watsons.co.id
>api.watsons.com.sg
>Mobile app retail (Android and iOS)

*Not eligible for bounty*
> \*.watsons.co.th
>\*.watsons.co.id
>\*.watsons.com.sg

OTHER

critical
*.watsons.com.tw

This asset is specifically for Watsons TW subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.tw/

WILDCARD

critical
api.iciparisxl.lu

This is the API server for the www.iciparisxl.lu website

URL

critical
api.drogas.lt

This is the API server of the Drogas mobile app in Lithuania

URL

critical
api.iciparisxl.be

This is the API server for the www.iciparisxl.be website

URL

critical
api.watsons.com.my

This is the API server for the www.watsons.com.my website

URL

critical
Watsons SG (subdomains)

This asset is specifically for Watsons Singapore subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.sg

OTHER

critical
api.superdrug.com

This is the API server for the superdrug.com website

URL

critical
*.marionnaud.ch

This asset is specifically for Marionnaud CH subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.ch/

WILDCARD

critical
*.watsons.com.sg

This asset is specifically for Watsons SG subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.sg/

WILDCARD

critical
*.savers.co.uk

This asset is specifically for Savers subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.savers.co.uk/

WILDCARD

critical
Superdrug.App.Android

This is our Superdrug Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App link: https://play.google.com/store/apps/details?id=superdrug.com.beautycard&hl=en

GOOGLE_PLAY_APP_ID

critical
www.marionnaud.at

This is our online Austrian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
media.drogas.lv

This subdomain is used to store static content for the www.drogas.lv e-commerce website

URL

critical
app.watsons.com.tr

This hostname is used for the Watsons Turkey mobile app

URL

critical
*.parknshop.com

This asset is specifically for PNS subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.parknshop.com/

WILDCARD

critical
Marionnaud.France.iOS

This is our Marionnaud (iOS) app in France. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/fr/app/marionnaud-beaut%C3%A9-soins/id1127368763

APPLE_STORE_APP_ID

critical
www10.watsons.com.tw

This is the API server for the Watsons Taiwan Mobile App

URL

critical
www.marionnaud.hu

This is our online Hungarian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Watsons.HongKong.Android

This is our Watsons HongKong Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.ndn.android.watsons

GOOGLE_PLAY_APP_ID

critical
PNS.HongKong.Android

This is our PNS Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.parknshop.parknshopapp

GOOGLE_PLAY_APP_ID

critical
media.marionnaud.ch

This subdomain is used to store static content for the www.marionnaud.ch e-commerce website.

URL

critical
Watsons TW (subdomains)

This asset is specifically for Watsons TW's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.tw/

OTHER

critical
www.kruidvat.be

This is our Dutch online retail platform. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This website is similar to other websites (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

URL

critical
Moneyback (subdomains)

This asset is specifically for Moneyback's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
> *.moneyback.com.hk/

OTHER

critical
ICI Paris XL

This asset is our Benelux perfume retail website. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In scope
=====================
>https://www.iciparisxl.nl/
>https://www.iciparisxl.be/
>https://www.iciparisxl.lu/
>https://app.iciparisxl.nl/
>https://app.iciparisxl.be/
>https://app.iciparisxl.lu/
>Mobile app retail (Android and iOS)

*Not eligible for bounty*
>https://www.iciparisxl.nl/blog
>https://www.iciparisxl.be/blog
>https://www.iciparisxl.lu/blog

OTHER

critical
*.watsons.co.th

This asset is specifically for Watsons TH subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.co.th/

WILDCARD

critical
Marionnaud.Italy.iOS

This is our Marionnaud (iOS) app in Italy. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/it/app/marionnaud/id883671274

APPLE_STORE_APP_ID

critical
*.watsons.com.tr

This asset is specifically for Watsons TR subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.tr/

WILDCARD

critical
ICIParisXL.App.Android

This is our ICI Paris XL (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App link:
https://play.google.com/store/apps/details?id=com.iciparisxl.app

GOOGLE_PLAY_APP_ID

critical
*.superdrug.com

This asset is specifically for Superdrug subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.superdrug.com/

WILDCARD

critical
*.watsons.vn

This asset is specifically for Watsons VN subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.vn/

WILDCARD

critical
*.watsons.com.ph

This asset is specifically for Watsons PH subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.ph/

WILDCARD

critical
www.trekpleister.nl

URL

critical
Fortress (subdomains)

This asset is specifically for Fortress's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
> *.fortress.com.hk/

OTHER

critical
Watsons TH (subdomains)

This asset is specifically for Watsons TH's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.co.th

OTHER

critical
Promotion Tier

Bounty table header

OTHER

none
Watsons PH

This asset is specifically for Watsons Philippines subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.ph/

OTHER

critical
PARKnSHOP (subdomains)

This asset is specifically for PARKnSHOP's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
> *.parknshop.com/

OTHER

critical
www.iciparisxl.nl

This is our Dutch online Perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

This website is similar to other websites (Such as Superdrug and Kruidvat). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

URL

critical
Drogas.Latvia.iOS

This is our Drogas (iOS) app in Latvia. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/lv/app/drogas/id1564705644

APPLE_STORE_APP_ID

critical
www.marionnaud.it

This is our online Italian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Watsons.TaiWan.Android

This is our Watsons TaiWan Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=tw.com.watsons.app

GOOGLE_PLAY_APP_ID

critical
Marionnaud.France.Android

This is our Marionnaud (Android) app in France. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=com.marionnaud.marionnaudfrance

GOOGLE_PLAY_APP_ID

critical
Watsons HK (subdomains)

This asset is specifically for Watsons HK's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.hk/

OTHER

critical
medias.fortress.com.hk

This subdomain is used to store static content for the www.fortress.com.hk e-commerce website.

URL

critical
www.watsons.com.ph

This is our online retail platform for health and beauty products in the Philippines.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Marionnaud.Italy.Android

This is our Marionnaud (Android) app in Italy. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=it.marionnaud.customer

GOOGLE_PLAY_APP_ID

critical
media.drogas.lt

This subdomain is used to store static content for the www.drogas.lt e-commerce website

URL

critical
MoneyBack.HongKong.Android

This is our MoneyBack Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=com.asw.moneyback

GOOGLE_PLAY_APP_ID

critical
media.iciparisxl.be

This subdomain is used to store static content for the www.iciparisxl.be e-commerce website

URL

critical
*.marionnaud.hu

This asset is specifically for Marionnaud HU subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.hu/

WILDCARD

critical
*.marionnaud.sk

This asset is specifically for Marionnaud SK subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.sk/

WILDCARD

critical
ICIParisXL.App.IOS

This is our ICI Paris XL (iOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App link:
https://apps.apple.com/nl/app/ici-paris-xl-beauty/id1061895392

APPLE_STORE_APP_ID

critical
ThePerfumeShop.App.Android

This is our The Perfume Shop (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.theperfumeshop.customer

GOOGLE_PLAY_APP_ID

critical
*.moneyback.com.hk

This asset is specifically for Moneyback subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.moneyback.com.hk/

WILDCARD

critical
www.iciparisxl.lu

This is our Belgium online Perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This website is similar to other websites (Such as Superdrug and Kruidvat). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

URL

critical
www.drogas.lv

This is our Latvian online retail platform. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Tier 1

OTHER

none
The Perfume Shop

The Perfume Shop is one of our leading e-commerce perfumery websites. If you are testing functionalities that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In scope
=====================
>https://www.theperfumeshop.com/
>https://apptps.theperfumeshop.com/
>ThePerfumeShop.App.IOS
>ThePerfumeShop.App.Android

*Not eligible for bounty*
>https://www.theperfumeshop.com/blog
>https://www.theperfumeshop.com/ie/blog
>https://apptps.theperfumeshop.com/blog
>https://apptps.theperfumeshop.com/ie/blog
>*.theperfumeshop.com (See separate subdomain asset)

OTHER

critical
www.moneyback.com.hk

MoneyBack has turned shopping into fantastic rewards for families across Hong Kong. If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
app.superdrug.com

This is the API server for the Superdrug mobile app

URL

critical
*.marionnaud.at

This asset is specifically for Marionnaud AT subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.at/

WILDCARD

critical
*.marionnaud.ro

This asset is specifically for Marionnaud RO subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.ro/

WILDCARD

critical
www.watsons.com.hk

This is our online retail platform for health and beauty products in Hong Kong.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
www.watsons.com.vn

URL

critical
api.theperfumeshop.com

This is the API server for the www.theperfumeshop.com website

URL

critical
Kruidvat (subdomains)

This asset is specifically for Kruidvat's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>\*.kruidvat.nl/
>\*.kruidvat.be/

OTHER

critical
Marionnaud.Romania.iOS

This is our Marionnaud (iOS) app in Romania. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/ro/app/marionnaud-romania/id1021924260

APPLE_STORE_APP_ID

critical
Marionnaud.Switzerland.iOS

This is our Marionnaud (iOS) app in Switzerland. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/ch/app/id1486316902

APPLE_STORE_APP_ID

critical
*.iciparisxl.nl

This asset is specifically for ICI Paris XL NL subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.iciparisxl.nl/

WILDCARD

critical
api.fortress.com.hk

This is our API Server for our Fortress website (www.fortress.com.hk)

URL

critical
*.marionnaud.sz

WILDCARD

critical
Trekpleister (subdomains)

This asset is specifically for Trekpleister's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>\*.trekpleister.nl

OTHER

critical
*.pns.com.hk

WILDCARD

critical
www.drogas.lt

This is our Lithuanian online retail platform. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
*.marionnaud.cz

This asset is specifically for Marionnaud CZ subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.cz/

WILDCARD

critical
*.trekpleister.nl

This asset is specifically for Trekpleister subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.trekpleister.nl/

WILDCARD

critical
*.watsons.com.hk

This asset is specifically for Watsons HK subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.hk/

WILDCARD

critical
*.watsons.co.id

This asset is specifically for Watsons ID subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.co.id/

WILDCARD

critical
medias.watsons.co.id

This subdomain is used to store static content for the www.watsons.co.id e-commerce website.

URL

critical
Drogas.Latvia.Android

This is our Drogas (Android) app in Latvia. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=lv.drogas.consumer

GOOGLE_PLAY_APP_ID

critical
app.marionnaud.fr

This is the API server of the Marionnaud mobile app in France

URL

critical
www.iciparisxl.be

This is our Belgium online Perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This website is similar to other websites (Such as Superdrug and Kruidvat). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

URL

critical
*.watsons.com.my

This asset is specifically for Watsons MY subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.my/

WILDCARD

critical
*.theperfumeshop.com

This asset is specifically for The Perfume Shop subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.theperfumeshop.com/

WILDCARD

critical
Watsons MY (subdomains)

This asset is specifically for Watsons Malaysia subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.my/

OTHER

critical
MoneyBack

MoneyBack has turned shopping into fantastic rewards for families across Hong Kong. If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In Scope
=========
>www.moneyback.com.hk
>Mobile app retail (Android and iOS)

OTHER

critical
PARKnSHOP

ParknShop is our leading e-commerce website for every day items in Hong Kong. If you are testing functionalities that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In Scope
=========
>https://www.parknshop.com
>https://www10.parknshop.com
>api.parknshop.com
>Mobile app retail (Android and iOS)

OTHER

critical
Watsons.Philippines.IOS

This is our Watsons Philippines Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-philippines/id1438203234

APPLE_STORE_APP_ID

critical
Watsons.Turkey.Android

This is our Watsons (Android) app in Turkey. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=com.mobular.watsons

GOOGLE_PLAY_APP_ID

critical
Fortress

Fortress is one of our leading e-commerce websites in Hong Kong and Macau.
Customers could shop for electrical appliances after paying their electricity bills. If you are testing functionalities that require you to be authenticated,
please ensure you register with your @wearehackerone.com email address.

In Scope
=========
>https://www.fortress.com.hk
>Mobile app retail (Android and iOS)

OTHER

critical
Marionnaud FR (subdomains)

OTHER

critical
media.marionnaud.at

This subdomain is used to store static content for the www.marionnaud.at e-commerce website.

URL

critical
Kruidvat

This is our Benelux online retail platform for health and beauty products. If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In scope
=====================
>https://www.kruidvat.nl/
>https://www.kruidvat.be/
>https://app.kruidvat.nl/
>https://app.kruidvat.be/
>Mobile app retail (Android and iOS)

*Not eligible for bounty*
>https://www.kruidvat.nl/persoonlijk/
>https://www.kruidvat.nl/blog/
>https://www.kruidvat.be/blog/

OTHER

critical
blog.watsons.com.tr

URL

medium
Marionnaud.France.Android

GOOGLE_PLAY_APP_ID

critical
app.marionnaud.fr

URL

critical
Marionnaud.France.iOS

APPLE_STORE_APP_ID

critical
www.watsons.com.my

This is our online retail platform for health and beauty products in Malaysia.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Fortress.HongKong.IOS

This is our MoneyBack Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://apps.apple.com/hk/app/fortress/id1133110850

APPLE_STORE_APP_ID

critical
Watsons.Singapore.IOS

This is our Watsons Singapore Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-sg-the-official-app/id449412168

APPLE_STORE_APP_ID

critical
Watsons.Philippines.IOS

This is our Watsons Philippines Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-philippines/id1438203234

APPLE_STORE_APP_ID

critical
Watsons.TaiWan.IOS

This is our Watsons TaiWan Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E5%8F%B0%E7%81%A3/id477968775

APPLE_STORE_APP_ID

critical
Watsons.Thailand.IOS

This is our Watsons Thailand Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-th/id619935224

APPLE_STORE_APP_ID

critical
www.watsons.co.id

This is our online retail platform for health and beauty products in Indonesia.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
medias.watsons.co.th

This subdomain is used to store static content for the www.watsons.co.th e-commerce website.

URL

critical
Kruidvat.Belgium.Android

This is our Dutch online retail mobile app for Belgium customers. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.
App Link
https://play.google.com/store/apps/details?id=be.kruidvat.voordeelkaart

GOOGLE_PLAY_APP_ID

critical
The Perfume Shop (subdomains)

The Perfume Shop (subdomains)

This asset is specifically for The Perfume Shop's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>\*.theperfumeshop.com/

OTHER

critical
app.kruidvat.be

This is the API server of the Kruidvat Mobile App in Belgium

URL

critical
Marionnaud.Austria.Android

This is our Marionnaud (Android) app in Austria. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=at.marionnaud.customer

GOOGLE_PLAY_APP_ID

critical
*.drogas.lt

This asset is specifically for Drogas LT subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.drogas.lt/

WILDCARD

critical
*.fortress.com.hk

This asset is specifically for Fortress HK subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.fortress.com.hk/

WILDCARD

critical
*.iciparisxl.be

This asset is specifically for ICI Paris XL BE subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.iciparisxl.be/

WILDCARD

critical
www10.watsons.co.id

This is the API server for the Watsons Indonesia Mobile App

URL

critical
blog.watsons.com.tr

This is the wordpress blog for Watsons Turkey. This asset is regarded as (Tier 3) subdomain.

URL

medium
Watsons.Indonesia.Android

This is our Watsons Indonesia Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.watsons.id.android

GOOGLE_PLAY_APP_ID

critical
api.marionnaud.at

This is the API server for the www.marionnaud.at e-commerce website.

URL

critical
www.theperfumeshop.com

The Perfume Shop is one of our leading e-commerce perfumery websites. If you are testing functionalities that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Marionnaud (subdomains)

This asset is specifically for Marionnauds' subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>\*.marionnaud.it
>\*.marionnaud.fr
>\*.marionnaud.ch
>\*.marionnaud.ro
>\*.marionnaud.hu
>\*.marionnaud.sk
>\*.marionnaud.cz

OTHER

critical
Superdrug.App.IOS

This is our Superdrug Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App link: https://apps.apple.com/gb/app/superdrug/id1267896687

OTHER_IPA

critical
www10.watsons.com.hk

This is the API server for the Watsons Hong Kong Mobile App

URL

critical
Superdrug

Superdrug is one of our leading e-commerce websites in health and beauty. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In scope
=====================
>https://www.superdrug.com/
>https://app.superdrug.com/
>Superdrug.App.IOS
>Superdrug.App.Android

*Not eligible for bounty*
>https://www.superdrug.com/blog

OTHER

critical
api.marionnaud.ch

This is the API server for the www.marionnaud.ch e-commerce website.

URL

critical
media.marionnaud.fr

This subdomain is used to store static content for the www.marionnaud.fr e-commerce website.

URL

critical
app.iciparisxl.lu

This is the API server of the ICI Paris XL mobile app in Luxembourg

URL

critical
*.kruidvat.be

This asset is specifically for Kruidvat NL subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.kruidvat.be/

WILDCARD

critical
*.pns.hk

This asset is specifically for PNS's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
> \*.pns.hk/

WILDCARD

critical
www.fortress.com.hk

Fortress is one of our leading e-commerce websites in Hong Kong and Macau.
Customers could shop for electrical appliances after paying their electricity bills. If you are testing functionalities that require you to be authenticated,
please ensure you register with your @wearehackerone.com email address.

URL

critical
www.watsons.com.hk

URL

critical
api.watsons.co.th

URL

critical
Watsons.TaiWan.Android

This is our Watsons TaiWan Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=tw.com.watsons.app

GOOGLE_PLAY_APP_ID

critical
Watsons.Malaysia.Android

This is our Watsons Malaysia Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.watsons.mcommerce

GOOGLE_PLAY_APP_ID

critical
PNS

PNS is our leading e-commerce website for every day items in Hong Kong. If you are testing functionalities that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In Scope
=========
>https://www.pns.hk
>https://www10.pns.hk
>api.pns.hk
>Mobile app retail (Android and iOS)

OTHER

critical
Superdrug (subdomains)

This asset is specifically for Superdrug's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>*.superdrug.com/

Out of scope
=====================
>https://appt.healthclinics.superdrug.com/
>https://healthclinics.superdrug.com/

OTHER

critical
Marionnaud

This is one of our main perfumeries. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

In scope
=====================
>https://www.marionnaud.it/
>https://www.marionnaud.at/
>https://www.marionnaud.ch/
>https://www.marionnaud.ro/
>https://www.marionnaud.sk/
>https://www.marionnaud.cz/
>https://www.marionnaud.hu/
>https://app.marionnaud.it/
>https://app.marionnaud.at/
>https://app.marionnaud.ch/
>https://app.marionnaud.ro/
>https://app.marionnaud.sk/
>https://app.marionnaud.cz/
>https://app.marionnaud.hu/
>Mobile app retail (Android and iOS)

*Not eligible for bounty*
>\*.marionnaud.it/
>\*.marionnaud.at/
>\*.marionnaud.ch/
>\*.marionnaud.ro/
>\*.marionnaud.sk/
>\*.marionnaud.cz/
>\*.marionnaud.hu/
>https://www.marionnaud.it/blog/
>https://www.marionnaud.at/blog/
>https://www.marionnaud.ch/blog/
>https://www.marionnaud.ro/blog/
>https://www.marionnaud.sk/blog/
>https://www.marionnaud.cz/blog/
>https://www.marionnaud.hu/blog/

OTHER

critical
api.watsons.com.hk

This is the API server for the www.watsons.com.hk website

URL

critical
Watsons.Singapore.Android

This is our Watsons Singapore Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.watsons.sg.android

GOOGLE_PLAY_APP_ID

critical
www10.watsons.com.ph

This is the API server for the Watsons Philippines Mobile App

URL

critical
www.marionnaud.sk

This is our online Slovakian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Watsons.Indonesia.IOS

This is our Watsons Indonesia Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://apps.apple.com/hk/app/watsons-id/id1184851346

APPLE_STORE_APP_ID

critical
api.marionnaud.it

This is the API server for the www.marionnaud.it e-commerce website.

URL

critical
Watsons TW (subdomains)

This asset is specifically for Watsons TW's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.tw/

OTHER

critical
Kruidvat.App.Android

This is our Dutch online retail mobile app. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

Netherlands https://play.google.com/store/apps/details?id=nl.kruidvat.voordeelkaart

Belgium
https://play.google.com/store/apps/details?id=be.kruidvat.voordeelkaart

GOOGLE_PLAY_APP_ID

critical
Kruidvat.App.IOS

This is our Dutch online retail mobile app. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

Netherlands
https://itunes.apple.com/nl/app/kruidvat-mobiele-app/id531631058

Belgium
https://apps.apple.com/be/app/kruidvat/id1151434781

APPLE_STORE_APP_ID

critical
www10.watsons.co.th

URL

critical
www10.watsons.co.id

URL

critical
www.watsons.com.sg

URL

critical
api.watsons.com.sg

URL

critical
www.watsons.com.my

URL

critical
Watsons.Thailand.Android

This is our Watsons Thailand Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.mtelnet.watson.thailand

GOOGLE_PLAY_APP_ID

critical
www.superdrug.com

This is our online retail platform. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
www.iciparisxl.be

This is our Belgium online Perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This website is similar to other websites (Such as Superdrug and Kruidvat). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

URL

critical
app.kruidvat.be

This is the API server of the Kruidvat Mobile App in Belgium

URL

critical
app.iciparisxl.be

This is the API server of the ICI Paris XL mobile app in Belgium

URL

critical
api.superdrug.com

This is the API server for the superdrug.com website

URL

critical
apptps.theperfumeshop.com

This is the API server of The Perfume Shop mobile app

URL

critical
medias.watsons.com.tw

This subdomain is used to store static content for the www.watsons.com.tw e-commerce website.

URL

critical
www.marionnaud.at

This is our online Austrian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
app.marionnaud.ch

This is the API server of the Marionnaud mobile app in Switzerland

URL

critical
www.marionnaud.cz

This is our online Czech perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
www.marionnaud.it

This is our online Italian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
ThePerfumeShop.App.Android

This is our The Perfume Shop (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.theperfumeshop.customer

GOOGLE_PLAY_APP_ID

critical
ICIParisXL.App.IOS

This is our ICI Paris XL (iOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App link:
https://apps.apple.com/nl/app/ici-paris-xl-beauty/id1061895392

APPLE_STORE_APP_ID

critical
*.kruidvat.nl

This asset is specifically for Kruidvat NL subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.kruidvat.nl/

WILDCARD

critical
Watsons MY (subdomains)

This asset is specifically for Watsons Malaysia subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.my/

OTHER

critical
medias.watsons.com.sg

This subdomain is used to store static content for the www.watsons.com.sg e-commerce website.

URL

critical
ThePerfumeShop.App.iOS

This is our The Perfume Shop (iOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

Appstore Link
https://apps.apple.com/gb/app/the-perfume-shop/id1202206665

APPLE_STORE_APP_ID

critical
api.watsons.co.th

This is the API server for the www.watsons.co.th website

URL

critical
https://www.drogas.lt/blog

This is our Wordpress blog for Drogas Lithuania

URL

critical
*.drogas.lv

This asset is specifically for Drogas LV subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.drogas.lv/

WILDCARD

critical
api-mcom.parknshop.com

This is the API server for the old PNS environment

URL

critical
PNS (subdomains)

This asset is specifically for PNS's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
> *.pns.hk/
> *.parknshop.com/

OTHER

critical
Watsons HK (subdomains)

This asset is specifically for Watsons HK's subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.hk/

OTHER

critical
www.marionnaud.hu

This is our online Hungarian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
app.marionnaud.sk

This is the API server of the Marionnaud mobile app in Slovakia

URL

critical
medias.pns.hk

This subdomain is used to store static content for the www.pns.hk e-commerce website.

URL

critical
ICI Paris XL (subdomains)

ICI Paris XL (subdomains)

This asset is specifically for ICI Paris XL's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In scope
=====================
>\*.iciparisxl.nl/
>\*.iciparisxl.be/
>\*.iciparisxl.lu/

OTHER

critical
PNS (subdomains)

This asset is specifically for PNS's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In Scope
=========
> \*.pns.hk/
> \*.parknshop.com/

OTHER

critical
Fortress (subdomains)

This asset is specifically for Fortress's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In Scope
=========
> *.fortress.com.hk/

OTHER

critical
medias.watsons.com.my

This subdomain is used to store static content for the www.watsons.com.my e-commerce website.

URL

critical
api.marionnaud.fr

This is the API server for the www.marionnaud.fr website

URL

critical
https://www.drogas.lv/lv/blog

This is our wordpress blog for Drogas Latvia

URL

medium
app.marionnaud.it

This is the API server of the Marionnaud mobile app in Italy

URL

critical
www10.watsons.com.sg

This is the API server for the Watsons Singapore Mobile App

URL

critical
media.iciparisxl.nl

This subdomain is used to store static content for the www.iciparisxl.nl e-commerce website

URL

critical
app.marionnaud.ro

This is the API server of the Marionnaud mobile app in Romania

URL

critical
Watsons ID (subdomains)

This asset is specifically for Watsons Indonesia subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.co.id

OTHER

critical
Watsons.Philippines.Android

This is our Watsons Philippines Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.mtelnet.watson.ph

GOOGLE_PLAY_APP_ID

critical
MoneyBack.HongKong.iOS

This is our MoneyBack Mobile (iOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://apps.apple.com/hk/app/moneyback/id1230818544

APPLE_STORE_APP_ID

critical
Watsons.TaiWan.IOS

This is our Watsons TaiWan Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E5%8F%B0%E7%81%A3/id477968775

APPLE_STORE_APP_ID

critical
www.fortress.com.hk

Fortress is one of our leading e-commerce websites in Hong Kong and Macau.
Customers could shop for electrical appliances after paying their electricity bills. If you are testing functionalities that require you to be authenticated,
please ensure you register with your @wearehackerone.com email address.

URL

critical
app.drogas.lt

This is the API server of the Drogas Lithuania mobile app

URL

critical
www.superdrug.com

This is our online retail platform. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Watsons PH (subdomains)

This asset is specifically for Watsons Philippines subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.com.ph/

OTHER

critical
www10.watsons.vn

This is the API server of the Watsons Vietnam Mobile App

URL

critical
medias.watsons.com.hk

This subdomain is used to store static content for the www.watsons.com.hk e-commerce website.

URL

critical
www.watsons.com.sg

This is our online retail platform for health and beauty products in Singapore.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Drogas.Lietuva.Android

This is our Drogas (Android) app in Lithuania. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=lt.drogas.consumer

GOOGLE_PLAY_APP_ID

critical
www.watsons.com.tw

This is our online retail platform for health and beauty products in Taiwan.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Marionnaud.Romania.iOS

This is our Marionnaud (iOS) app in Romania. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/ro/app/marionnaud-romania/id1021924260

APPLE_STORE_APP_ID

critical
www10.watsons.co.th

This is the API server for the Watsons Thailand Mobile App

URL

critical
media.superdrug.com

This subdomain is used to store static content for the www.superdrug.com e-commerce website

URL

critical
www10.watsons.com.vn

URL

critical
api.watsons.com.vn

URL

critical
Kruidvat.Belgium.Android

This is our Dutch online retail mobile app for Belgium customers. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.
App Link
https://play.google.com/store/apps/details?id=be.kruidvat.voordeelkaart

GOOGLE_PLAY_APP_ID

critical
medias.watsons.com.ph

This subdomain is used to store static content for the www.watsons.com.ph e-commerce website.

URL

critical
Drogas.Lietuva.iOS

This is our Drogas (iOS) app in Lithuania. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

APPLE_STORE_APP_ID

critical
Watsons TR (subdomains)

This asset is specifically for Watsons TR' subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>\*.watsons.com.tr

OTHER

critical
app.marionnaud.sk

This is the API server of the Marionnaud mobile app in Slovakia

URL

critical
Watsons.Turkey.iOS

This is our Watsons (iOS) app in Turkey. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
https://apps.apple.com/app/watsons-t%C3%BCrkiye/id1507132907

APPLE_STORE_APP_ID

critical
app.kruidvat.nl

This is the API server of the Kruidvat Mobile App in the Netherlands

URL

critical
app.marionnaud.cz

This is the API server of the Marionnaud mobile app in Czech Republic

URL

critical
medias.watsons.vn

This subdomain is used to store static content for the www.watsons.vn e-commerce website.

URL

critical
media.marionnaud.it

This subdomain is used to store static content for the www.marionnaud.it e-commerce website.

URL

critical
app.marionnaud.at

This is the API server of the Marionnaud mobile app in Austria

URL

critical
Watsons.Thailand.IOS

This is our Watsons Thailand Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-th/id619935224

APPLE_STORE_APP_ID

critical
api.watsons.co.id

This is the API server for the www.watsons.co.id website

URL

critical
https://www.drogas.lv/ru/blog

This is our wordpress blog for Drogas Latvia

URL

medium
Tier 2

OTHER

none
www.watsons.com.tr

This is our Turkish online retail platform for health and beauty products.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
www.marionnaud.fr

This is our online France perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Watsons.HongKong.IOS

This is our Watsons HongKong Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E9%A6%99%E6%B8%AF/id479512803

APPLE_STORE_APP_ID

critical
www.kruidvat.nl

This is our Dutch online retail platform. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

This website is similar to other websites (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.

URL

critical
*.iciparisxl.lu

This asset is specifically for ICI Paris XL LU subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.iciparisxl.lu/

WILDCARD

critical
*.marionnaud.fr

This asset is specifically for Marionnaud FR subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.fr/

WILDCARD

critical
*.marionnaud.it

This asset is specifically for Marionnaud IT subdomain assets.
Please note that for subdomains (tier 3); will only pay out reports that have a high or critical severity.

In Scope
=========
>*.marionnaud.it/

WILDCARD

critical
Watsons.Malaysia.IOS

This is our Watsons Malaysia Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-my/id1112796292

APPLE_STORE_APP_ID

critical
app.iciparisxl.nl

This is the API server of the ICI Paris XL mobile app in the Netherlands

URL

critical
www10.watsons.com.my

This is the API server for the Watsons Malaysia Mobile App

URL

critical
Fortress.HongKong.Android

This is our Fortress Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=fortress.fortressapp

GOOGLE_PLAY_APP_ID

critical
app.theperfumeshop.com

This is the new API server of The Perfume Shop mobile app

URL

critical
app.marionnaud.ch

This is the API server of the Marionnaud mobile app in Switzerland

URL

critical
www10.fortress.com.hk

This is the API server for the Fortress Mobile App

URL

critical
Drogas (subdomains)

This asset is specifically for Drogas' subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In scope
=====================
>\*.drogas.lv
>\*.drogas.lt

OTHER

critical
Watsons.Malaysia.Android

This is our Watsons Malaysia Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.watsons.mcommerce

GOOGLE_PLAY_APP_ID

critical
mapi-sim.fortress.com.hk

This is our mobile app subdomain for Fortress.

URL

critical
Tier 3

OTHER

none
app.iciparisxl.be

This is the API server of the ICI Paris XL mobile app in Belgium

URL

critical
Watsons.Singapore.IOS

This is our Watsons Singapore Mobile (IOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/hk/app/watsons-sg-the-official-app/id449412168

APPLE_STORE_APP_ID

critical
www.marionnaud.ro

This is our online Romanian perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
media.iciparisxl.lu

This subdomain is used to store static content for the www.iciparisxl.lu e-commerce website

URL

critical
Superdrug (subdomains)

This asset is specifically for Superdrug's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In scope
=====================
>*.superdrug.com/

Out of scope
=====================
>https://appt.healthclinics.superdrug.com/
>https://healthclinics.superdrug.com/

OTHER

critical
www.watsons.vn

This is our online retail platform for health and beauty products in Vietnam. If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
Marionnaud.Switzerland.iOS

This is our Marionnaud (iOS) app in Switzerland. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/ch/app/id1486316902

APPLE_STORE_APP_ID

critical
Marionnaud.Switzerland.Android

This is our Marionnaud (Android) app in Switzerland. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=ch.marionnaud.customer

GOOGLE_PLAY_APP_ID

critical
Marionnaud.Romania.Android

This is our Marionnaud (Android) app in Romania. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://play.google.com/store/apps/details?id=ro.marionnaud.customer

GOOGLE_PLAY_APP_ID

critical
Marionnaud.Austria.iOS

This is our Marionnaud (iOS) app in Austria. Please make sure to consult our policy page to see which items are out of scope for mobile apps.
App Link
https://apps.apple.com/gb/app/marionnaud-%C3%B6sterreich/id1114541888

APPLE_STORE_APP_ID

critical
www.watsons.co.th

This is our online retail platform for health and beauty products in Thailand.
If you are testing a functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
https://www.kruidvat.nl/fotoservice

URL

medium
https://www.kruidvat.nl/persoonlijk

URL

medium
PNS.HongKong.iOS

This is our PNS Mobile (iOS) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://apps.apple.com/hk/app/parknshop/id840837558

APPLE_STORE_APP_ID

critical
www10.pns.hk

This is the API server for the PNS Mobile App

URL

critical
api.pns.hk

This is our API Server for our PNS website (www.pns.hk)

URL

critical
Kruidvat.Belgium.iOS

This is our Dutch online retail mobile app for Belgium customers. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.
App Link
https://apps.apple.com/be/app/kruidvat/id1151434781

APPLE_STORE_APP_ID

critical
Kruidvat.Netherlands.Android

This is our Dutch online retail mobile app. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.
App Link
https://play.google.com/store/apps/details?id=nl.kruidvat.voordeelkaart

GOOGLE_PLAY_APP_ID

critical
Kruidvat.Netherlands.iOS

This is our Dutch online retail mobile app. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.
This app is similar to other apps (Such as Superdrug). Please keep in mind that issues might be considered duplicates if it is reported on another website already.
App Link
https://itunes.apple.com/nl/app/kruidvat-mobiele-app/id531631058

APPLE_STORE_APP_ID

critical
Fortress.HongKong.IOS

This is our MoneyBack Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://apps.apple.com/hk/app/fortress/id1133110850

APPLE_STORE_APP_ID

critical
Moneyback (subdomains)

This asset is specifically for Moneyback's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In Scope
=========
> *.moneyback.com.hk/

OTHER

critical
The Perfume Shop (subdomains)

The Perfume Shop (subdomains)

This asset is specifically for The Perfume Shop's subdomain assets.
Please note that for subdomains (tier 3), will only pay out reports that have a high or critical severity.

In scope
=====================
>\*.theperfumeshop.com/

OTHER

critical
www20.watsons.co.th

URL

critical
www.marionnaud.ch

This is our online Swiss perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
mapi.moneyback.com.hk

This is the API Server for our MoneyBack Mobile App

URL

critical
www.marionnaud.cz

This is our online Czech perfumery. If you are testing functionality that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
app.marionnaud.hu

This is the API server of the Marionnaud mobile app in Hungary

URL

critical
app.drogas.lv

This is the API server of the Drogas Latvia mobile app.

URL

critical
https://www.drogas.lv/blog/

This is our Wordpress blog for Drogas Latvia

URL

medium
api.watsons.vn

This is the API server for the www.watsons.vn website

URL

critical
www.pns.hk

PNS is our leading e-commerce website for every day items in Hong Kong. If you are testing functionalities that requires you to be authenticated, please ensure you register with your @wearehackerone.com email address.

URL

critical
api.watsons.com.sg

This is the API server for the www.watsons.com.sg website

URL

critical
api.watsons.com.tw

This is the API server for the www.watsons.com.tw website

URL

critical
Watsons.Thailand.Android

This is our Watsons Thailand Mobile (Android) app. Please make sure to consult our policy page to see which items are out of scope for mobile apps.

App Link
https://play.google.com/store/apps/details?id=com.mtelnet.watson.thailand

GOOGLE_PLAY_APP_ID

critical
Watsons VN (subdomains)

This asset is specifically for Watsons VN subdomain assets.
Please note that for subdomains (tier 3), will only handle reports that have a high or critical severity.

In Scope
=========
>*.watsons.vn/

OTHER

critical
media.theperfumeshop.com

This subdomain is used to store static content for the www.theperfumeshop.com e-commerce website

URL

critical
api.watsons.com.ph

This is the API server for the www.watsons.com.ph website

URL

critical
api.iciparisxl.nl

This is the API server for the www.iciparisxl.lu website

URL

critical
api.drogas.lv

This is the API server of the Drogas mobile app in Latvia

URL

critical