Yahoo! HackerOne


Target Policy
https://hackerone.com/yahoo?type=team
Structured Scope
  Columns: Asset Identifier / Asset Type / Max Severity
  • Yahoo Cricket

    * [Yahoo Cricket Android](https://play.google.com/store/apps/details?id=com.si.yahoocricket)
    * [Yahoo Cricket iOS](https://itunes.apple.com/in/app/yahoo-cricket/id1276184907?mt=8)
    * Out of Scope: `cricket.yahoo.net` (third party)
    * Out of Scope: `*.sportz.io` (third party)

    OTHER
    none
  • Boundless

    To submit bugs, contact: yj-csirt@mail.yahoo.co.jp

    This includes these and possibly other domains currently and/or formerly associated with Yahoo Japan:
    * *.yahoo-net.jp
    * *.yahoo.net

    OTHER
    none
  • Newsroom

    * [Newsroom Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.yahoo)
    * [Newsroom iOS](https://itunes.apple.com/us/app/newsroom-news-that-gets-you-talking/id304158842?mt=8)
    * Newsroom (web)

    OTHER
    critical
  • Yahoo HK Shopping

    ## In Scope
    * [Yahoo HK Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.hkdeals)
    * [Yahoo HK Shopping iOS](https://itunes.apple.com/hk/app/yahoo-hk-shopping/id472140112?mt=8)
    * [Yahoo HK Shopping (web)](https://hk.shop.yahoo.com/)

    ## Out of Scope
    * *.myguide.hk

    OTHER
    none
  • Engadget

    ## In Scope
    * [APIs](https://api.engadget.com/api)
    * *.engadget.com

    ## Notes
    * Separate reports for the same or similar payload/issue against multiple international editions will be marked as duplicates and paid only once for Engadget international editions.

    ## Out of Scope
    * *.spot.im (3rd party, Spot.IM)
    * *.cn.engadget.com (Engadget International Edition)
    * *.chinese.engadget.com (Engadget International Edition)
    * *.japanese.engadget.com (Engadget International Edition)
    * jobs.engadget.com (3rd party, Jobboard.io)

    OTHER
    critical
  • Yahoo Finance

    * [iOS](https://itunes.apple.com/us/app/yahoo-finance/id328412701?mt=8)
    * [Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.finance&hl=en_US)
    * *.finance.yahoo.com
    * OBI Premium Checkout: https://checkout.finance.yahoo.com/checkout/v1
    * API WebSockets Streaming Market Data: http://streamer.finance.yahoo.com
    * finance.mobile.yahoo.com
    * finance.query.yahoo.com

    OTHER
    critical
  • Other (misc)

    Only use this asset when nothing else can be reasonably selected.

    Bugs with Yahoo products that are not listed in scope of our [Public Program](https://hackerone.com/yahoo) can still be submitted to this asset and *might* be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

    Use this asset for:
    * *.vzbuilders.com
    * *.oath.cloud
    * *.yahoo.cloud

    OTHER
    critical
  • Autoblog

    ## In Scope
    * www.autoblog.com

    ## Out of Scope
    * *.spot.im (3rd party, Spot.IM)
    * Development-like environments for `autoblog.com` exist, but should not be tested; keep the testing in Production (`www.`).

    OTHER
    critical
  • Yahoo Elections

    ## In Scope
    *Note: you MUST include the* `ref=electionsNight` *parameter to hit the right in-scope pages.*
    * https://www.yahoo.com/elections?ref=electionsNight
    * https://www.yahoo.com/elections/senate?ref=electionsNight
    * https://www.yahoo.com/elections/house?ref=electionsNight
    * https://www.yahoo.com/elections/state/al?ref=electionsNight (and all other US state pages)

    ## Notes
    Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.

    ## Out of Scope
    * elections.yahoo.com (First Party, Yahoo Search)
    * yahoo.com/elections (First Party, Yahoo Search)
    * yahoo.turbovote.org (Third Party, Turbovote)
    * Historical Race Feed: https://www.realclearpolitics.com/poll/race/903/historical_data.json (Third Party, Real Clear Politics)
    * Presidential RCP Feed: https://www.realclearpolitics.com/syn/verizon_2020_president_trump_vs_/main.json (Third Party, Real Clear Politics)
    * Trump Approval RCP Feed: https://www.realclearpolitics.com/syn/verizon_president_trump_approval_ratings/main.json (Third Party, Real Clear Politics)
    * Senate RCP Feed: https://www.realclearpolitics.com/syn/verizon_2020_senate/main.json (Third Party, Real Clear Politics)
    * House RCP Feed: https://www.realclearpolitics.com/syn/verizon_house_2020/main.json (Third Party, Real Clear Politics)
    * Associated Press, Third Party
    * Scribble Live, Third Party

    OTHER
    critical
  • TW eCommerce: Auctions

    ## In Scope
    * [Yahoo TW Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecauction)
    * [Yahoo TW Auctions iOS](https://itunes.apple.com/tw/app/yahoo%E6%8B%8D%E8%B3%A3-%E5%88%8A%E7%99%BB%E5%85%8D%E8%B2%BB/id1033771352?mt=8)
    * Yahoo TW Auctions:
    * *.bid.yahoo.com
    * https://tw.bid.yahoo.com
    * Yahoo TW Auctions APIs:
    * https://tw.bid.yahoo.com/api/
    * https://tw.api.bid.yahoo.com:4443
    * Search API: tw.search.ec.yahoo.com

    ## Notes
    * Access to the Taiwan sites from some countries in Europe may be blocked.
    * `Buyer` accounts can be set up for any Yahoo user.
    * `Seller` accounts require a TW phone number and 2FA.
    * **Do not** use fake data (like nid) when operating the cash functions; it may cause real money to be stuck, and **we will hold you accountable for broken workflows.**
    * You are required to clean up all the testing data related to posting new products.
    * You **must** include the following “test” label in **ALL** posts (in the most visible location) to prevent regular users from interacting with hacker-created content: `[PARANOIDS-勿下標][TEST]` -- *Any reports identified that are missing this label will not receive a bounty.*

    ## Out of Scope
    * *.yahoo.com.tw
    * ismarus-ap-94600.tw.juiker.net
    * *.tw.juiker.net
    * auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
    * *.straas.net
    * iOS: JuikerIMSDK.framework, StraaS-iOS-SDK
    * Android: io.straas.android.sdk
    * ecfme.famiport.com.tw (Third Party)

    OTHER
    critical
  • AOL Homepage

    ## In Scope
    * www.aol.fr
    * www.aol.de
    * www.aol.co.uk
    * www.aol.jp
    * www.aol.in
    * www.aol.ca
    * www.aol.com
    * www.aol.com/*
    * AOL Games Landing Page - https://www.aol.com/games/ -> **see 3rd Party Notes Below**

    ## Notes
    **OOS Exception:** 3rd party components that affect aol.com (e.g. an XSS that executes in the AOL.com domain as a result of abusing the TravelZoo module on the Travel page)

    ## Out of Scope
    First Party Things:
    * https://ottr.video.yahoo.com/v1/video-exp/schedule
    * https://s.yimg.com/rb/screwdriver/ctv/ve-module/builds/prod/aol/dist/vem.js

    Second Party Things:
    * [DataMask by AOL](https://get.aol.com/datamask/) (White Label app)
    * [AOL OnePoint](https://get.aol.com/onepoint) (White Label app)
    * [Private WiFi by AOL](https://get.aol.com/privatewifi/) (White Label app)
    * [AOL Games](https://www.aol.com/games) (White Label app)

    Third Party Things:
    * 3rd Party Ad Integration. (Third Party, Taboola)
    * `Popular in the Community`, `More Conversations for You`, Commenting on articles (and more) (Third Party, OpenWeb)
    * spot.im (Third Party, OpenWeb)
    * Individual AOL Games pages are rendered by us, but we iFrame in the Masque game URLs. (Third Party, Masque)
    * games.com, fungames.aol.com & fungames.com (Third Party, Masque)
    * Comparecards.aol.com is CNAME’d to our own ATS cluster which forward maps requests to the comparecards cloudfront distribution. (Third Party, CompareCards)
    * JS widget on the AOL.com homepage providing news stories. (Third Party, Zergnet)
    * Serverside rendered module on aol.com/real-estate, data comes from Zillow api. (Third Party, Zillow)
    * Serverside rendered module on www.aol.com/travel, data comes from TravelZoo api. (Third Party, Travel Zoo)
    * rezserver.com (Third Party, Travel Zoo)

    OTHER
    critical
  • yimg.com

    yimg is a resource storage and content distribution network (CDN).

    **Note:** Reports submitted that exploit bugs **only** in the context of the `yimg.com` domain are most likely to be closed as `Informative`. Most bugs in `*.yimg.com` will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains (e.g. yahoo.com or aol.com) to be eligible for bounty. CVSS Environmental scores have been set to account for this limitation.

    What does that mean for my report?
    1. If you show escalation into a trusted domain's context (such as yahoo.com) it will be accepted at the 100% bounty rate. A bonus may be applied for different instances within the trusted domain list only; not for other instances of vulnerable content on yimg.com.
    2. If you show execution in the context of *.yimg.com only, the vulnerability MAY be accepted by the business owner in some instances. In that case, a minimum bounty would be offered only if the content is removed. There are no "same bug different host" or other vulnerability grouping bonus offers for this asset.

    URL
    medium
  • Low Cost Access

    ## In Scope
    * *.isp.netscape.com
    * *.lite.aol.com
    * *.compuserve.com
    * www.wmconnect.com

    Other places to look
    * webaccelerator.isp.netscape.com
    * register.isp.netscape.com
    * admin.isp.netscape.com
    * www.getnetscape.com
    * netscape.compuserve.com

    ## Out of Scope
    * Subdomains of `wmconnect.com` outside of `www`

    ## Notes
    * These services are designed for delivery through slow internet connections.
    * Registration for these services has been disabled.
    * Help-related pages/domains should be reported to the AOL Help asset.

    OTHER
    critical
  • Yahoo Mail

    * [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)
    * [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)
    * [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)
    * [Yahoo Mail iOS](https://itunes.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159?mt=8)
    * [Yahoo Mail (web)](https://mail.yahoo.com/)

    Out of Scope:
    * mail.yahoo.com/cal/ (this is the same as `calendar.yahoo.com` and should be reported as Yahoo Calendar)

    OTHER
    critical
  • AOL Help

    ## In Scope
    * help.aol.com
    * assistance.aol.fr
    * help.aol.co.uk
    * hilfe.aol.de

    ## Notes
    Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.

    ## Out of Scope
    * assist.aol.com (2nd party service)
    * helpisp.netscape.com
    * helpconnect.netscape.com
    * help.compuserve.com

    OTHER
    critical
  • TW eCommerce: Shopping

    ## In Scope
    * [Yahoo TW Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecshopping)
    * [Yahoo TW Shopping iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B3%BC%E7%89%A9%E4%B8%AD%E5%BF%83/id1061577845?mt=8)
    * Yahoo TW Shopping
    * twpay.buy.yahoo.com
    * Web: https://tw.buy.yahoo.com/
    * Mobile Web: https://m.tw.buy.yahoo.com/
    * API: https://tw.mapi.shp.yahoo.com
    * Search API: tw.search.ec.yahoo.com
    * Rushbuy API: rushbuy.buy.yahoo.com

    ## Out of Scope
    * *.yahoo.com.tw
    * iOS: TPDirect.framework
    * Android: tech.cherri.tpdirect.api

    OTHER
    critical
  • Yahoo Sports: Fantasy Slate/PicknWin

    ## In Scope
    * https://sports.yahoo.com/fantasyslate

    OTHER
    critical
  • Yahoo Sports: Daily Fantasy

    ## In Scope
    * https://sports.yahoo.com/dailyfantasy/
    * https://sports.yahoo.com/dailyfantasy/contest/create

    OTHER
    critical
  • Yahoo HK Auctions

    * [Yahoo HK Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.hkauctions)
    * [Yahoo HK Auctions iOS](https://itunes.apple.com/hk/app/yahoo-pai-mai/id943334932?mt=8)
    * [Yahoo HK Auctions (web)](https://hk.auctions.yahoo.com/)

    OTHER
    none
  • TW Media: Stock

    ## In Scope
    * [Yahoo TW Stock Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.TWStock)
    * [Yahoo TW Stock iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%82%A1%E5%B8%82/id790214428?mt=8)
    * Yahoo TW Stock
    * tw.stock.yahoo.com
    * API: https://stock-app.abumedia.yql.yahoo.com
    * API: https://tw-finance-yql.media.yahoo.com

    ## Notes
    * `stock.yahoo.com` and `finance.yahoo.com` are identical; reports will NOT be credited same-bug-different-host bonuses when issues are found on both domains.
    * TW Stock Apps have a strong dependency on third-party SDK(s) for receiving real-time market quote data. Every page containing values (volume, prices, up/down flag, …) for indices, tickers, ETFs, …, as well as ticker information, line charts and notification settings, gets its data from the SDK. The connection to the SDK service is established when the app launches and lasts for the app's whole lifetime. **These SDK service(s) are out of scope.**

    ## Out of Scope
    * *.yahoo.com.tw
    * tw.finance.yahoo.com
    * Quote SDK (from Systex inc.)

    OTHER
    critical
  • AOL Mail

    ## In Scope
    * *.mail.aol.com (see exclusions below)
    * rpc.mail.aol.com

    ## Notes
    * oidc.mail.aol.com (Hosted by Mail, but belongs to `Membership`)

    ## Out of Scope
    * mail.aol.com/calsvc
    * [AOL iOS](https://apps.apple.com/us/app/aol-news-email-weather-video/id646100661)
    * [AOL Android](https://play.google.com/store/apps/details?id=com.aol.mobile.aolapp&hl=en_US)
    * [AOL FireOS](https://www.amazon.com/AOL-Inc-Mail-News-Video/dp/B011VYAGSY)
    * [AOL Desktop Gold](https://get.aol.com/aol-desktop-gold)
    * apis.mail.aol.com
    * test-apis.mail.aol.com
    * *.aolmail.com
    * mail.aol.com/classicab
    * mail.aol.com/getmydata
    * mail.aol.com/ws
    * *.aol.com

    OTHER
    critical
  • Yahoo Open Source Projects (misc)

    Select open source projects are now eligible for bounties! The rest of our open source projects are technically in scope, but at a reduced rate for the time being.

    SOURCE_CODE
    critical
  • Membership

    ## In Scope
    * https://login.yahoo.com
    * https://login.aol.com
    * https://api.login.yahoo.com
    * https://api.login.aol.com
    * http://credstore.yahoo.com/

    Some documentation that may help:
    https://developer.yahoo.com/oauth2/guide/

    Specific paths to target:
    For `login.*.com`
    * /account/logout
    * /auth/2.0/credentials
    * /auth/1.0/
    * /saml2/
    * /account
    * /oauth2
    * /ylc
    * /account/challenges
    * /account/access
    * /oauth2/device_auth
    * /ctv
    * /activate
    * /forgot

    For `api.login.*.com`
    * /api
    * /oauth2/get_token
    * /oauth2/web_session
    * /oauth2/device_sessions
    * /oauth2/device_authorization
    * /oauth2/device_auth
    * /oauth2/revoke
    * /oauth2/introspect

    ## Out of Scope
    * Any rate limits for authentication attempts.
    * Any differentiated treatment based on account, browser, IP address etc.

    ## Limits
    * Limit traffic against our services to < 10/second when probing or testing.

    OTHER
    critical
  • 7News

    * [7News iOS](https://itunes.apple.com/au/app/7news/id439828000?mt=8)
    * [7News Android](https://play.google.com/store/apps/details?id=com.seven.news&hl=en_US)

    OTHER
    critical
  • Yahoo Live Web Insights

    * [Yahoo Live Web Insights iOS](https://itunes.apple.com/us/app/yahoo-live-web-insights/id853260592?mt=8)

    OTHER
    none
  • Yahoo HK News

    * [Yahoo HK News Android](https://play.google.com/store/apps/details?id=com.yahoo.infohub)
    * [Yahoo HK News iOS](https://itunes.apple.com/hk/app/yahoo%E6%96%B0%E8%81%9E-%E9%A6%99%E6%B8%AF%E5%8D%B3%E6%99%82%E7%84%A6%E9%BB%9E/id425655609?mt=8)

    OTHER
    critical
  • SSRF Test Servers (information)

    # SSRF Test Servers

    If you think you've got an SSRF attack against our network, please use these two groups of servers to prove it to us. There's a whole bunch of different file formats on these servers and they're all identical. To prove your SSRF, please send your attacks in a way that attempts to read or write content to/from one of these servers in each network segment (Prod + Corp). The only difference between the hosts within each category is their geolocation, so in most circumstances it does not matter which one you target. HTTPS is also enabled on these servers.

    Production Network
    * banana.stand.ne1.prod.oath (banana.stand.ne1.yahoo.com)
    * banana.stand.gq1.prod.oath (banana.stand.gq1.yahoo.com)
    * banana.stand.bf1.prod.oath (banana.stand.bf1.yahoo.com)
    * banana.stand.bf2.prod.oath (banana.stand.bf2.yahoo.com)
    * banana.stand.sg3.prod.oath (banana.stand.sg3.yahoo.com)
    * banana.stand.ir2.prod.oath (banana.stand.ir2.yahoo.com)
    * banana.stand.tw1.prod.oath (banana.stand.tw1.yahoo.com)
    * banana.stand.tp2.prod.oath (banana.stand.tp2.yahoo.com)

    Corporate Network
    * banana.stand.corp.gq1.cic.oath (banana.stand.cgq1.yahoo.com)
    * banana.stand.corp.bf1.cic.oath (banana.stand.cbf1.yahoo.com)
    * banana.stand.corp.sg3.cic.oath (banana.stand.csg3.yahoo.com)
    * banana.stand.corp.ne1.cic.oath (banana.stand.cne1.yahoo.com)

    Files to target take the filename format of `<extension>_###.<extension>`. For example: `txt_001.txt` and `zip_001.zip`. We've put up a bunch of different file formats that can be targeted for your testing needs. There is one other file that is simple text but does not have a file extension; reach it by requesting `noext_01`.

    File types available include:
    avi, bmp, css, csv, doc, docx, dtd, flv, gif, html, icns, ics, ico, jar, jpg, js, json, md, mkv, mov, mp3, mp4, odp, ods, odt, ogg, pdf, php, png, ppt, rss, svg, tiff, txt, wav, wmv, xls, xlsx, xml, xsl, zip

    We’ve also set the 404 error page to show you that you’ve hit the bananastand and not just some other unknown host: `<html>...404 no bananas for you!...</html>`

    **When testing**, it would be super helpful if (along with the file you pull down) you try to fetch `http://<hostname>/hackerone-<username>` so that we can identify **your** activity in the logs more easily.

    **When submitting a report** (in addition to all the usual details) please make sure to:
    1. Attach a copy of the file you fetched.
    2. Include the timestamp you fetched the file.
    3. Note the SSRF server that you fetched the file from.

    ---

    ### The Fine Print
    If you can’t hit these servers but can hit something else inside our network, you must provide a working POC and understand that we will individually evaluate the impact based on the host you tested with.

    We reserve the right to award a $0 bounty for any SSRF (or similar) reports that are not able to touch these servers.

    Also, we will periodically review the logs on these servers and may reach out to hackers that have hit the server but not submitted a report. If this happens, you will be eligible for **a maximum award of 10%** for the report.

    OTHER
    none
  • TechCrunch

    ## In Scope
    * *.techcrunch.com
    * Custom endpoints: `https://techcrunch.com/wp-json/tc/v1/*` -- These are custom endpoints that use the WordPress architecture and output methods but are modified for our uses with custom data.
    * Custom mobile endpoints: `https://techcrunch.com/wp-json/tc/mobile/v2/*` -- These are the endpoints used by the mobile apps to retrieve posts for the apps.
    * Default WordPress: `https://techcrunch.com/wp-json/wp/v2/*` -- We also leverage most of WordPress' out-of-the-box endpoints, with added custom data to augment the output.

    ## Out of Scope
    * *.crunchbase.com (3rd party, Crunchbase)
    * *.tc-appunite.herokuapp.com (3rd party, Heroku now closed)
    * *.parsely.com (3rd party, Parse.ly)
    * *.swiftype.com (3rd party, Swiftype now closed)
    * *.marketo.com (3rd party, Marketo)
    * *.urbanairship.com (3rd party, Urban Airship)
    * *.sailthru.com (3rd party, Sailthru)
    * *.spot.im (3rd party, Spot.IM)
    * *.tcdisrupt.com (3rd party, App)
    * *.bit.ly (3rd party, Bit.ly)
    * *.thomsonreuters.com (3rd party, Open Calais)
    * *.tinypass.com (3rd party, Piano/Tinypass)

    OTHER
    critical
  • Online Marketplace

    Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records.
    * billupdate.aol.com
    * myaccount.aol.com
    * myservices.aol.com
    * payments.aol.com
    * mybenefits.aol.com
    * cancel.aol.com
    * bill.aol.com

    Please consolidate your reports.
    **Note: Reporting the same issue separately for multiple CNAMEs will result in reports being marked as `Duplicate` at best.**

    OTHER
    critical
  • Yahoo Search

    * [Yahoo Search Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.search)
    * [Yahoo Search iOS](https://itunes.apple.com/us/app/yahoo-search/id361071600?mt=8)
    * [Yahoo Search (web)](https://search.yahoo.com/)

    OTHER
    critical
  • Arkime

    ### Review the Code
    * [Source Code](https://github.com/arkime/arkime)
    * Submit a PR to fix/update the code - [fork](https://help.github.com/en/articles/fork-a-repo) the codebase then submit a [PR](https://help.github.com/en/articles/creating-a-pull-request-from-a-fork)
    * Visit our web page at https://arkime.com/ for pre-built rpm/deb packages and instructions for running it yourself.

    ## Out of Scope
    * Known unauthenticated endpoints such as `parliament.json` & `eshealth.json`
    * UI based bugs on `parliament`
    * demo.arkime.com
    * *.molo.ch (old website)

    SOURCE_CODE
    critical
  • Athenz

    ### Review the Code
    * [Source Code](https://github.com/yahoo/athenz)
    * Submit a PR to fix/update the code - [fork](https://help.github.com/en/articles/fork-a-repo) the codebase then submit a [PR](https://help.github.com/en/articles/creating-a-pull-request-from-a-fork)

    ### Out of Scope
    `yahoo/athenz/ui`, `yahoo/athenz/contributions`, and `yahoo/athenz/docker` are outdated relative to our own internal deployment because of our use of Okta and Duo, which we are not able to deploy for you all for this event; this is why we stated the Athenz UI was out of scope during the scoping call.
    The UI was just given out as a starting point so whoever needs it can take it, integrate it with their own authentication system and also provide all the necessary protections. Our UI devs worked with the Paranoids’ red team internally for quite some time to go through all this, addressing many different bug classes in our integration with Okta and Duo, and that’s what we’re running in our production instance.

    SOURCE_CODE
    critical
  • AOL (misc)

    ## In Scope
    * *.aol.com

    ## Notes
    Only use this asset when nothing else can be reasonably selected.

    Bugs with AOL that are not listed in scope of our other AOL-related assets can still be submitted to this asset and *might* be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

    ## Out of Scope
    * *nat.aol.com
    * *.ipt.aol.com

    OTHER
    critical
  • Media Platform Marketing Website

    ## In Scope
    * *.verizondigitalmedia.com
    * www.verizondigitalmedia.com (prod)
    * stage-www.verizondigitalmedia.com (staging, only non-English content)
    * research.verizondigitalmedia.com

    ## Notes
    * The staging environment of `www.verizondigitalmedia.com` only hosts non-English translations of content served on www.
    * Do not spam our Support Request team (our-company/request-support/ our-company/customer-support/)

    ## Out of Scope
    * *.yahooinc.com (Company home page)
    * *.ouryahoo.com
    * *.verizonmedia.com
    * info.verizondigitalmedia.com (Third Party, Pardot/Salesforce)
    * status.verizondigitalmedia.com (Third Party, Status.io)

    The pages listed under these URL paths (Third Party, instapage.com):
    * www.verizondigitalmedia.com/announcement/*
    * www.verizondigitalmedia.com/campaign/*
    * www.verizondigitalmedia.com/case-study/*
    * www.verizondigitalmedia.com/e-book/*
    * www.verizondigitalmedia.com/free-trial/*
    * www.verizondigitalmedia.com/infographic/*
    * www.verizondigitalmedia.com/internal/*
    * www.verizondigitalmedia.com/landing/*
    * www.verizondigitalmedia.com/platform-updates/*
    * www.verizondigitalmedia.com/referral/*
    * www.verizondigitalmedia.com/report/*
    * www.verizondigitalmedia.com/rsvp/*
    * www.verizondigitalmedia.com/television-academy/*
    * www.verizondigitalmedia.com/webinar/*
    * www.verizondigitalmedia.com/white-paper/*

    OTHER
    none
  • onepush.query.yahoo.com
    URL
    critical
  • *.yahoo.com.tw
    URL
    none
  • le.yahooapis.com
    URL
    critical
  • Built By Girls

    ## In Scope
    * *.builtbygirls.com

    ## Notes
    * You MUST register for an account with your `@wearehackerone` email address or else your report will NOT be eligible for bounty.

    ## Out of Scope
    * jobs.builtbygirls.com (3rd party, Jobboard.io)
    * store.builtbygirls.com (3rd party, BrightStores)
    * builtbygirls.mybrightsites.com (3rd party, BrightStores)

    OTHER
    critical
  • Social Media Accounts

    ## Requirements
    * Account in question has posted content within 365 days of report submission
    * Account in question is related to a company, brand, or product
    * Exposed (valid/functional/active) credentials that allow login to an account

    ## In Scope
    * Bounty: **Must meet all** `Requirements` above
    * Reputation: Meets at least one of the `Requirements` above
    * Note: “Account in question” means the account you are reporting as “vulnerable.”

    ## Out of Scope
    * Account in question is related to an individual (employee, freelancer or otherwise)
    * Brute forcing account credentials

    OTHER
    critical
  • Yahoo 7

    * au.yahoo.com
    * nz.yahoo.com

    OTHER
    none
  • Omega

    `*omega*.yahoo.com`

    OTHER
    critical
  • Gemini

    * *.gemini.yahoo.com
    * *.admanager.yahoo.com
    * monetization.flurry.com

    OTHER
    critical
  • AOL Publishers

    * *.aolpublishers.com

    OTHER
    none
  • Yahoo Video

    * [Yahoo Video FireTV](https://www.amazon.com/Yahoo-for-Fire-TV/dp/B014X5UGPQ/)
    * [Yahoo Video tvOS](https://itunes.apple.com/us/app/yahoo-watch-free-live-concerts-sports-video-clips-and-more/id1046996690?mt=8)

    OTHER
    critical
  • Yahoo Sports: Mobile

    * [Yahoo Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.sportacular)
    * [Yahoo Sports iOS](https://itunes.apple.com/us/app/yahoo-sports-teams-scores-news-highlights/id286058814?mt=8)
    * *.protrade.com

    OTHER
    critical
  • Yahoo Sports: Fantasy Wallet

    ## In Scope
    * https://sports.yahoo.com/dailyfantasy/account/addfunds

    OTHER
    critical
  • com.yahoo.aerogram

    [Yahoo Mail iOS](https://apps.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159)

    APPLE_STORE_APP_ID
    critical
  • Challenge Coins

    These are just for fun.
    * [H1-213-2019](https://forms.gle/jG7uRzS6k7BWjAeUA)
    * [H1-415-2020](coming soon)
    * [H1-2004-2020](coming soon)

    OTHER
    none
  • Media Platforms Engineering Blog

    ## In Scope
    * eng.verizondigitalmedia.com
    * eng-staging.verizondigitalmedia.com

    ## Notes
    Bugs present on both Staging and production will not be awarded `Same Bug Different Host` bonus.

    OTHER
    none
  • SSP Advertising Products

    These products with their listed domains are NOT eligible for bounty or reputation for the time being:
    * CRS - crs-prd.aws.oath.cloud
    * Deals UI - deals.o2.verizonmedia.com
    * O2 - adaptv.advertising.com
    * OneAdServer - console.oneadserver.aol.com
    * OneAPI - oneapi.aol.com
    * OneCreative - onecreative.aol.com
    * OneInsights - alephd.com
    * OneMobile - onemobile.aol.com
    * OneReporting - vidible.tv
    * OneVideo - onevideo.aol.com
    * SSP - ssp.verizonmedia.com
    * SSP External API - ext.api.ssp.aol.com
    * Store - store.vzbuilders.com, sales.oath.com

    *Note: Any domain for these products that is not listed here is ALSO not eligible for bounty or reputation.*

    OTHER
    none
  • Yahoo Games
    OTHER
    critical
  • TW eCommerce: Store
    OTHER
    none
  • Yahoo Sports: Best Ball

    ## In Scope
    * https://bestball.fantasysports.yahoo.com/

    OTHER
    critical
  • TW Media: Front Page

    ## In Scope
    * tw.mobi.yahoo.com
    * tw.yahoo.com
    * Content API: https://ncp-gw-abu.media.yahoo.com/

    ## Out of Scope
    * *.yahoo.com.tw

    OTHER
    critical
  • DSP

    ## In Scope
    * api-v3.admanagerplus.yahoo.com
    * admanagerplus.yahoo.com

    ## Notes
    Restrict your rate limit on requests to `120 requests/minute` to prevent yourself being auto-banned or impacting our production system.

    This asset is not eligible for bounty through our public bug bounty program.

    OTHER
    critical
  • RYOT

    ## In Scope
    * RYOT Mobile SDK (iOS and Android) `https://s.yimg.com/cv/apiv2/ar_sdk/*`
    * *.ryot.org (site under construction)

    ## Notes
    * The RYOT Augmented Reality SDK is used by our major mobile apps.
    * `ryot.org` is hosted on WordPress; WP’s services are not in scope

    ## Out of Scope
    * *.ryotfilms.com (third party)
    * *.ryot.com (third party)
    * *.portal.ryot.com (third party)

    OTHER
    critical
  • TW eCommerce: Used Car

    ## In Scope
    * tw.usedcar.yahoo.com

    ## Notes
    Refer to the **Notes** section in the `TW eCommerce: Auctions` listing.

    ## Out of Scope
    * *.yahoo.com.tw
    * autos.yahoo.com.tw
    * tw.serviceplus.yahoo.com

    OTHER
    critical
  • Flurry
    OTHER
    none
  • AOL Mobile Apps

    ## Out of Scope
    * Apps from the app stores are not in scope.

    OTHER
    critical
  • Ensemble

    `*ensemble*.yahoo.com`

    OTHER
    critical
  • Miscellaneous

    * *.aolcdn.com
    * *.yahoo.com.hk
    * Media Group One
    * Movies Hong Kong
    * Onwander
    * Volicon
    * Volicloud
    * Yahoo Operated WordPress blogs
    * files.molo.ch

    OTHER
    none
  • Yahoo Calendar

    ## In Scope
    * *.calendar.yahoo.com
    * *.caldav.calendar.yahoo.com

    Specific paths to look at:
    * https://calendar.yahoo.com/ws/v3/users/
    * https://caldav.calendar.yahoo.com/principals/users/
    * https://caldav.calendar.yahoo.com/dav/*/calendar/

    ## Limits
    Limit traffic against our services to < 10/second when probing or testing.

    OTHER
    critical
  • Yahoo Weather

    * [Yahoo Weather Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.weather)
    * [Yahoo Weather iOS](https://itunes.apple.com/us/app/yahoo-weather/id628677149?mt=8)
    * Yahoo Weather (web)

    OTHER
    critical
  • Yahoo Sports: Editorial

    ## In Scope
    * https://sports.yahoo.com/
    * https://api-secure.sports.yahoo.com

    ## Out of scope
    * shop.yahoosports.com (Third party)

    OTHER
    critical
  • Makers

    * *.makers.com

    OTHER
    critical
  • BUILD

    * *.buildseries.com

    OTHER
    critical
  • Yahoo News

    * *.news.yahoo.com
    * yahoo.com/news

    OTHER
    critical
  • Umbrella Out of Scope List

    **Any other reference to out of scope items in this policy or scope still apply. Yahoo reserves the right to award or not award on assets that may not yet be on this list or in this policy.**

    ## ALL THE FOLLOWING ASSETS ARE OUT OF SCOPE
    * AOL Mail
    * AOL Desktop Gold
    * apis.mail.aol.com
    * test-apis.mail.aol.com
    * *.aolmail.com
    * mail.aol.com/classicab
    * mail.aol.com/getmydata
    * mail.aol.com/ws
    * mail.aol.com/calsvc
    * Athenz Source Code
    * yahoo/athenz/ui
    * yahoo/athenz/contributions
    * yahoo/athenz/docker
    * Autoblog
    * *.spot.im (3rd party, Spot.IM)
    * Development-like environments for autoblog.com exist, but should not be tested; keep the testing in Production (www.).
    * Built By Girls
    * jobs.builtbygirls.com (3rd party, Jobboard.io)
    * store.builtbygirls.com (3rd party, BrightStores)
    * builtbygirls.mybrightsites.com (3rd party, BrightStores)
    * *.vdms.com
    * EdgeCast
    * Customers
    * Partners
    * Wholesalers
    * Engadget
    * *.spot.im (3rd party, Spot.IM)
    * *.cn.engadget.com (Engadget International Edition)
    * *.chinese.engadget.com (Engadget International Edition)
    * *.japanese.engadget.com (Engadget International Edition)
    * jobs.engadget.com (3rd party, Jobboard.io)
    * Historical & Divestitures
    * About.me
    * Flickr
    * Go90
    * MovieFone
    * Patch Media
    * PawNation
    * Polyvore
    * Shoutcast
    * Style Me Pretty
    * Winamp
    * Yahoo Together (Squirrel)
    * Yahoo Play
    * Yahoo TW eSports
    * The Huffington Post
    * news.huffingtonpost.com (3rd party, CampaignMonitor)
    * coupons.huffpost.com (3rd party, Groupon)
    * huffpost.atlassian.net (3rd party, Atlassian)
    * huffpoststuff.com (3rd party, StackCommerce)
    * subscribe.huffpost.com (3rd party, Epsilon)
    * Miscellaneous
    * *.aolcdn.com
    * *.yahoo.com.hk
    * Media Group One
    * Movies Hong Kong
    * Onwander
    * Volicon
    * Volicloud
    * Yahoo Operated WordPress blogs
    * files.molo.ch
    * sg.auctions.yahoo.com (3rd party, GMarket)
    * Moloch Source Code
    * Known unauthenticated endpoints such as parliament.json & eshealth.json
    * www.molo.ch
    * demo.molo.ch
    * *.molo.ch (production website)
    * UI based bugs on parliament
    * RYOT
    * *.ryotfilms.com (third party)
    * *.ryot.com (third party)
    * *.portal.ryot.com (third party)
    * *.spot.im
    * TechCrunch
    * *.crunchbase.com (3rd party, Crunchbase)
    * *.tc-appunite.herokuapp.com (3rd party, Heroku now closed)
    * *.parsely.com (3rd party, Parse.ly)
    * *.swiftype.com (3rd party, Swiftype now closed)
    * *.marketo.com (3rd party, Marketo)
    * *.urbanairship.com (3rd party, Urban Airship)
    * *.sailthru.com (3rd party, Sailthru)
    * *.spot.im (3rd party, Spot.IM)
    * *.tcdisrupt.com (3rd party, App)
    * *.bit.ly (3rd party, Bit.ly)
    * *.thomsonreuters.com (3rd party, Open Calais)
    * *.tinypass.com (3rd party, Piano/Tinypass)
    * TW eCommerce: Auctions
    * *.yahoo.com.tw
    * ismarus-ap-94600.tw.juiker.net
    * *.tw.juiker.net
    * auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
    * *.straas.net
    * iOS: JuikerIMSDK.framework, StraaS-iOS-SDK
    * Android: io.straas.android.sdk
    * ecfme.famiport.com.tw (Third Party)
    * TW eCommerce: Shopping
    * *.yahoo.com.tw
    * iOS: TPDirect.framework
    * Android: tech.cherri.tpdirect.api
    * TW Media: News
    * news.campaign.yahoo.com.tw
    * *.yahoo.com.tw
    * Uplynk (VDMS)
    * Verizon
    * MapQuest
    * MapQuest Android
    * MapQuest FireOS
    * MapQuest iOS
    * *.mapquest.com
    * MovilData
    * Skyward
    * XO
    * *.verizonwireless.com
    * *.verizon.com
    * *.verizon.net
    * *.vzw.com
    * *.myvzw.com
    * *.verizonbusiness.com
    * vzbuilders
    * smart.vzbuilders.com
    * some other vzbuilders subdomains
    * Yahoo 7
    * au.yahoo.com
    * nz.yahoo.com
    * Yahoo Answers
    * Yahoo Cricket
    * Yahoo Cricket Android
    * Yahoo Cricket iOS
    * Out of Scope: cricket.yahoo.net (third party)
    * Out of Scope: *.sportz.io (third party)
    * Yahoo Japan
    * *.yahoo-net.jp
    * Yahoo Mail
    * mail.yahoo.com/cal/ (this is the same as calendar.yahoo.com and should be reported as Yahoo Calendar)
    * Yahoo Messenger
    * Yahoo Messenger Android
    * Yahoo Messenger iOS
    * Yahoo Messenger (web)
    * Verizon/Yahoo Small Businesses
    * smallbusiness.yahoo.com
    * SiteBuilder
    * Access Manager
    * Store Editor
    * YSB Developer Network
    * Commerce Central
    * Localworks
    * Luminate
    * Wizards
    * **All other YSB related products/services/sites**
    * https://s.yimg.com/pq/*
    * *.webhosting.yahoo.com
    * Yahoo Sports: Editorial
    * shop.yahoosports.com (Third party)
    * Yahoo Sports: Fantasy Games
    * *.sendbird.com (Third Party, SendBird)
    * Yahoo Sports: Rivals
    * *.rivalsfanstore.com (3rd party, Fanatics Inc.)
    * *.rivalscamps.com (3rd party)
    * *.rivalscampseries.com (3rd party)
    * Rivals iOS
    * *.yahoo.com.tw
    * *.yahoo.net

    OTHER
    none
  • TW Media: News

    ## In Scope
    * [Yahoo TW News Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.newstw)
    * [Yahoo TW News iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9-%E7%9B%B4%E6%92%ADlive-%E5%8D%B3%E6%99%82%E6%96%B0%E8%81%9E/id864844562?mt=8)
    * Yahoo TW News
    * *.tw.news.yahoo.com
    * Backend API: https://news-app.abumedia.yql.yahoo.com:443/
    * Web: https://tw.news.yahoo.com
    * Content API: https://ncp-gw-abu.media.yahoo.com/

    ## Out of Scope
    * news.campaign.yahoo.com.tw
    * *.yahoo.com.tw

    OTHER
    critical
  • Historical + Divestitures

    This is a list of products and companies that were previously owned but have since been shut down or sold, and are not in scope for **Yahoo**.

    * About.me
    * Autoblog
    * EdgeCast
    * Flickr
    * Go90
    * HuffPost
    * IDS
    * MovieFone
    * Oath: Impact
    * Patch Media
    * PawNation
    * Polyvore
    * Shoutcast
    * Style Me Pretty
    * Uplynk
    * Winamp
    * Yahoo Answers
    * Yahoo Groups
    * Yahoo Play
    * Yahoo Together (Squirrel)
    * Yahoo Messenger
    * Yahoo Small Business
    * Yahoo TW eSports
    * Yahoo Japan

    OTHER
    none
  • com.yahoo.mobile.client.android.mail

    * [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)
    * [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)
    * [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)
    * Sign up for the [Beta here](https://play.google.com/apps/testing/com.yahoo.mobile.client.android.mail)

    GOOGLE_PLAY_APP_ID
    critical
  • AOL Search

    ## In Scope
    * search.aol.ca
    * search.aol.co.uk
    * search.aol.com
    * recherche.aol.fr
    * suche.aol.de

    ## Notes
    Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.

    OTHER
    critical
  • proddata.xobni.yahoo.com
    URL
    critical
  • Yahoo Sports: Rivals

    ## In Scope
    * https://n.rivals.com
    * https://www.rivals.com/

    ## Notes
    All testing against rivals is to be **MANUAL only.** ZERO automated tools are allowed. **This notice is your warning.**

    ## Out of Scope
    * *.rivalsfanstore.com (3rd party, Fanatics Inc.)
    * *.rivalscamps.com (3rd party)
    * *.rivalscampseries.com (3rd party)
    * [Rivals iOS](https://itunes.apple.com/us/app/rivals-com-no-1-college-sports-recruiting-news/id1069511855?mt=8)

    OTHER
    critical
  • Yahoo Homepages
    OTHER
    critical
  • Yahoo Sports: Fantasy Games

    ## In Scope
    * https://sports.yahoo.com/fantasy/
    * [Fantasy Basketball](https://basketball.fantasysports.yahoo.com/)
    * [Fantasy Hockey](https://hockey.fantasysports.yahoo.com/)
    * [Fantasy User Profiles](https://profiles.sports.yahoo.com)
    * [Fantasy Football](https://football.fantasysports.yahoo.com/) (out of season)
    * [Public cookie-based API endpoints](https://pub-api-ro.fantasysports.yahoo.com) (used by some FE stacks)
    * [Public OAuth2 endpoints](https://fantasysports.yahooapis.com)
    * tournament.fantasysports.yahoo.com

    ## Out of Scope
    * *.sendbird.com (Third Party, SendBird)

    OTHER
    critical
  • Yahoo Sports: Fantasy Sports

    ## In Scope
    * [Yahoo Fantasy Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.fantasyfootball)
    * [Yahoo Fantasy Sports iOS](https://itunes.apple.com/us/app/yahoo-fantasy-sports/id328415391?mt=8)
    * [Yahoo Fantasy Sports (web)](https://sports.yahoo.com/fantasy/)
    * https://sports.yahoo.com/odds/

    ## Notes
    The betting feature in Fantasy is provided by a third party, BetMGM. `https://sports.yahoo.com/odds/` is the page from which the user is redirected to BetMGM. This is geographically restricted.

    OTHER
    critical
  • apis.mail.yahoo.com
    URL
    critical
  • *.yahoo.net
    URL
    none
  • Yahoo Sports: Rivals Forums

    ## In Scope
    * *.forums.rivals.com

    ## Notes
    * All testing against rivals is to be **MANUAL only.** ZERO automated tools are allowed. **This notice is your warning.**
    * This is third party software and will be awarded at a 50% bounty rate.
    * Reports on this asset will not be eligible for bonuses.

    OTHER
    critical
  • data.mail.yahoo.com
    URL
    critical
  • Yahoo! (misc)

    ## Notes
    Only use this asset when nothing else can be reasonably selected.

    Bugs with Yahoo! that are not listed in scope of our other Yahoo-related assets can still be submitted to this asset and **_*might*_** be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

    OTHER
    critical
Target Scope Domains
  • apis.mail.yahoo.com
  • data.mail.yahoo.com
  • le.yahooapis.com
  • onepush.query.yahoo.com
  • proddata.xobni.yahoo.com
  • yimg.com