## In Scope
* https://login.yahoo.com
* https://login.aol.com
* https://api.login.yahoo.com
* https://api.login.aol.com
* http://credstore.yahoo.com/
Some documentation that may help:
https://developer.yahoo.com/oauth2/guide/
Specific paths to target:
For `login.*.com`
* /account/logout
* /auth/2.0/credentials
* /auth/1.0/
* /saml2/
* /account
* /oauth2
* /ylc
* /account/challenges
* /account/access
* /oauth2/device_auth
* /ctv
* /activate
* /forgot
For `api.login.*.com`
* /api
* /oauth2/get_token
* /oauth2/web_session
* /oauth2/device_sessions
* /oauth2/device_authorization
* /oauth2/device_auth
* /oauth2/revoke
* /oauth2/introspect
## Out of Scope
* Any rate limits for authentication attempts.
* Any differentiated treatment based on account, browser, IP address etc.
## Limits
* Limit traffic against our services to < 10/second when probing or testing.
## Notes
Only use this asset when nothing else can be reasonably selected.
Bugs with Yahoo! that are not listed in scope of our other Yahoo-related assets can still be submitted to this asset and **might** be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.
## In Scope ##
* *.aol.com
## Notes
Only use this asset when nothing else can be reasonably selected.
Bugs with AOL that are not listed in scope of our other AOL-related assets can still be submitted to this asset and **might** be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.
## Out of Scope ##
* *nat.aol.com
* *.ipt.aol.com
## In Scope ##
* www.aol.de
* www.aol.co.uk
* www.aol.in
* www.aol.ca
* www.aol.com
* www.aol.com/*
* AOL Games Landing Page - https://www.aol.com/games/ -> see 3rd Party Notes Below
## Notes ##
* Exception to the out-of-scope list: 3rd party components whose impact lands on aol.com (e.g. an XSS that executes in the AOL.com domain as a result of abusing the TravelZoo module on the Travel page).
## Out of Scope ##
**First Party Things:**
* https://ottr.video.yahoo.com/v1/video-exp/schedule
* https://s.yimg.com/rb/screwdriver/ctv/ve-module/builds/prod/aol/dist/vem.js
**Second Party Things:**
* DataMask by AOL (White Label app)
* AOL OnePoint (White Label app)
* Private WiFi by AOL (White Label app)
* AOL Games (White Label app)
**Third Party Things:**
* 3rd Party Ad Integration. (Third Party, Taboola)
* Popular in the Community, More Conversations for You, Commenting on articles (and more) (Third Party, OpenWeb)
* spot.im (Third Party, OpenWeb)
* Individual AOL Games pages are rendered by us, but we iFrame in the Masque game urls. (Third Party, Masque)
* games.com, fungames.aol.com & fungames.com (Third Party, Masque)
* Comparecards.aol.com is CNAME’d to our own ATS cluster which forward maps requests to the comparecards cloudfront distribution. (Third Party, CompareCards)
* JS widget on the AOL.com homepage providing news stories. (Third Party, Zergnet)
* Serverside rendered module on aol.com/real-estate, data comes from Zillow api. (Third Party, Zillow)
* Serverside rendered module on www.aol.com/travel, data comes from TravelZoo api. (Third Party, Travel Zoo)
* rezserver.com (Third Party, Travel Zoo)
yimg is a resource storage and content distribution network (CDN).
## Note ##
Reports submitted that exploit bugs **only** in the context of the `yimg.com` domain are most likely to be closed as `Informative`. Most bugs in `*.yimg.com` will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains (e.g. yahoo.com or aol.com) to be eligible for bounty. CVSS Environmental scores have been set to account for this limitation.
What does that mean for my report?
1. If you show escalation into a trusted domain's context (such as yahoo.com), it will be accepted at the 100% bounty rate. A bonus may be applied for different instances within the trusted domain list only, not for other instances of vulnerable content on yimg.com.
2. If you show execution in the context of *.yimg.com only, the vulnerability MAY be accepted by the business owner in some instances. In that case, a minimum bounty would be offered only if the content is removed. There are no "same bug different host" or other vulnerability grouping bonus offers for this asset.
## In Scope
* *.techcrunch.com
* Custom endpoints: `https://techcrunch.com/wp-json/tc/v1/*` -- These are custom endpoints that use the WordPress architecture and output methods but modified for our uses with custom data.
* Custom mobile endpoints: `https://techcrunch.com/wp-json/tc/mobile/v2/*` -- These are the endpoints that are used by the mobile apps to retrieve posts for the apps.
* Default WordPress: `https://techcrunch.com/wp-json/wp/v2/*` -- We also leverage most of WordPress' out of the box endpoints with added custom data to augment the output.
## Out of Scope
* *.crunchbase.com (3rd party, Crunchbase)
* *.tc-appunite.herokuapp.com (3rd party, Heroku now closed)
* *.parsely.com (3rd party, Parse.ly)
* *.swiftype.com (3rd party, Swiftype now closed)
* *.marketo.com (3rd party, Marketo)
* *.urbanairship.com (3rd party, Urban Airship)
* *.sailthru.com (3rd party, Sailthru)
* *.spot.im (3rd party, Spot.IM)
* *.tcdisrupt.com (3rd party, App)
* *.bit.ly (3rd party, Bit.ly)
* *.thomsonreuters.com (3rd party, Open Calais)
* *.tinypass.com (3rd party, Piano/Tinypass)
* [Yahoo HK News Android](https://play.google.com/store/apps/details?id=com.yahoo.infohub)
* [Yahoo HK News iOS](https://itunes.apple.com/hk/app/yahoo%E6%96%B0%E8%81%9E-%E9%A6%99%E6%B8%AF%E5%8D%B3%E6%99%82%E7%84%A6%E9%BB%9E/id425655609?mt=8)
## In Scope ##
* https://sports.yahoo.com/fantasy/
* [Fantasy Basketball](https://basketball.fantasysports.yahoo.com/)
* [Fantasy Hockey](https://hockey.fantasysports.yahoo.com/)
* [Fantasy User Profiles](https://profiles.sports.yahoo.com/)
* [Fantasy Football](https://football.fantasysports.yahoo.com/) (out of season)
* [Public cookie-based API endpoints](https://pub-api-ro.fantasysports.yahoo.com/) (used by some FE stacks)
* [Public OAuth2 endpoints](https://fantasysports.yahooapis.com/)
* tournament.fantasysports.yahoo.com
## Out of Scope ##
* *.sendbird.com (Third Party, SendBird)
* [Yahoo Weather Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.weather)
* [Yahoo Weather iOS](https://itunes.apple.com/us/app/yahoo-weather/id628677149?mt=8)
* [Yahoo Weather (web)](https://www.yahoo.com/news/weather/)
Only use this asset when nothing else can be reasonably selected.
Bugs with Yahoo products that are not listed in scope of our [Public Program](https://hackerone.com/yahoo) can still be submitted to this asset and **might** be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.
Use this asset for:
* *.oath.cloud
* *.yahoo.cloud
## In Scope
* tw.mobi.yahoo.com
* tw.yahoo.com
* Content API: https://ncp-gw-abu.media.yahoo.com/
## Out of Scope
* *.yahoo.com.tw
## In Scope ##
* [Yahoo Fantasy Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.fantasyfootball)
* [Yahoo Fantasy Sports iOS](https://itunes.apple.com/us/app/yahoo-fantasy-sports/id328415391?mt=8)
* [Yahoo Fantasy Sports (web)](https://sports.yahoo.com/fantasy/)
* https://sports.yahoo.com/odds/
## Notes ##
The betting feature in Fantasy is provided by a third party, BetMGM. https://sports.yahoo.com/odds/ is the page from which the user is redirected to BetMGM. This feature is geographically restricted.
## In Scope
* [Yahoo Mail (web)](https://mail.yahoo.com/)
* [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)
* [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)
* [Yahoo Mail iOS](https://itunes.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159?mt=8)
* [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)
## Out of Scope:
* mail.yahoo.com/cal/ (this is the same as `calendar.yahoo.com` and should be reported as Yahoo Calendar)
## In Scope
* help.aol.com
* assistance.aol.fr
* help.aol.co.uk
* hilfe.aol.de
## Notes
Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.
## Out of Scope
* assist.aol.com (2nd party service)
* helpisp.netscape.com
* helpconnect.netscape.com
* help.compuserve.com
## In Scope ##
* https://sports.yahoo.com/dailyfantasy/
* https://sports.yahoo.com/dailyfantasy/contest/create
* [Flurry Android](https://play.google.com/store/apps/details?id=com.yahoo.flurry)
* [Flurry iOS](https://itunes.apple.com/us/app/flurry-analytics/id1079687315?mt=8)
* *.flurry.com
## In Scope ##
* www.autoblog.com
## Out of Scope ##
* *.spot.im (3rd party, Spot.IM)
* Development-like environments for autoblog.com exist, but should not be tested; keep the testing in Production (www.).
## In Scope ##
* https://sports.yahoo.com/fantasyslate
* [Yahoo Search Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.search)
* [Yahoo Search iOS](https://itunes.apple.com/us/app/yahoo-search/id361071600?mt=8)
* [Yahoo Search (web)](https://search.yahoo.com/)
* [Yahoo Video FireTV](https://www.amazon.com/Yahoo-for-Fire-TV/dp/B014X5UGPQ/)
* [Yahoo Video tvOS](https://itunes.apple.com/us/app/yahoo-watch-free-live-concerts-sports-video-clips-and-more/id1046996690?mt=8)
* [Newsroom Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.yahoo)
* [Newsroom iOS](https://itunes.apple.com/us/app/newsroom-news-that-gets-you-talking/id304158842?mt=8)
* *.news.yahoo.com
* yahoo.com/news
## In Scope
* [Yahoo TW Store Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecstore)
* [Yahoo TW Store iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B6%85%E7%B4%9A%E5%95%86%E5%9F%8E/id778296354?mt=8)
* Yahoo TW Store
* *.tw.mall.yahoo.com
* m.mall.yahoo.com
* Web: https://tw.mall.yahoo.com/
* Mobile Web: https://m.tw.mall.yahoo.com/
* API: https://tw.ews.mall.yahooapis.com/
* Search API: tw.search.ec.yahoo.com
## Out of Scope
* *.yahoo.com.tw
## In Scope ##
* https://sports.yahoo.com/
* https://api-secure.sports.yahoo.com
## Out of scope ##
* shop.yahoosports.com (Third party)
## In Scope
* [APIs](https://api.engadget.com/api)
* *.engadget.com
## Notes
* Separate reports for the same or similar payload/issue against multiple international editions will be marked as duplicates and paid only once for Engadget international editions.
## Out of Scope
* *.spot.im (3rd party, Spot.IM)
* *.cn.engadget.com (Engadget International Edition)
* *.chinese.engadget.com (Engadget International Edition)
* *.japanese.engadget.com (Engadget International Edition)
* jobs.engadget.com (3rd party, Jobboard.io)
## In Scope
* [Yahoo TW Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecauction)
* [Yahoo TW Auctions iOS](https://itunes.apple.com/tw/app/yahoo%E6%8B%8D%E8%B3%A3-%E5%88%8A%E7%99%BB%E5%85%8D%E8%B2%BB/id1033771352?mt=8)
* Yahoo TW Auctions:
* *.bid.yahoo.com
* https://tw.bid.yahoo.com
* Yahoo TW Auctions APIs:
* https://tw.bid.yahoo.com/api/
* https://tw.api.bid.yahoo.com:4443
* Search API: tw.search.ec.yahoo.com
## Notes
* Access to the Taiwan sites from some countries in Europe may be blocked.
* `Buyer` accounts can be set up for any Yahoo user.
* `Seller` accounts require a TW phone number and 2FA.
* **Do not** use fake data (like nid) when operating the cash functions; it may cause real money to be stuck, and **we will hold you accountable for broken workflows.**
* You are required to clean up all the testing data related to posting new products.
* You **must** include the following “test” label in **ALL** posts (in the most visible location) to prevent regular users from interacting with hacker-created content: `[PARANOIDS-勿下標][TEST]`
-- *Any reports identified that are missing this label will not receive a bounty.*
## Out of Scope
* *.yahoo.com.tw
* ismarus-ap-94600.tw.juiker.net
* *.tw.juiker.net
* auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
* *.straas.net
* iOS: JuikerIMSDK.framework, StraaS-iOS-SDK
* Android: io.straas.android.sdk
* ecfme.famiport.com.tw (Third Party)
## In Scope
* tw.usedcar.yahoo.com
## Notes
Refer to the Notes section in the `TW eCommerce: Auctions` listing.
## Out of Scope
* *.yahoo.com.tw
* autos.yahoo.com.tw
* tw.serviceplus.yahoo.com
* *.gemini.yahoo.com
* *.admanager.yahoo.com
* monetization.flurry.com
Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records.
* billupdate.aol.com
* myaccount.aol.com
* myservices.aol.com
* payments.aol.com
* mybenefits.aol.com
* cancel.aol.com
* bill.aol.com
Please consolidate your reports.
**Note: Reporting the same issue separately for multiple CNAMEs will result in reports being marked as `Duplicate` at best.**
## In Scope ##
* https://sports.yahoo.com/dailyfantasy/account/addfunds
## In Scope
* search.aol.ca
* search.aol.co.uk
* search.aol.com
* recherche.aol.fr
* suche.aol.de
## Notes
Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.
* [iOS](https://itunes.apple.com/us/app/yahoo-finance/id328412701?mt=8)
* [Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.finance&hl=en_US)
* *.finance.yahoo.com
* OBI Premium Checkout: https://checkout.finance.yahoo.com/checkout/v1
* API WebSockets Streaming Market Data: http://streamer.finance.yahoo.com
* finance.mobile.yahoo.com
* finance.query.yahoo.com
Select open source projects are now eligible for bounties.
The [rest of our open source projects](https://developer.yahoo.com/opensource/projectindex/) are technically in scope, but at a reduced rate for the time being.
* [7News iOS](https://itunes.apple.com/au/app/7news/id439828000?mt=8)
* [7News Android](https://play.google.com/store/apps/details?id=com.seven.news&hl=en_US)
## In Scope ##
* https://bestball.fantasysports.yahoo.com/
## In Scope ##
* https://n.rivals.com
* https://www.rivals.com/
## Notes ##
All testing against rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.
## Out of Scope ##
* *.rivalsfanstore.com (3rd party, Fanatics Inc.)
* *.rivalscamps.com (3rd party)
* *.rivalscampseries.com (3rd party)
* Rivals iOS
## In Scope ##
* *.forums.rivals.com
## Notes ##
* All testing against rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.
* This is third party software and will be awarded at a 50% bounty rate.
* Reports on this asset will not be eligible for bonuses.
## In Scope ##
* *.mail.aol.com (see exclusions below)
* rpc.mail.aol.com
* [AOL iOS](https://apps.apple.com/us/app/aol-news-email-weather-video/id646100661)
* [AOL Android](https://play.google.com/store/apps/details?id=com.aol.mobile.aolapp&hl=en_US)
* [AOL FireOS](https://www.amazon.com/AOL-Inc-Mail-News-Video/dp/B011VYAGSY)
## Notes ##
* oidc.mail.aol.com (Hosted by Mail, but belongs to Membership)
## Out of Scope ##
* mail.aol.com/calsvc
* AOL Desktop Gold
* apis.mail.aol.com
* test-apis.mail.aol.com
* *.aolmail.com
* mail.aol.com/classicab
* mail.aol.com/getmydata
* mail.aol.com/ws
* *.aol.com
## In Scope
* *.calendar.yahoo.com
* *.caldav.calendar.yahoo.com
Specific paths to look at:
* https://calendar.yahoo.com/ws/v3/users/
* https://caldav.calendar.yahoo.com/principals/users/
* https://caldav.calendar.yahoo.com/dav/*/calendar/
## Limits
Limit traffic against our services to < 10/second when probing or testing.
## Requirements
* Account in question has posted content within 365 days of report submission
* Account in question is related to a company, brand, or product
* Exposed (valid/functional/active) credentials that allow login to an account
## In Scope
* Bounty: **Must meet all** `Requirements` above
* Reputation: Meets at least one of the `Requirements` above
* Note: "Account in question" means the account you are reporting as "vulnerable."
## Out of Scope
* Account in question is related to an individual (employee, freelancer or otherwise)
* Brute forcing account credentials
## In Scope
* *.isp.netscape.com
* *.lite.aol.com
* *.compuserve.com
* www.wmconnect.com
## Other places to look
* www.getnetscape.com
* netscape.compuserve.com
## Out of Scope
* Subdomains of wmconnect.com outside of www
## Notes
* These services are designed for delivery through slow internet connections.
* Registration for these services has been disabled.
* Help-related pages/domains should be reported to the AOL Help asset.
## In Scope
* [Yahoo TW Stock Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.TWStock)
* [Yahoo TW Stock iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%82%A1%E5%B8%82/id790214428?mt=8)
* Yahoo TW Stock
* tw.stock.yahoo.com
* API: https://stock-app.abumedia.yql.yahoo.com
* API: https://tw-finance-yql.media.yahoo.com
## Notes
* `stock.yahoo.com` and `finance.yahoo.com` are identical; reports will NOT be credited same-bug-different-host bonuses when issues are found on both domains.
* TW Stock Apps have a strong dependency on third-party SDK(s) for receiving real-time market quote data. Every page containing values (volume, prices, up/down flag, …) for indexes, tickers, ETFs, etc., as well as ticker information, line charts and notification settings, gets that data from the SDK. The connection to the SDK service is established when the app launches and lasts for the app's whole lifetime. **These SDK service(s) are out of scope.**
## Out of Scope
* *.yahoo.com.tw
* tw.finance.yahoo.com
* Quote SDK (from Systex inc.)
## In Scope ##
* [Yahoo Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.sportacular)
* [Yahoo Sports iOS](https://itunes.apple.com/us/app/yahoo-sports-teams-scores-news-highlights/id286058814?mt=8)
* *.protrade.com
## In Scope
* [Yahoo TW Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecshopping)
* [Yahoo TW Shopping iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B3%BC%E7%89%A9%E4%B8%AD%E5%BF%83/id1061577845?mt=8)
* Yahoo TW Shopping
* twpay.buy.yahoo.com
* Web: https://tw.buy.yahoo.com/
* Mobile Web: https://m.tw.buy.yahoo.com/
* API: https://tw.mapi.shp.yahoo.com
* Search API: tw.search.ec.yahoo.com
* Rushbuy API: rushbuy.buy.yahoo.com
## Out of Scope
* *.yahoo.com.tw
* iOS: TPDirect.framework
* Android: tech.cherri.tpdirect.api
## In Scope
* [Yahoo TW News Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.newstw)
* [Yahoo TW News iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9-%E7%9B%B4%E6%92%ADlive-%E5%8D%B3%E6%99%82%E6%96%B0%E8%81%9E/id864844562?mt=8)
* Yahoo TW News
* *.tw.news.yahoo.com
* Backend API: https://news-app.abumedia.yql.yahoo.com:443/
* Web: https://tw.news.yahoo.com
* Content API: https://ncp-gw-abu.media.yahoo.com/
## Out of Scope
* news.campaign.yahoo.com.tw
* *.yahoo.com.tw