Zomato HackerOne

Target Policy
https://hackerone.com/zomato?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • *.edition.in
    WILDCARD
    critical
  • All Assets (other than Blinkit)
    OTHER
    critical
  • 991745732
    APPLE_STORE_APP_ID
    critical
  • 912349367
    APPLE_STORE_APP_ID
    critical
  • http://*.zomato.com
    WILDCARD
    critical
  • http://*.zdev.net
    WILDCARD
    critical
  • http://*.zomans.com

    This domain is mainly used for internal applications that are hosted in AWS. Our area of interest is any issue that can potentially give anyone unrestricted access or expose internal or confidential data.

    WILDCARD
    critical
  • http://*.hyperpure.com
    WILDCARD
    critical
  • http://*.runnr.in
    WILDCARD
    critical
  • *.district.in
    WILDCARD
    critical
  • *.insider.in
    WILDCARD
    critical
  • BlinkIT, District & Hyperpure assets (in scope)
    OTHER
    critical
  • All Assets (other than)
    OTHER
    critical
  • *.hyperpure.com
    WILDCARD
    critical
  • http://*.grofers.com
    WILDCARD
    critical
  • blinkit.com
    URL
    critical
  • All District Assets (Other than Zomato, BlinkIT & Hyperpure)
    OTHER
    critical
  • *.tktnew.com
    WILDCARD
    critical
  • BlinkIT & Hyperpure assets (in scope)
    OTHER
    critical
  • com.grofers.customerapp
    GOOGLE_PLAY_APP_ID
    critical
  • *.ticketnew.com
    WILDCARD
    critical
  • *.runnr.in
    WILDCARD
    critical
  • *.zomato.com
    WILDCARD
    critical
  • BlinkIT, Hyperpure assets (in scope)
    OTHER
    critical
  • 434613896

    Zomato: Food Delivery & Dining

    APPLE_STORE_APP_ID
    critical
  • All Blinkit assets (in scope)
    OTHER
    critical
  • com.application.zomato
    GOOGLE_PLAY_APP_ID
    critical
  • All Zomato Assets (Other than BlinkIT & Hyperpure)
    OTHER
    critical
  • *.zomans.com

    This domain is mainly used for internal applications that are hosted in AWS. Our area of interest is any issue that can potentially give anyone unrestricted access or expose internal or confidential data.

    WILDCARD
    critical
  • api2.grofers.com
    URL
    critical
  • www.zomatobook.com
    URL
    none
  • business-blog.zomato.com
    URL
    none
  • com.application.zomatomerchant
    GOOGLE_PLAY_APP_ID
    critical
  • com.application.zomato.ordering
    GOOGLE_PLAY_APP_ID
    none
  • blog.zomato.com
    URL
    none
  • community.zomato.com
    URL
    none
  • success.zomato.com
    URL
    none
  • send.zomato.com
    URL
    none
  • dev.hyperpure.com
    URL
    none
  • devapi.hyperpure.com
    URL
    none
  • devpod.hyperpure.com
    URL
    none
  • staging*.runnr.in

    Please don't test on staging/dev instances. Instead, we have created a dedicated environment `bugbounty.runnr.in` which is a replica of the same for testing.

    WILDCARD
    none
  • *.zdev.net
    WILDCARD
    critical
  • api.grofers.com
    URL
    critical
  • com.grofers.customerapp

    Blinkit's Customer Android App:
    https://play.google.com/store/apps/details?id=com.grofers.customerapp

    GOOGLE_PLAY_APP_ID
    critical
  • Scope Questions: Items not explicitly listed here

    If you have a question about something that is not explicitly listed as out-of-scope or in-scope, please submit a report and we will provide clarification. We will allow you to self close that report after we answer your question.

    OTHER
    critical
  • winecellar.zomato.com
    URL
    critical
  • http://*.grofer.io
    WILDCARD
    critical
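The structured scope above mixes exact URL assets, wildcard assets (some keeping a literal http:// prefix on the identifier) and entries whose max severity is "none", such as staging*.runnr.in, which the program asks you not to test at all. Before pointing a scanner at a host it is worth resolving it to the single entry that governs it. The Python below is an added example for this page; it is not part of the HackerOne listing or of any Zomato tooling. It transcribes the host-based rows above into a table (app-store IDs and the "OTHER" rows are left out because they cannot be matched by hostname) and picks the most specific matching entry, so that staging2.runnr.in lands on the "none" row while bugbounty.runnr.in falls under *.runnr.in. The matching rules themselves (shell-style glob semantics, most-specific-wins, a wildcard not covering its apex domain) are this example's assumptions, not HackerOne's published matching logic.

```python
"""Resolve a URL or hostname to the governing structured-scope entry (added example)."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Host-based rows transcribed from the structured scope: (asset identifier, asset type, max severity).
# Identifiers are kept exactly as listed, including the http:// prefix some wildcards carry.
SCOPE = [
    ("*.edition.in", "WILDCARD", "critical"),
    ("http://*.zomato.com", "WILDCARD", "critical"),
    ("http://*.zdev.net", "WILDCARD", "critical"),
    ("http://*.zomans.com", "WILDCARD", "critical"),
    ("http://*.hyperpure.com", "WILDCARD", "critical"),
    ("http://*.runnr.in", "WILDCARD", "critical"),
    ("*.district.in", "WILDCARD", "critical"),
    ("*.insider.in", "WILDCARD", "critical"),
    ("http://*.grofers.com", "WILDCARD", "critical"),
    ("blinkit.com", "URL", "critical"),
    ("*.tktnew.com", "WILDCARD", "critical"),
    ("*.ticketnew.com", "WILDCARD", "critical"),
    ("api2.grofers.com", "URL", "critical"),
    ("api.grofers.com", "URL", "critical"),
    ("www.zomatobook.com", "URL", "none"),
    ("business-blog.zomato.com", "URL", "none"),
    ("blog.zomato.com", "URL", "none"),
    ("community.zomato.com", "URL", "none"),
    ("success.zomato.com", "URL", "none"),
    ("send.zomato.com", "URL", "none"),
    ("dev.hyperpure.com", "URL", "none"),
    ("devapi.hyperpure.com", "URL", "none"),
    ("devpod.hyperpure.com", "URL", "none"),
    ("staging*.runnr.in", "WILDCARD", "none"),
    ("winecellar.zomato.com", "URL", "critical"),
    ("http://*.grofer.io", "WILDCARD", "critical"),
]

# Used only to break ties between equally specific patterns; lower severity wins (conservative).
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def hostname_of(target: str) -> str:
    """Reduce a URL or bare host to a lowercase hostname without scheme, port, path or trailing dot."""
    if "//" not in target:
        target = "//" + target  # make urlsplit treat a bare host as the netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")


def specificity(pattern: str) -> int:
    """Number of literal characters; 'staging*.runnr.in' outranks '*.runnr.in', an exact host outranks both."""
    return len(pattern.replace("*", ""))


def classify(target: str):
    """Return (asset identifier, max severity) of the most specific matching entry, or None.

    Assumption (not HackerOne policy): '*.zomato.com' does not match the apex 'zomato.com';
    an apex is in scope only when listed on its own, as blinkit.com is above.
    """
    host = hostname_of(target)
    if not host:
        return None
    best = None
    for identifier, asset_type, severity in SCOPE:
        pattern = hostname_of(identifier)  # strips the http:// that some identifiers keep
        if asset_type == "URL":
            matched = host == pattern
        elif asset_type == "WILDCARD":
            matched = fnmatchcase(host, pattern)
        else:
            continue
        if not matched:
            continue
        key = (specificity(pattern), -SEVERITY_RANK.get(severity, 0))
        if best is None or key > best[0]:
            best = (key, identifier, severity)
    return None if best is None else (best[1], best[2])


def in_bounty_scope(target: str) -> bool:
    """True only when the governing entry carries a max severity other than 'none'."""
    hit = classify(target)
    return hit is not None and hit[1] != "none"


if __name__ == "__main__":
    for t in ["https://api.zomato.com/v2/users", "staging2.runnr.in",
              "bugbounty.runnr.in", "blog.zomato.com", "zomato.com"]:
        print(f"{t:35} -> {classify(t)}  bounty={in_bounty_scope(t)}")
```

Anything that resolves to None is neither listed in scope nor out of scope; the "Scope Questions" entry further down says to submit a report and ask rather than assume, which is the right move for an apex like zomato.com that no row covers on its own.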
Target Scope Domains
  • api.grofers.com
  • api2.grofers.com
  • blinkit.com
  • district.in
  • edition.in
  • grofer.io
  • grofers.com
  • hyperpure.com
  • insider.in
  • runnr.in
  • ticketnew.com
  • tktnew.com
  • winecellar.zomato.com
  • zdev.net
  • zomans.com
  • zomato.com
Tech Stack
  • Akamai
  • Akamai Bot Manager
  • Amazon Cloudfront
  • Amazon Elb
  • Amazon S3
  • Amazon Web Services
  • Amp
  • Apache Http Server
  • Apache Http Server:2.4.6
  • Basic
  • Bootstrap
  • Bootstrap:97c9c1d99a35391395750c26b3285d2178bab3ae
  • Bootstrap:Dc4c73184b292b1abaf0a8d340545d0c15694a78
  • Cdnjs
  • Centos
  • Cloudflare
  • Cloudflare Bot Management
  • Contentful
  • Cufon
  • Envoy
  • Firebase
  • Google Analytics
  • Google Hosted Libraries
  • Google Sign-In
  • Google Tag Manager
  • Hsts
  • Http/3
  • Jquery
  • Jquery Ui
  • Lodash
  • Microsoft Asp.Net
  • Mysql
  • Next.Js
  • Nginx
  • Nginx:1.25.1
  • Node.Js
  • Openssl:1.0.2k
  • Php
  • React
  • Ruby
  • Ruby On Rails
  • Select2
  • Tumblr
  • Varnish
  • Webpack
  • Wordpress
  • Zabbix

Last Finished Scan:
  • Scan Name: allhttpx
  • Fleet: allhttpx
  • Duration: 10.00 Hours
  • Finished: 8 months ago
  • State: Finished