Bug Bounty: New Targets & Scope Analysis

by Alex Johnson

Welcome to the latest installment of our bug bounty collaboration! This article provides a comprehensive overview of new targets, out-of-scope vulnerabilities, and specific guidelines for ethical hackers. We'll delve into the details of each program, ensuring you have all the information needed to maximize your success and stay within the program's boundaries. Let's get started and explore the opportunities that await!

Sonder.com and Subdomains

The first set of targets includes www.sonder.com, graph.sonder.com, payments.sonder.com, and internal-graph.sonder.com. Before you dive in, it's essential to understand the exclusions. Non-qualifying vulnerabilities include descriptive error messages, theoretical subdomain takeovers without proof of control, and HTTP 404 responses. Information leakage on common services, disclosure of public files, and clickjacking on public pages are also out of scope, as are CSRF on anonymous forms, logout CSRF, and autocomplete being enabled. Missing security headers, SSL issues, and rate limiting issues are likewise listed as non-qualifying, so do not report them on their own. Ensure that your submissions are impactful and align with the program's goals; understanding these exclusions will save you time and increase the likelihood of a successful submission.

Netskope.io and Netskope.net

Next up, we have bugbounty[1-2].devint.boomskope.com, *.netskope.io, and *.netskope.net. The scope here is fairly straightforward, but there are some crucial constraints. Denial of service and rate limit testing are strictly prohibited, and DNS-based submissions are not accepted. The environment is a dedicated test environment, so keep scanning to one request per second. Submissions concerning Netskope open-source software, which is publicly available on GitHub, are also out of scope. Use the credential provided for the program, holy-haze-9690@bugcrowdninja.com, rather than any other account. Carefully review these rules to avoid disqualification.

Amaysim.com.au

The target here is *.amaysim.com.au. The primary out-of-scope restriction is related to application-level and other forms of DDoS and DoS testing. Before testing, it is essential to request permission from the team. Always seek authorization before conducting any tests that could impact the availability of the service.

VWapps.io, VWapps.run, and VWapps.cloud

For *.vwapps.io, *.vwapps.run, and *.vwapps.cloud, the program publishes a long list of out-of-scope vulnerabilities. Self-XSS, email spoofing, and CSRF issues that don't affect account integrity are excluded, as are issues only exploitable on outdated browsers or operating systems. Some finding types are accepted only with demonstrated concrete impact: internal IP address disclosure, vulnerabilities in third-party libraries, and information leaks are all rejected unless you show a direct security consequence. Prioritize high-impact vulnerabilities and provide clear evidence of their effect.

Global-fashion-group.com and Sellercenter.net

The scope includes *.global-fashion-group.com, *.sellercenter.net, *.gfgtech.com, *.datajet.io, sellercenter.com.br, api.sellercenter.com.br, static.sellercenter.com.br, and staging.sellercenter.com.br. The exclusions are extensive, including denial of service attacks, reports that merely point to outdated software, and low-impact CSRF. Issues exploitable only through Self-XSS and unverified output from automated tools are also not accepted. Keep your testing targeted and focused on high-impact vulnerabilities.

SDGE.com, Socalgas.com, and Sempra.com

For *.sdge.com, *.socalgas.com, *.sempra.com, myenergycenter.com, and www.formyinfo.com, out-of-scope vulnerabilities include clickjacking on pages with no sensitive actions, CSRF on unauthenticated forms, and attacks requiring MITM or physical access. Reports of known-vulnerable libraries without a working proof of concept are also excluded. Focus on findings with considerable impact, such as unauthorized access to customer data or other concrete security flaws.

Carvana.com and Carvana.io

The targets *.carvana.com, *.carvana.io, *.carvanatech.com, *.zagforward.com, *.carvana.net, *.carvanadash.com, *.carvanaauction.com, *.cvnacorp.com, and *.drive4carvana.com have specific exclusions. Rate limiting issues, SSL/TLS issues, and SPF/DMARC issues are not eligible. Do not test outside the defined scope, which includes third-party services, and do not test the car purchasing flow or the production chat flow. Denial of service and rate-limiting tests are prohibited. Be sure to understand these restrictions to avoid any violations.

Stage.flatfox.ch

The target here is stage.flatfox.ch/. P5 vulnerabilities, open redirects, and DMARC and SPF issues are excluded. Rate-limiting and (D)DoS attacks are not permitted. Focus on high-impact vulnerabilities within the defined scope, and check the exclusions list carefully before testing.

Rewind.com and Related Domains

The scope includes api.rewind.com, app.rewind.com, app.replay.sh, and incoming-webhooks-us.rewind.io/v1/webhook/. Note that any finding without demonstrable impact is out of scope. Third-party assets, contact-us forms, and missing cookie flags on non-sensitive cookies are not eligible. IP and port scanning through Rewind services is out of scope unless the requests actually reach private IP ranges or Rewind's own servers. Issues with SPF, DKIM, and DMARC records and missing security headers are also out of scope. Focus on vulnerabilities with a measurable impact on data security.

Telstra.com and Pokemon.com

The targets are *.telstra.com/, *.telstra.com.au/, *.pokemon.com, and *.pokemoncenter.com. There are no specific exclusions listed here, but always ensure your testing aligns with ethical hacking practices. Adhere to all guidelines and avoid any actions that could harm the service or its users.

Practicefusion.com and Patientfusion.com

For *.practicefusion.com/, *.patientfusion.com/, palladium.pd.diagnosticorderingnetwork.com/, static.pd.diagnosticorderingnetwork.com/, diagnosticorderingnetwork.com/, and static.diagnosticorderingnetwork.com/, interacting with real patients, doctors, or customers is forbidden. Denial of service (DoS) attacks are not permitted, and corporate email services and their configurations are out of scope. Always prioritize user privacy and data security in your testing.

Employmenthero.com

For employmenthero.com/create-account/, jobs.employmenthero.com/, and secure.employmenthero.com/, remember that the third-party authentication service FusionAuth is out of scope. Do not create any Australian Tax Office (ATO) lodgements. Focus on vulnerabilities within the core application and adhere to the guidelines.

Ivanti Products

For https://epmmbugcrowd.eastus.cloudapp.azure.com/mifs/login.jsp, https://zta.bugcrowd.engpentest.com/admin, https://sentry-bugcrowd.eastus.cloudapp.azure.com:8443/, https://auto10106408.qa.mobileiron.net/login.html, https://bugcrowdics.eastus.cloudapp.azure.com/admin, and https://bugcrowdips.eastus.cloudapp.azure.com/admin, there is a long list of out-of-scope vulnerabilities. Rate limiting, DoS, and findings that only show a departure from security best practices are not eligible. Information disclosure and vulnerabilities that require unlikely user interaction are also excluded. Prioritize high-impact vulnerabilities and provide clear evidence of their effect.

Village Cinemas and Roadshow.com.au

The targets are *.villagecinemas.com.au, *.intencity.com.au, *.movieworld.com.au, *.seaworldresort.com.au, *.topgolf.com.au, *.vrl.com.au, *.vrtp.com.au, *.roadshow.com.au, and https://preprod.villagecinemas.com.au/. Externally hosted environments are out of scope. P5 vulnerabilities, availability/volumetric testing, and automated scans without a working PoC are not eligible, nor are low-impact CSRF issues, missing security headers, and email-related best practices. Since availability testing is excluded, concentrate on findings with demonstrable security impact within the listed domains.

Avast, Avira, and NortonLifeLock

The targets include *.gendigital.com, *.avast.com, *.avira.com, *.avg.com, *.ccleaner.com, *.nortonlifelock.com, *.norton.com, *.lifelock.com, int1-fe-memberportal.dev.aws.lifelock.com, stage-mobile-api.lifelock.com/mobile-api/app-config, and https://int1-fe-memex-api-ext.dev.aws.lifelock.com. There is a long list of out-of-scope vulnerabilities, including low/informational impact vulnerabilities, those on non-production subdomains, and account/email enumeration using brute-force attacks. Focus on vulnerabilities with high security impact and avoid low-impact findings.

Deputy.com

For https://*.deputy.com/*, the focus areas are privilege escalation, RCE, cross-organizational attacks, and API vulnerabilities. Broken access control issues have temporarily been placed out of scope, and volumetric attacks are excluded from this program. Prioritize the identified focus areas and test those aspects of the application thoroughly.

Thrivent.com

For *.thrivent.com and *.thriventbank.com, no Denial of Service (DoS) testing is permitted. All vulnerabilities related to video.thrivent.com and zoom links or zoom configuration are out of scope. Any vulnerabilities related to publicly available data are not eligible. Focus on high-impact vulnerabilities and adhere to all guidelines.

Edapp.com

Finally, for https://*.edapp.com/, only P1 and P2 findings are rewarded. The "Send us your form" functionality should not be tested, and physical social engineering of any kind is prohibited. Concentrate on high-impact vulnerabilities and adhere to the guidelines.

In conclusion, this comprehensive overview should guide your bug bounty hunting. By carefully reviewing the scope and exclusions, you can increase your chances of finding valuable vulnerabilities. Remember to always prioritize impact, adhere to ethical hacking practices, and provide detailed reports. Good luck, and happy hunting!
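One way to turn scope lists like the ones above into a check that runs before every request, as an added example that is not part of the original article or of any program's tooling. The SCOPE_RAW list is constructed from a handful of the entries quoted above; the matching rules it applies (a leading wildcard covers subdomains only unless include_apex is set, a path prefix or scheme given in the entry is honoured, and a [1-2] range is treated as a glob character class) are this example's own reading of how such lists are usually meant, so confirm them against each program brief. The naive substring check is included alongside to show why it is fooled by look-alike hosts and userinfo tricks.

```python
"""Scope checker for bug bounty target lists (added example with constructed data)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample: a few of the entry styles seen in program scope lists
# (bare host, glob range, wildcard, host with path prefix, full URL, URL with /*).
SCOPE_RAW = [
    "www.sonder.com",
    "bugbounty[1-2].devint.boomskope.com",
    "*.netskope.io",
    "incoming-webhooks-us.rewind.io/v1/webhook/",
    "https://*.edapp.com/",
    "https://*.deputy.com/*",
]


@dataclass(frozen=True)
class ScopeEntry:
    host_pattern: str       # lowercase; fnmatch syntax, so "*" and "[1-2]" work
    path_prefix: str        # "/" means the whole host
    scheme: Optional[str]   # None means any scheme


def parse_entry(raw: str) -> ScopeEntry:
    """Split one scope line into host pattern, path prefix and optional scheme."""
    raw = raw.strip()
    scheme = None
    if "://" in raw:
        scheme, raw = raw.split("://", 1)
        scheme = scheme.lower()
    host, sep, path = raw.partition("/")
    # "/*" and a bare trailing "/" both mean "everything under this host"
    path = "/" + path.rstrip("*") if sep else "/"
    return ScopeEntry(host.lower().rstrip("."), path, scheme)


SCOPE = [parse_entry(r) for r in SCOPE_RAW]


def host_matches(pattern: str, host: str, include_apex: bool = False) -> bool:
    """Anchored glob match over the whole hostname: "*.netskope.io" never matches
    "netskope.io.attacker.test", and matches "netskope.io" only if include_apex."""
    host = host.lower().rstrip(".")
    if fnmatchcase(host, pattern):
        return True
    return include_apex and pattern.startswith("*.") and host == pattern[2:]


def in_scope(url: str, scope=SCOPE, include_apex: bool = False) -> Optional[ScopeEntry]:
    """Return the scope entry that authorises this URL, or None.

    The URL goes through urlsplit so that userinfo ("www.sonder.com@evil"),
    ports and look-alike suffixes cannot fool the host comparison."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    for entry in scope:
        if entry.scheme and parts.scheme.lower() != entry.scheme:
            continue
        if not host_matches(entry.host_pattern, host, include_apex):
            continue
        if not (path.startswith(entry.path_prefix) or path + "/" == entry.path_prefix):
            continue
        return entry
    return None


def naive_in_scope(url: str, domains=("sonder.com", "netskope.io")) -> bool:
    """The substring check people write first; kept only to show how it is fooled."""
    return any(d in url for d in domains)


if __name__ == "__main__":
    for u in [
        "https://www.sonder.com/login",
        "https://www.sonder.com.attacker.test/",    # look-alike suffix
        "https://www.sonder.com@attacker.test/",    # userinfo trick
        "https://api.dev.netskope.io:8443/v2/",
        "https://netskope.io/",                     # apex is not in "*.netskope.io"
        "https://incoming-webhooks-us.rewind.io/v1/other",
        "http://app.edapp.com/",                    # entry restricts scheme to https
    ]:
        print(f"{u:50} naive={naive_in_scope(u)!s:5} strict={in_scope(u) is not None}")
```

Run the file directly to see the naive and strict verdicts side by side; in a scanner, call in_scope() and refuse to send anything for which it returns None. Programs that mean the apex as well as its subdomains almost always list it separately, so leave include_apex off unless the brief says otherwise.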

For additional information and resources on bug bounty programs, check out Bugcrowd's official website: https://www.bugcrowd.com/