Instruction: Vendor hosted and managed CMS for corporate / marketing site. It is domain whitelisted for reddit.com functionality so if you can string an attack together with reddit.com then this becomes super interesting.
Integrity requirements: low
Max severity: medium
Asset identifier: *.redditmedia.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: high
Max severity: critical
Asset identifier: *.snooguts.net
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is our internal domain for "intranet" related services. Accessible to the internet should be either 1) an OAuth proxy that gates access to backend services (SCM, admin tooling, CI/CD, etc.) or 2) k8s public ingresses.
This domain isn't necessarily "private" so leaking the domain isn't interesting, but certainly bypassing proxy auth wall or finding juicy targets on that domain is of interest.
Integrity requirements: high
Max severity: critical
Asset identifier: 1064216828
Asset type: APPLE_STORE_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: Official iOS app, DoS issues generally not eligible for bounty
Integrity requirements:
Max severity: critical
Asset identifier: accounts.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Authentication / authorization service for reddit.com
Integrity requirements: high
Max severity: critical
Asset identifier: ads-api.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the backend for ads.reddit.com that interfaces with Reddit and our backend Ads systems. Also used by our partners for advertising reporting, bulk modifications, and callbacks.
Integrity requirements: high
Max severity: critical
Asset identifier: ads.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Login uses a reddit.com account. Reddit does not reimburse or provide credits to run ads campaigns.
Integrity requirements: high
Max severity: critical
Asset identifier: amp.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: This service houses our AMP generated pages for search engine optimization.
Integrity requirements: high
Max severity: critical
Asset identifier: api.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: The Reddit API is used for programmatic access. Please use your own test accounts and do not try to access the private data of other users/mods/admins or Reddit employees. Authentication ([OAUTH](https://github.com/reddit-archive/reddit/wiki/OAuth2)) and authorization are especially important.
Docs are available at: https://www.reddit.com/dev/api
Please follow Reddit's [rules for API access](https://github.com/reddit-archive/reddit/wiki/API).
Integrity requirements: high
Max severity: critical
Asset identifier: com.reddit.frontpage
Asset type: GOOGLE_PLAY_APP_ID
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Official Android app, DoS issues generally not eligible for bounty.
Integrity requirements: high
Max severity: critical
Asset identifier: gateway.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Frontdoor service that handles dispensation to backend microservices. Relies on oauth authentication
Integrity requirements: high
Max severity: critical
Asset identifier: gql.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: GraphQL implementation for Reddit accessing all our internal Things requiring OAuth
Integrity requirements: high
Max severity: critical
Asset identifier: https://app.spiketrap.io
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium
Asset identifier: https://www.spiketrap.io
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: low
Max severity: medium
Asset identifier: m.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Mobile webapp (we call mweb) for Reddit. Use a mobile UA to access.
Integrity requirements: high
Max severity: critical
Asset identifier: meta-api.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Houses Reddit's smart contracts based on Ethereum, which is called Community Points and ties in with the Vault functionality within Reddit's official mobile apps.
Integrity requirements: high
Max severity: critical
Asset identifier: mod.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: The Reddit modmail interface is used by moderators to take moderator actions and view reports. Please test against your own subreddits and not those belonging to other users/mods/admins.
Integrity requirements: high
Max severity: critical
Asset identifier: new.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: The Reddit redesign. Follow the same rules as `www.reddit.com`.
Integrity requirements: high
Max severity: critical
Asset identifier: oauth.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: high
Max severity: critical
Asset identifier: old.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Reddit's old interface. This interface is still active and eligible for bounty awards. Follow the same rules as `www.reddit.com`.
Integrity requirements: high
Max severity: critical
Asset identifier: reddit.secure.force.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Reddit maintains a SFDC tenant for customer management for our advertisers. SFDC bugs aren't eligible for payout, but misconfigurations that are Reddit's responsibility are.
Integrity requirements: medium
Max severity: critical
Asset identifier: redditforbusiness.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: Third party hosted CMS platform on WebFlow
Integrity requirements: medium
Max severity: high
Asset identifier: s.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: This is the Reddit chat (via Sendbird) service endpoint
Integrity requirements: high
Max severity: critical
Asset identifier: sh.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements: high
Max severity: critical
Asset identifier: strapi.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: Streaming api used for Reddit's RPAN live video streaming service.
Integrity requirements: high
Max severity: critical
Asset identifier: www.reddit.com
Asset type: URL
Availability requirement: high
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: The primary Reddit website. Create your own accounts for testing. Do not attempt to access private data belonging to other users or Reddit admins/mods/employees.
