You are hacking on: Trustpilot

Powered by:

Allows bounty splitting:

Average time to first program response: 8

Average time to bounty awarded null: 608

Average time to report resolved: 681

Handle trustpilot

Managed program: true

Name: Trustpilot

Offers bounties: true

Offers swag: false

Response efficiency percentage: 95

Submission state: open

Url: https://hackerone.com/trustpilot

Website: https://www.trustpilot.com/

In scope:

Asset identifier: *api.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Use https://developers.trustpilot.com/ to get insights on how public APIs are orchestrated.

Integrity requirements:

Max severity: critical

Asset identifier: *authenticate.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Authentication service for business portal

Integrity requirements:

Max severity: critical

Asset identifier: *b2b.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: *business.trustpilot.com

Asset type: URL

Availability requirement: low

Confidentiality requirement: low

Eligible for bounty: true

Eligible for submissions: true

Instruction: This services serves to provide a landing and welcome page for business users looking to register and request demo's of the product. There is a option to register with a google account.

Integrity requirements: medium

Max severity: high

Asset identifier: *emailsignature.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Exploit dynamically generated images shown on customers email signatures and newsletter templates.

Integrity requirements:

Max severity: critical

Asset identifier: *invitations-api.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: *legal.trustpilot.com

Asset type: URL

Availability requirement: low

Confidentiality requirement: low

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements: low

Max severity: medium

Asset identifier: *share.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Example: Intercept and replace images shared on social media.

Integrity requirements:

Max severity: critical

Asset identifier: *signup.business.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: Out of scope vulnerability: Claiming email provider using matching domain.

Integrity requirements:

Max severity: critical

Asset identifier: *widget.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction: APIs, Static HTML/JavaScript/CSS assets for our widgets

Integrity requirements:

Max severity: critical

Asset identifier: *www.trustpilot.com

Asset type: URL

Availability requirement:

Confidentiality requirement:

Eligible for bounty: true

Eligible for submissions: true

Instruction:

Integrity requirements:

Max severity: critical

Asset identifier: 1608392803

Asset type: APPLE_STORE_APP_ID

Availability requirement: high

Confidentiality requirement: high

Eligible for bounty: true

Eligible for submissions: true

Instruction: https://apps.apple.com/app/trustpilot-reviews-ratings/id1608392803

Integrity requirements: high

Max severity: critical