Instruction: ## In Scope
* *.aol.com
## Notes
Only use this asset when nothing else can be reasonably selected.
Bugs in AOL properties that are not listed in the scope of our other AOL-related assets can still be submitted to this asset and **might** be eligible for an award, at the sole discretion of the Yahoo Bug Bounty team.
## Out of Scope
* *nat.aol.com
* *.ipt.aol.com
Integrity requirements:
Max severity: critical
Asset identifier: AOL Help
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* help.aol.com
* assistance.aol.fr
* help.aol.co.uk
* hilfe.aol.de
## Notes
Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.
## Out of Scope
* assist.aol.com (2nd party service)
* helpisp.netscape.com
* helpconnect.netscape.com
* help.compuserve.com
Integrity requirements:
Max severity: critical
Asset identifier: AOL Homepage
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* www.aol.fr
* www.aol.de
* www.aol.co.uk
* www.aol.jp
* www.aol.in
* www.aol.ca
* www.aol.com
* www.aol.com/*
* AOL Games Landing Page - https://www.aol.com/games/ -> **see 3rd Party Notes Below**
## Notes
**OOS Exception:** 3rd-party components remain in scope where the impact lands in the aol.com origin (e.g. an XSS that executes in the aol.com domain as a result of abusing the TravelZoo module on the Travel page).
## Out of Scope
First Party Things:
* https://ottr.video.yahoo.com/v1/video-exp/schedule
* https://s.yimg.com/rb/screwdriver/ctv/ve-module/builds/prod/aol/dist/vem.js
Second Party Things:
* [DataMask by AOL](https://get.aol.com/datamask/) (White Label app)
* [AOL OnePoint](https://get.aol.com/onepoint) (White Label app)
* [Private WiFi by AOL](https://get.aol.com/privatewifi/) (White Label app)
* [AOL Games](https://www.aol.com/games) (White Label app)
Third Party Things:
* 3rd Party Ad Integration. (Third Party, Taboola)
* `Popular in the Community`, `More Conversations for You`, Commenting on articles (and more) (Third Party, OpenWeb)
* spot.im (Third Party, OpenWeb)
* Individual AOL Games pages are rendered by us, but the Masque game URLs are loaded in an iframe. (Third Party, Masque)
* games.com, fungames.aol.com & fungames.com (Third Party, Masque)
* comparecards.aol.com is CNAME'd to our own ATS cluster, which forward-maps requests to the CompareCards CloudFront distribution. (Third Party, CompareCards)
* JS widget on the AOL.com homepage providing news stories. (Third Party, Zergnet)
* Server-side rendered module on aol.com/real-estate; the data comes from the Zillow API. (Third Party, Zillow)
* Server-side rendered module on www.aol.com/travel; the data comes from the TravelZoo API. (Third Party, Travel Zoo)
* rezserver.com (Third Party, Travel Zoo)
Integrity requirements:
Max severity: critical
Asset identifier: AOL Mail
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* *.mail.aol.com (see exclusions below)
* rpc.mail.aol.com
## Notes
* oidc.mail.aol.com (hosted by Mail, but belongs to the `Membership` asset)
## Out of Scope
* mail.aol.com/calsvc
* [AOL iOS](https://apps.apple.com/us/app/aol-news-email-weather-video/id646100661)
* [AOL Android](https://play.google.com/store/apps/details?id=com.aol.mobile.aolapp&hl=en_US)
* [AOL FireOS](https://www.amazon.com/AOL-Inc-Mail-News-Video/dp/B011VYAGSY)
* [AOL Desktop Gold](https://get.aol.com/aol-desktop-gold)
* apis.mail.aol.com
* test-apis.mail.aol.com
* *.aolmail.com
* mail.aol.com/classicab
* mail.aol.com/getmydata
* mail.aol.com/ws
* *.aol.com
Integrity requirements:
Max severity: critical
Asset identifier: AOL Mobile Apps
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## Out of Scope
* Apps from the app stores are not in scope.
Integrity requirements:
Max severity: critical
Asset identifier: AOL Publishers
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * *.aolpublishers.com
Integrity requirements:
Max severity: critical
Asset identifier: AOL Search
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* search.aol.ca
* search.aol.co.uk
* search.aol.com
* recherche.aol.fr
* suche.aol.de
## Notes
Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.
Integrity requirements:
Max severity: critical
Asset identifier: Arkime
Asset type: SOURCE_CODE
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ### Review the Code
* [Source Code](https://github.com/arkime/arkime)
* Submit a PR to fix/update the code - [fork](https://help.github.com/en/articles/fork-a-repo) the codebase then submit a [PR](https://help.github.com/en/articles/creating-a-pull-request-from-a-fork)
* Visit our web page at https://arkime.com/ for pre-built rpm/deb packages and instructions for running it yourself.
## Out of Scope
* Known unauthenticated endpoints such as `parliament.json` & `eshealth.json`
* UI based bugs on `parliament`
* demo.arkime.com
* *.molo.ch (old website)
Integrity requirements:
Max severity: critical
Asset identifier: Athenz
Asset type: SOURCE_CODE
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ### Review the Code
* [Source Code](https://github.com/yahoo/athenz)
* Submit a PR to fix/update the code - [fork](https://help.github.com/en/articles/fork-a-repo) the codebase then submit a [PR](https://help.github.com/en/articles/creating-a-pull-request-from-a-fork)
### Out of Scope
`yahoo/athenz/ui`, `yahoo/athenz/contributions`, and `yahoo/athenz/docker` lag behind our own internal deployment because our production instance relies on Okta and Duo, which we are not able to deploy for you for this event; this is why we stated during the scoping call that the Athenz UI was out of scope.
The UI is provided only as a starting point: whoever needs it can take it, integrate it with their own authentication system, and add all the necessary protections. Our UI developers worked with the Paranoids' red team internally for quite some time to address many different bug classes in our Okta and Duo integration, and that hardened integration is what runs in our production instance.
Integrity requirements:
Max severity: critical
Asset identifier: Autoblog
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* www.autoblog.com
## Out of Scope
* *.spot.im (3rd party, Spot.IM)
* Development-like environments for `autoblog.com` exist, but should not be tested; keep the testing in Production (`www.`).
Integrity requirements:
Max severity: critical
Asset identifier: BUILD
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * *.buildseries.com
Integrity requirements:
Max severity: critical
Asset identifier: Built By Girls
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* *.builtbygirls.com
## Notes
* You MUST register for an account with your `@wearehackerone` email address or else your report will NOT be eligible for bounty.
## Out of Scope
* jobs.builtbygirls.com (3rd party, Jobboard.io)
* store.builtbygirls.com (3rd party, BrightStores)
* builtbygirls.mybrightsites.com (3rd party, BrightStores)
Integrity requirements:
Max severity: critical
Asset identifier: DSP
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* api-v3.admanagerplus.yahoo.com
* admanagerplus.yahoo.com
## Notes
Limit your request rate to `120 requests/minute` to avoid being auto-banned or impacting our production system.
This asset is not eligible for bounty through our public bug bounty program.
Integrity requirements:
Max severity: critical
Asset identifier: Engadget
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* [APIs](https://api.engadget.com/api)
* *.engadget.com
## Notes
* Separate reports of the same or a similar payload/issue against multiple Engadget international editions will be marked as duplicates and paid only once.
## Out of Scope
* *.spot.im (3rd party, Spot.IM)
* *.cn.engadget.com (Engadget International Edition)
* *.chinese.engadget.com (Engadget International Edition)
* *.japanese.engadget.com (Engadget International Edition)
* jobs.engadget.com (3rd party, Jobboard.io)
Instruction: ## In Scope
* *.isp.netscape.com
* *.lite.aol.com
* *.compuserve.com
* www.wmconnect.com
Other places to look:
* webaccelerator.isp.netscape.com
* register.isp.netscape.com
* admin.isp.netscape.com
* www.getnetscape.com
* netscape.compuserve.com
## Out of Scope
* Subdomains of `wmconnect.com` outside of `www`
## Notes
* These services are designed for delivery through slow internet connections.
* Registration for these services has been disabled.
* Help-related pages/domains should be reported to the AOL Help asset.
Integrity requirements:
Max severity: critical
Asset identifier: Makers
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * *.makers.com
Integrity requirements:
Max severity: critical
Asset identifier: Media Platform Marketing Website
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* *.verizondigitalmedia.com
* www.verizondigitalmedia.com (prod)
* stage-www.verizondigitalmedia.com (staging, only non-english content)
* research.verizondigitalmedia.com
## Notes
* The staging environment of `www.verizondigitalmedia.com` only hosts non-English translations of the content served on www.
* Do not spam our Support Request team (the `our-company/request-support/` and `our-company/customer-support/` paths).
## Out of Scope
* *.yahooinc.com (Company home page)
* *.ouryahoo.com
* *.verizonmedia.com
* info.verizondigitalmedia.com (Third Party, Pardot/Salesforce)
* status.verizondigitalmedia.com (Third Party, Status.io)
The pages listed under these URL paths (Third Party, instapage.com):
* www.verizondigitalmedia.com/announcement/*
* www.verizondigitalmedia.com/campaign/*
* www.verizondigitalmedia.com/case-study/*
* www.verizondigitalmedia.com/e-book/*
* www.verizondigitalmedia.com/free-trial/*
* www.verizondigitalmedia.com/infographic/*
* www.verizondigitalmedia.com/internal/*
* www.verizondigitalmedia.com/landing/*
* www.verizondigitalmedia.com/platform-updates/*
* www.verizondigitalmedia.com/referral/*
* www.verizondigitalmedia.com/report/*
* www.verizondigitalmedia.com/rsvp/*
* www.verizondigitalmedia.com/television-academy/*
* www.verizondigitalmedia.com/webinar/*
* www.verizondigitalmedia.com/white-paper/*
Integrity requirements:
Max severity: critical
Asset identifier: Media Platforms Engineering Blog
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* eng.verizondigitalmedia.com
* eng-staging.verizondigitalmedia.com
## Notes
Bugs present on both Staging and production will not be awarded `Same Bug Different Host` bonus.
Integrity requirements:
Max severity: critical
Asset identifier: Membership
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* https://login.yahoo.com
* https://login.aol.com
* https://api.login.yahoo.com
* https://api.login.aol.com
* http://credstore.yahoo.com/
Some documentation that may help:
https://developer.yahoo.com/oauth2/guide/
Specific paths to target:
For `login.*.com`
* /account/logout
* /auth/2.0/credentials
* /auth/1.0/
* /saml2/
* /account
* /oauth2
* /ylc
* /account/challenges
* /account/access
* /oauth2/device_auth
* /ctv
* /activate
* /forgot
For `api.login.*.com`
* /api
* /oauth2/get_token
* /oauth2/web_session
* /oauth2/device_sessions
* /oauth2/device_authorization
* /oauth2/device_auth
* /oauth2/revoke
* /oauth2/introspect
## Out of Scope
* Any rate limits for authentication attempts.
* Any differentiated treatment based on account, browser, IP address etc.
## Limits
* Limit traffic against our services to < 10/second when probing or testing.
Instruction: Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records.
* billupdate.aol.com
* myaccount.aol.com
* myservices.aol.com
* payments.aol.com
* mybenefits.aol.com
* cancel.aol.com
* bill.aol.com
Please consolidate your reports.
**Note: Reporting the same issue separately for multiple CNAMEs will result in reports being marked as `Duplicate` at best.**
Integrity requirements:
Max severity: critical
Asset identifier: Other (misc)
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty:
Eligible for submissions: true
Instruction: Only use this asset when nothing else can be reasonably selected.
Bugs in Yahoo products that are not listed in the scope of our [Public Program](https://hackerone.com/yahoo) can still be submitted to this asset and **might** be eligible for an award, at the sole discretion of the Yahoo Bug Bounty team.
Use this asset for:
* *.vzbuilders.com
* *.oath.cloud
* *.yahoo.cloud
Integrity requirements:
Max severity: critical
Asset identifier: RYOT
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* RYOT Mobile SDK (iOS and Android) `https://s.yimg.com/cv/apiv2/ar_sdk/*`
* *.ryot.org (site under construction)
## Notes
* The RYOT Augmented Reality SDK is used by our major mobile apps.
* `ryot.org` is hosted on WordPress; WP’s services are not in scope
## Out of Scope
* *.ryotfilms.com (third party)
* *.ryot.com (third party)
* *.portal.ryot.com (third party)
Integrity requirements:
Max severity: critical
Asset identifier: Social Media Accounts
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## Requirements
* Account in question has posted content within 365 days of report submission
* Account in question is related to a company, brand, or product
* Exposed (valid/functional/active) credentials that allow login to an account
## In Scope
* Bounty: **Must meet all** `Requirements` above
* Reputation: Meets at least one of the `Requirements` above
* Note: “Account in question” means the account you are reporting as “vulnerable.”
## Out of Scope
* Account in question is related to an individual (employee, freelancer or otherwise)
* Brute forcing account credentials
Integrity requirements:
Max severity: critical
Asset identifier: TW Media: Front Page
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* tw.mobi.yahoo.com
* tw.yahoo.com
* Content API: https://ncp-gw-abu.media.yahoo.com/
## Out of Scope
* *.yahoo.com.tw
Instruction: ## In Scope
* [Yahoo TW Stock Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.TWStock)
* [Yahoo TW Stock iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%82%A1%E5%B8%82/id790214428?mt=8)
* Yahoo TW Stock
  * tw.stock.yahoo.com
  * API: https://stock-app.abumedia.yql.yahoo.com
  * API: https://tw-finance-yql.media.yahoo.com
## Notes
* `stock.yahoo.com` and `finance.yahoo.com` are identical; reports will NOT be credited a same-bug-different-host bonus when an issue is found on both domains.
* The TW Stock apps depend heavily on third-party SDK(s) for real-time market quote data. Every page that shows values (volume, prices, up/down flag, ...) for indices, tickers, ETFs, etc., as well as ticker information, line charts and notification settings, gets that data from the SDK. The connection to the SDK service is established when the app launches and lasts for the app's whole lifetime. **These SDK service(s) are out of scope.**
## Out of Scope
* *.yahoo.com.tw
* tw.finance.yahoo.com
* Quote SDK (from Systex inc.)
Integrity requirements:
Max severity: critical
Asset identifier: TW eCommerce: Auctions
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* [Yahoo TW Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecauction)
* [Yahoo TW Auctions iOS](https://itunes.apple.com/tw/app/yahoo%E6%8B%8D%E8%B3%A3-%E5%88%8A%E7%99%BB%E5%85%8D%E8%B2%BB/id1033771352?mt=8)
* Yahoo TW Auctions:
  * *.bid.yahoo.com
  * https://tw.bid.yahoo.com
* Yahoo TW Auctions APIs:
  * https://tw.bid.yahoo.com/api/
  * https://tw.api.bid.yahoo.com:4443
* Search API: tw.search.ec.yahoo.com
## Notes
* Access to the Taiwan sites from some countries in Europe may be blocked.
* `Buyer` accounts can be set up for any Yahoo user.
* `Seller` accounts require a TW phone number and 2FA.
* **Do not** use fake data (like nid) when operating the cash functions; it may cause real money to be stuck, and **we will hold you accountable for broken workflows.**
* You are required to clean up all the testing data related to posting new products.
* You **must** include the following “test” label in **ALL** posts (in the most visible location) to prevent regular users from interacting with hacker-created content: `[PARANOIDS-勿下標][TEST]` -- *Any reports identified that are missing this label, will not receive a bounty.*
## Out of Scope
* *.yahoo.com.tw
* ismarus-ap-94600.tw.juiker.net
* *.tw.juiker.net
* auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
* *.straas.net
* iOS: JuikerIMSDK.framework, StraaS-iOS-SDK
* Android: io.straas.android.sdk
* ecfme.famiport.com.tw (Third Party)
Instruction: ## In Scope
* [Yahoo TW Store Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.ecstore)
* [Yahoo TW Store iOS](https://itunes.apple.com/tw/app/yahoo%E5%A5%87%E6%91%A9%E8%B6%85%E7%B4%9A%E5%95%86%E5%9F%8E/id778296354?mt=8)
* Yahoo TW Store
  * *.tw.mall.yahoo.com
  * m.mall.yahoo.com
  * Web: https://tw.mall.yahoo.com/
  * Mobile Web: https://m.tw.mall.yahoo.com/
  * API: https://tw.ews.mall.yahooapis.com/
* Search API: tw.search.ec.yahoo.com
## Out of Scope
* *.yahoo.com.tw
Integrity requirements:
Max severity: critical
Asset identifier: TW eCommerce: Used Car
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* tw.usedcar.yahoo.com
## Notes
Refer to the **Notes** section in the `TW eCommerce: Auctions` listing.
## Out of Scope
* *.yahoo.com.tw
* autos.yahoo.com.tw
* tw.serviceplus.yahoo.com
Integrity requirements:
Max severity: critical
Asset identifier: TechCrunch
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* *.techcrunch.com
* Custom endpoints: `https://techcrunch.com/wp-json/tc/v1/*` -- These are custom endpoints that follow the WordPress REST API architecture and output methods, modified for our uses with custom data.
* Custom mobile endpoints: `https://techcrunch.com/wp-json/tc/mobile/v2/*` -- These are the endpoints that are used by the mobile apps to retrieve posts for the apps.
* Default WordPress: `https://techcrunch.com/wp-json/wp/v2/*` -- We also leverage most of WordPress' out of the box endpoints with added custom data to augment the output.
## Out of Scope
* *.crunchbase.com (3rd party, Crunchbase)
* *.tc-appunite.herokuapp.com (3rd party, Heroku now closed)
* *.parsely.com (3rd party, Parse.ly)
* *.swiftype.com (3rd party, Swiftype now closed)
* *.marketo.com (3rd party, Marketo)
* *.urbanairship.com (3rd party, Urban Airship)
* *.sailthru.com (3rd party, Sailthru)
* *.spot.im (3rd party, Spot.IM)
* *.tcdisrupt.com (3rd party, App)
* *.bit.ly (3rd party, Bit.ly)
* *.thomsonreuters.com (3rd party, Open Calais)
* *.tinypass.com (3rd party, Piano/Tinypass)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Calendar
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* *.calendar.yahoo.com
* *.caldav.calendar.yahoo.com
Specific paths to look at:
* https://calendar.yahoo.com/ws/v3/users/
* https://caldav.calendar.yahoo.com/principals/users/
* https://caldav.calendar.yahoo.com/dav/*/calendar/
## Limits
Limit traffic against our services to < 10/second when probing or testing.
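The DSP, Membership and Yahoo Calendar notes each cap the tester's request rate (`120 requests/minute` and `< 10/second`). The following is an added example, not code from this program or from Yahoo, of a client-side token bucket that keeps a test harness under such a limit with no bursting; the preset rates, the `FakeClock` and the simulated request timings are constructed for the example.

```python
"""Client-side throttle for keeping bounty traffic under a program's stated limit.

Added example (not part of the program text). A token bucket with `rate` tokens
per second and `capacity` stored tokens bounds both the sustained rate and the
burst size, so the same class covers a 120/min cap and a <10/s cap.
"""
import time
from typing import Callable, List


class TokenBucket:
    """One request consumes one token; tokens refill continuously at `rate`/s.

    `clock` is injectable so the bucket can be exercised offline with a fake clock.
    """

    def __init__(self, rate: float, capacity: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if rate <= 0 or capacity < 1:
            raise ValueError("rate must be > 0 and capacity >= 1")
        self.rate = rate
        self.capacity = capacity
        self._clock = clock
        self._tokens = float(capacity)
        self._last = clock()

    def _refill(self) -> None:
        now = self._clock()
        self._tokens = min(self.capacity, self._tokens + (now - self._last) * self.rate)
        self._last = now

    def try_acquire(self) -> bool:
        """Consume a token if one is available; never blocks."""
        self._refill()
        if self._tokens >= 1.0:
            self._tokens -= 1.0
            return True
        return False

    def seconds_until_token(self) -> float:
        """How long to wait before the next try_acquire() can succeed."""
        self._refill()
        if self._tokens >= 1.0:
            return 0.0
        return (1.0 - self._tokens) / self.rate


def acquire(bucket: TokenBucket, sleep: Callable[[float], None] = time.sleep) -> None:
    """Block until the bucket grants a token; wrap every request in this call."""
    while not bucket.try_acquire():
        sleep(bucket.seconds_until_token())


class FakeClock:
    """Deterministic clock for offline simulation (constructed for this example)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(rate: float, capacity: float, attempts: int, spacing: float) -> List[bool]:
    """Fire `attempts` requests `spacing` seconds apart; report which were admitted."""
    clock = FakeClock()
    bucket = TokenBucket(rate, capacity, clock=clock)
    admitted = []
    for i in range(attempts):
        if i:
            clock.advance(spacing)
        admitted.append(bucket.try_acquire())
    return admitted


if __name__ == "__main__":
    # Presets kept under the quoted caps, with capacity=1 so no burst is ever sent.
    # 120/min -> rate 2.0/s; "< 10/s" -> rate 9.0/s.
    # A burst of 20 requests at t=0 against the 120/min preset admits only the first.
    print(sum(simulate(2.0, 1, 20, 0.0)), "admitted from a burst of 20")
    # Requests every 0.1 s against the <10/s preset: every second one is admitted.
    print(sum(simulate(9.0, 1, 20, 0.1)), "admitted of 20 spaced 0.1 s apart")
```

In a real harness, call `acquire(bucket)` immediately before each HTTP request; `capacity=1` is the conservative choice against production systems because it forbids bursts entirely, while a larger capacity trades a small burst allowance for less waiting.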
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Elections
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
*Note: you MUST include the* `ref=electionsNight` *parameter to hit the right in-scope pages.*
* https://www.yahoo.com/elections?ref=electionsNight
* https://www.yahoo.com/elections/senate?ref=electionsNight
* https://www.yahoo.com/elections/house?ref=electionsNight
* https://www.yahoo.com/elections/state/al?ref=electionsNight (and all other US state pages)
## Notes
Any bugs found in non-production environments will **not** be eligible for the `Same Bug Different Host` bonus if the issue also exists in production.
## Out of Scope
* elections.yahoo.com (First Party, Yahoo Search)
* yahoo.com/elections (First Party, Yahoo Search)
* yahoo.turbovote.org (Third Party, Turbovote)
* Historical Race Feed: https://www.realclearpolitics.com/poll/race/903/historical_data.json (Third Party, Real Clear Politics)
* Presidential RCP Feed: https://www.realclearpolitics.com/syn/verizon_2020_president_trump_vs_/main.json (Third Party, Real Clear Politics)
* Trump Approval RCP Feed: https://www.realclearpolitics.com/syn/verizon_president_trump_approval_ratings/main.json (Third Party, Real Clear Politics)
* Senate RCP Feed: https://www.realclearpolitics.com/syn/verizon_2020_senate/main.json (Third Party, Real Clear Politics)
* House RCP Feed: https://www.realclearpolitics.com/syn/verizon_house_2020/main.json (Third Party, Real Clear Politics)
* Associated Press, Third Party
* Scribble Live, Third Party
Instruction: * [Yahoo HK Auctions Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.hkauctions)
* [Yahoo HK Auctions iOS](https://itunes.apple.com/hk/app/yahoo-pai-mai/id943334932?mt=8)
* [Yahoo HK Auctions (web)](https://hk.auctions.yahoo.com/)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo HK News
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * [Yahoo HK News Android](https://play.google.com/store/apps/details?id=com.yahoo.infohub)
* [Yahoo HK News iOS](https://itunes.apple.com/hk/app/yahoo%E6%96%B0%E8%81%9E-%E9%A6%99%E6%B8%AF%E5%8D%B3%E6%99%82%E7%84%A6%E9%BB%9E/id425655609?mt=8)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo HK Shopping
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* [Yahoo HK Shopping Android](https://play.google.com/store/apps/details?id=com.yahoo.hkdeals)
* [Yahoo HK Shopping iOS](https://itunes.apple.com/hk/app/yahoo-hk-shopping/id472140112?mt=8)
* [Yahoo HK Shopping (web)](https://hk.shop.yahoo.com/)
## Out of Scope
* *.myguide.hk
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Live Web Insights
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * [Yahoo Live Web Insights iOS](https://itunes.apple.com/us/app/yahoo-live-web-insights/id853260592?mt=8)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Mail
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)
* [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)
* [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)
* [Yahoo Mail iOS](https://itunes.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159?mt=8)
* [Yahoo Mail (web)](https://mail.yahoo.com/)
Out of Scope:
* mail.yahoo.com/cal/ (this is the same as `calendar.yahoo.com` and should be reported as Yahoo Calendar)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo News
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * *.news.yahoo.com
* yahoo.com/news
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Open Source Projects (misc)
Asset type: SOURCE_CODE
Availability requirement:
Confidentiality requirement:
Eligible for bounty:
Eligible for submissions: true
Instruction: Select open source projects are now eligible for bounties! The rest of our open source projects are technically in scope, but at a reduced rate for the time being.
Instruction: ## In Scope
* https://bestball.fantasysports.yahoo.com/
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Daily Fantasy
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* https://sports.yahoo.com/dailyfantasy/
* https://sports.yahoo.com/dailyfantasy/contest/create
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Editorial
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* https://sports.yahoo.com/
* https://api-secure.sports.yahoo.com
## Out of scope
* shop.yahoosports.com (Third party)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Fantasy Games
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* https://sports.yahoo.com/fantasy/
* [Fantasy Basketball](https://basketball.fantasysports.yahoo.com/)
* [Fantasy Hockey](https://hockey.fantasysports.yahoo.com/)
* [Fantasy User Profiles](https://profiles.sports.yahoo.com)
* [Fantasy Football](https://football.fantasysports.yahoo.com/) (out of season)
* [Public cookie-based API endpoints](https://pub-api-ro.fantasysports.yahoo.com) (used by some FE stacks)
* [Public OAuth2 endpoints](https://fantasysports.yahooapis.com)
* tournament.fantasysports.yahoo.com
## Out of Scope
* *.sendbird.com (Third Party, SendBird)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Fantasy Slate/PicknWin
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* https://sports.yahoo.com/fantasyslate
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Fantasy Sports
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* [Yahoo Fantasy Sports Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.fantasyfootball)
* [Yahoo Fantasy Sports iOS](https://itunes.apple.com/us/app/yahoo-fantasy-sports/id328415391?mt=8)
* [Yahoo Fantasy Sports (web)](https://sports.yahoo.com/fantasy/)
* https://sports.yahoo.com/odds/
## Notes
The betting feature in Fantasy is provided by a third party, BetMGM. `https://sports.yahoo.com/odds/` is the page that redirects the user to BetMGM; it is geographically restricted.
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Fantasy Wallet
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* https://sports.yahoo.com/dailyfantasy/account/addfunds
Instruction: ## In Scope
* https://n.rivals.com
* https://www.rivals.com/
## Notes
All testing against rivals is to be **MANUAL only.** ZERO automated tools are allowed. **This notice is your warning.**
## Out of Scope
* *.rivalsfanstore.com (3rd party, Fanatics Inc.)
* *.rivalscamps.com (3rd party)
* *.rivalscampseries.com (3rd party)
* [Rivals iOS](https://itunes.apple.com/us/app/rivals-com-no-1-college-sports-recruiting-news/id1069511855?mt=8)
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Sports: Rivals Forums
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: ## In Scope
* *.forums.rivals.com
## Notes
* All testing against rivals is to be **MANUAL only.** ZERO automated tools are allowed. **This notice is your warning.**
* This is third party software and will be awarded at a 50% bounty rate.
* Reports on this asset will not be eligible for bonuses.
Integrity requirements:
Max severity: critical
Asset identifier: Yahoo Video
Asset type: OTHER
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: * [Yahoo Video FireTV](https://www.amazon.com/Yahoo-for-Fire-TV/dp/B014X5UGPQ/)
* [Yahoo Video tvOS](https://itunes.apple.com/us/app/yahoo-watch-free-live-concerts-sports-video-clips-and-more/id1046996690?mt=8)
Instruction: ## Notes
Only use this asset when nothing else can be reasonably selected.
Bugs in Yahoo! properties that are not listed in the scope of our other Yahoo-related assets can still be submitted to this asset and **might** be eligible for an award, at the sole discretion of the Yahoo Bug Bounty team.
Integrity requirements:
Max severity: critical
Asset identifier: apis.mail.yahoo.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: com.yahoo.aerogram
Asset type: APPLE_STORE_APP_ID
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction: [Yahoo Mail iOS](https://apps.apple.com/us/app/yahoo-mail-keeps-you-organized/id577586159)
Instruction: * [Yahoo Mail Android](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail)
* [Yahoo Mail AndroidGo](https://play.google.com/store/apps/details?id=com.yahoo.mobile.client.android.mail.lite)
* [Yahoo Mail FireOS](https://www.amazon.com/Yahoo-Mail-Keeps-you-organized/dp/B00632HWOG/)
* Sign up for the [Beta here](https://play.google.com/apps/testing/com.yahoo.mobile.client.android.mail)
Integrity requirements:
Max severity: critical
Asset identifier: data.mail.yahoo.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: le.yahooapis.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: onepush.query.yahoo.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: proddata.xobni.yahoo.com
Asset type: URL
Availability requirement:
Confidentiality requirement:
Eligible for bounty: true
Eligible for submissions: true
Instruction:
Integrity requirements:
Max severity: critical
Asset identifier: yimg.com
Asset type: URL
Availability requirement: low
Confidentiality requirement: none
Eligible for bounty: true
Eligible for submissions: true
Instruction: yimg.com is a static resource storage and content distribution network (CDN).
**Note:** Reports that exploit bugs **only** in the context of the `yimg.com` domain are most likely to be closed as `Informative`. Most bugs in `*.yimg.com` will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains (e.g. yahoo.com or aol.com) to be eligible for bounty. CVSS Environmental scores have been set to account for this limitation.
What does that mean for my report?
1. If you show escalation into a trusted domain's context (such as yahoo.com), it will be accepted at the 100% bounty rate. A bonus may be applied for different instances within the trusted domain list only, not for other instances of vulnerable content on yimg.com.
2. If you show execution in the context of *.yimg.com only, the vulnerability MAY be accepted by the business owner in some instances. In that case, a minimum bounty would be offered only if the content is removed. There are no "same bug different host" or other vulnerability-grouping bonus offers for this asset.