January 14, 2021

New Year, New Scope!

Note: Verizon Media is now known as Yahoo.


Welcome to 2021, we are so happy to be here. In a previous message we promised that we would have some new scope for you all to look at in our public bug bounty program. The time has come, today is that day!

In line with our past strategy of featuring certain products or features during live hacking events, and then releasing them into scope for our public program, please review the changes to our program policy to make sure that you know exactly what has changed. This post should just serve you as a guide for what to look for.

New Assets

These assets were featured during H1-2010 (Qualifier and Final) and, just like many of our others, have some third party components to them and other bits and bobs that are out of scope for awards.  Please make sure you review our Policy page for further details. 


AOL Homepage


AOL Search


AOL Help


Yahoo Elections

This was implicitly included, but will now be separated as an explicit item. These pages most likely won’t have much that is interesting until the next US election cycle begins.


Media Platform Marketing Website


Media Platforms Engineering Blog


Flash - It’s gone

This makes up such a small market share to begin with, and most of the reports we have seen are not even really issues with our code so they haven’t earned awards. Flash has been officially end-of-lifed as of December 31, 2020. Starting January 1, 2021 our program will not award bounties for bugs related to Flash any longer. This aligns with our practices of (1) not awarding for bugs in third party code and (2) requiring proof of concepts to function within common operating environments. We think your time (and our money) is better spent finding other bugs that might be out there. Flash has been moved to the Out of Scope section of our policy.


That’s all for now. We will have more exciting news in the near future.