August 15, 2019

Scope Release Event 2

Note: Verizon Media is now known as Yahoo.

New Release Event 2

Hackers,

We had an absolute blast all week long in Las Vegas at BSides, BlackHat, DefCon and of course H1-702. If you were in town and came to the Paranoids party at Mansion 54, make sure to give us a shout @theparanoids and send us your resume if you are interested in a job that is posted on our job listings website.

At H1-702 we set the event scope to cover *.yahoo.com which was pretty daunting for a lot of folks because of the sheer size and scale of what is included there. Those that weren’t scared by the size told us that they were a bit disappointed because “Yahoo has had a bug bounty program for 6 years, so all the bugs have probably already been found”. If you saw the leaderboard then you would know that is clearly not the case!

But why? Simple my dear Watson: We are still developing these products. All of them. Every day. Every week. Every month. New features, new products, new subscriptions, new services, usability bug fixes, and of course - security bug fixes.

All this new development means that the thing you looked at 6 years ago, 6 months ago, or maybe even 6 weeks ago, is probably different from when you last looked. You bring new skills from your experience in between, new tools you learned and wrote, and just a fresh set of eyes connected to that brilliant brain of yours. Come hack away. We paid out over $1,000,000 for the bugs we received at H1-702. Almost all of that was on *.yahoo.com.

That wasn’t all we included in H1-702 scope though, which brings us to what this message is all about...

The Huffington Post is coming to our public program!

Let’s keep this party going with more hacking on The Huffington Post.

Phase 1: Scope Release Announcement & Dupe Period

  • Begin your recon and testing!
  • New assets will be listed on the program page in the Scope section.
  • Start submitting reports to us and make sure to use the new assets.
  • All reports submitted during this period will be deduplicated against each other; any bounties will be evenly split among all reports for the same vulnerability.
  • All duplicated reports during this phase will receive full credit when ranked at the end of this cycle.

Reminders

  1. Register accounts (self-service) using your <username>@wearehackerone.com addresses.
  2. Make sure to add the X-Bug-Bounty: hackerone-<username> header to your traffic.

In Scope

  • *.huffingtonpost.com
  • *.huffpost.com
  • *.huffpost.net
  • *.huffingtonpost.co.uk
  • *.huffingtonpost.ca
  • *.huffingtonpost.es
  • *.huffingtonpost.fr
  • *.huffingtonpost.gr
  • *.huffingtonpost.in
  • *.huffingtonpost.it
  • *.huffingtonpost.jp
  • *.huffingtonpost.kr
  • *.huffingtonpost.com.au
  • *.huffingtonpost.co.za
  • *.huffpostbrasil.com
  • *.huffpostmaghreb.com
  • *.huffpost.co.uk
  • *.huffpost.ca
  • *.huffpost.es
  • *.huffpost.fr
  • *.huffpost.gr
  • *.huffpost.in
  • *.huffpost.it
  • *.huffpost.jp
  • *.huffpost.kr
  • *.huffpost.com.au
  • *.huffpost.co.za
  • *.huffingtonpost.de (decommissioned edition)
  • *.huffingtonpost.com.mx (decommissioned edition)
  • *.huffpost.de (decommissioned edition)
  • *.huffpost.com.mx (decommissioned edition)
  • *.huffpostarabi.com (decommissioned edition)
  • *.huffpo.net (anything here will likely also exist on some other domain, with very few exceptions)

Notes

  • Mobile apps and APIs are included.
  • HuffPost Plus (no reimbursement will be provided)
  • Any accounts you need will be self-service signup.

Out of Scope

  • DO NOT use/select/test “Emergency” on the support forms. This will earn you a strike.
  • news.huffingtonpost.com (3rd party, CampaignMonitor)
  • coupons.huffpost.com (3rd party, Groupon)
  • huffpost.atlassian.net (3rd party, Atlassian)
  • huffpoststuff.com (3rd party, StackCommerce)
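As an added example (not part of the Paranoids' announcement), a small scope checker that encodes the wildcard in-scope entries and the third-party exclusions above, with exclusions taking precedence over a matching wildcard, so a host like news.huffingtonpost.com is flagged before anyone tests it. The in-scope list below is only a subset of the domains listed, and treating the apex domain as covered by its `*.` wildcard is an assumption.

```python
from urllib.parse import urlsplit

# Subset of the in-scope wildcards from the announcement (constructed list).
IN_SCOPE = (
    "*.huffingtonpost.com", "*.huffpost.com", "*.huffpost.net",
    "*.huffingtonpost.co.uk", "*.huffpost.co.uk", "*.huffpo.net",
)
# Third-party hosts the announcement explicitly excludes.
OUT_OF_SCOPE = (
    "news.huffingtonpost.com", "coupons.huffpost.com",
    "huffpost.atlassian.net", "huffpoststuff.com",
)


def host_matches(host: str, pattern: str) -> bool:
    """True if host is covered by pattern ("*.example.com" or an exact host).

    Matching is done on label boundaries, so "evil-huffpost.com" does NOT
    match "*.huffpost.com". Assumption: the apex ("huffpost.com") counts as
    covered by "*.huffpost.com".
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def classify(target: str) -> str:
    """Classify a URL or bare hostname as in-scope, out-of-scope or unlisted.

    Exclusions are checked first: an out-of-scope host must not be tested
    even though it also sits under an in-scope wildcard.
    """
    host = urlsplit(target if "//" in target else "//" + target).hostname or ""
    if any(host_matches(host, p) for p in OUT_OF_SCOPE):
        return "out-of-scope"
    if any(host_matches(host, p) for p in IN_SCOPE):
        return "in-scope"
    return "unlisted"


if __name__ == "__main__":
    for t in ("https://www.huffpost.com/entry/x", "news.huffingtonpost.com",
              "evil-huffpost.com", "HUFFPOST.COM."):
        print(f"{t:40} -> {classify(t)}")
```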

For a quick refresher on our Scope Release Event design, please see the update from July 1 titled "Hack in the Saddle Again! New Scope Release Event Coming Soon".

This phase will end on August 23.

Happy Hacking,

The Paranoids