Description

Welcome to Yahoo. Yahoo is a global media and advertising company connecting people to their passions. With one of the largest online audiences in the world, Yahoo brings people closer to what they love, from finance and commerce to gaming and news, with the trusted products, content, and tech that fuel their day. For partners, we provide a full-stack platform to amplify businesses and drive more meaningful connections across advertising, search, and media.

Bounties
Severity | Score range | Tier 2 min. | Tier 2 max.
Low | 0.1 - 3.9 | $100 | $500
Medium | 4.0 - 6.9 | $500 | $3,000
High | 7.0 - 8.9 | $3,000 | $10,000
Critical | 9.0 - 9.4 | $10,000 | $12,500
Exceptional | 9.5 - 10.0 | $12,500 | $15,000

Tier 2: $100 - $15,000
Rules of engagement
Required
Not applicable
max. 50 requests/sec
See table below

By participating in this program, you agree to:

  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Respect the scope of the program
  • Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)

By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.

Program Rules
Violation of any of these rules may result in ineligibility for a bounty and/or removal from the program. Three strikes will earn you a temporary ban. Four strikes means a permanent ban.

  1. Use your own Accounts: Test vulnerabilities only against accounts that you own or accounts that you have written permission from the account holder to test against.

  2. Do not pivot: Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.

  3. Respect the Users: If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to Yahoo and may not be retained. To ensure you are fully protected under the 'Safe Harbor', you may only use potentially-sensitive data to validate your finding, report it to us and to verify if the applied fix is effective.

  4. Respect the Company: Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to Yahoo, its brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees, or Yahoo as a whole.

  5. Follow the Scope: Abide by the program scope. Only reports submitted to this program and against assets in scope will be eligible for monetary award.

  6. Get written permission before disclosure: Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized Yahoo or our authorized Bug Bounty Platform employees), or otherwise share vulnerabilities with a third party, without Yahoo’s express written permission.

Legal Terms

In connection with your participation in this program you agree to comply with Yahoo’s Terms of Service, Yahoo’s Privacy Policy, and all applicable laws and regulations, including any laws or regulations governing privacy or the lawful processing of data.

Yahoo reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).

Yahoo does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Yahoo users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Yahoo in order to extract and publicly disclose data belonging to Yahoo.

Yahoo employees (including former employees that separated from Yahoo within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Yahoo programs, whether hosted by Yahoo or any third party.

Safe Harbor

Yahoo will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.

You are expected, as always, to comply with all applicable laws and regulations.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this Policy.

Responsible Disclosure of Vulnerabilities

We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.

Please review the program scope before submitting a report.

Testing

Web traffic to and from Yahoo properties produces petabytes of data every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal traffic and from malicious actors out in the world. Please do the following when participating in Yahoo bug bounty programs:

● Where possible, register accounts using your <username>+x@intigriti.me addresses. Some of our properties may require this to be eligible for a bounty.
● Provide your IP address(es) in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
● Limit your requests to 50 requests per second unless otherwise specified in the Scope. Exceeding this rate may result in your traffic becoming blocked.
● Include custom header(s) in all your traffic. Burp Suite, other proxies, and most popular bug hunting tools allow the easy, automatic addition of headers to all outbound requests. State the header you set in your report so we can identify your traffic easily. This information may be required for the report to be eligible for a bounty.

Identifier | Format | Example
Your Username | X-Bug-Bounty: Intigriti-<username> | X-Bug-Bounty: Intigriti-zom_snack
Unique Identifier | X-Bug-Bounty: ID-<sha256-flag> | X-Bug-Bounty: ID-b6e291d693049dad7415e8e0e1d98889607fb15929d4ec11c6c5a0f4f745d70e
Event Identifier | X-Bug-Bounty: LiveHackingEvent-<eventid> | X-Bug-Bounty: LiveHackingEvent-1337UP0822
Tool Identifier | X-Bug-Bounty: <toolname> | X-Bug-Bounty: BurpSuitePro
Verbose Tool Identifier | X-Bug-Bounty: <toolname>-version-<version> | X-Bug-Bounty: BurpSuitePro-version-2020.1
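To make the identification and rate-limit guidance above concrete, here is an added example in Python (not Yahoo's or Intigriti's tooling). It builds an X-Bug-Bounty header from the identifiers in the table, generates the SHA-256 flag for the Unique Identifier row, installs the header on a urllib opener, and meters requests through a token bucket so the 50 requests/second ceiling (or the < 10/second asked for on the Membership and Yahoo Calendar assets) is never exceeded. Putting several identifiers into one comma-separated header value is this example's own choice, since the table shows one identifier per header and urllib keeps only one header per name; the username, tool and version are placeholders.

```python
"""Identify your test traffic and stay under the program's request ceiling.

Added example, not Yahoo's or Intigriti's tooling. Header name and identifier
formats come from the table above. Joining several identifiers into one
comma-separated X-Bug-Bounty value is this example's choice: the table shows
one identifier per header, and urllib keeps only one header per name. The token
bucket and urllib wiring are this example's design; username, tool and version
are placeholders.
"""
import hashlib
import os
import time
import urllib.request

PROGRAM_RATE_LIMIT = 50  # requests/second from the Testing section
STRICT_RATE_LIMIT = 9    # Membership and Yahoo Calendar assets ask for < 10/s


def new_flag():
    """Random per-engagement flag for the ID-<sha256-flag> identifier."""
    return hashlib.sha256(os.urandom(32)).hexdigest()


def bug_bounty_header(username, tool, version=None, event_id=None, flag=None):
    """Return the ("X-Bug-Bounty", value) pair carrying the chosen identifiers."""
    if not username or any(c.isspace() for c in username):
        raise ValueError("username must be a single token")
    parts = [f"Intigriti-{username}"]
    if flag is not None:
        if len(flag) != 64 or set(flag) - set("0123456789abcdef"):
            raise ValueError("flag must be a lowercase hex SHA-256 digest")
        parts.append(f"ID-{flag}")
    if event_id:
        parts.append(f"LiveHackingEvent-{event_id}")
    parts.append(f"{tool}-version-{version}" if version else tool)
    return ("X-Bug-Bounty", ", ".join(parts))


class TokenBucket:
    """Lets at most `rate` requests per second through, with a one-second burst.

    `clock` and `sleep` are injectable so the limiter can be exercised without
    real waiting (see the dry run below).
    """

    def __init__(self, rate, clock=time.monotonic, sleep=time.sleep):
        if rate <= 0:
            raise ValueError("rate must be positive")
        self.rate = float(rate)
        self.capacity = float(rate)
        self.tokens = self.capacity
        self.clock, self.sleep = clock, sleep
        self.last = clock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Block until one request may go out; return the seconds waited."""
        self._refill()
        waited = 0.0
        if self.tokens < 1:
            waited = (1 - self.tokens) / self.rate  # time until one token exists
            self.sleep(waited)
            self._refill()
        self.tokens -= 1
        return waited


def build_opener(headers):
    """urllib opener that adds `headers` to every request it opens."""
    opener = urllib.request.build_opener()
    opener.addheaders.extend(headers)  # keeps urllib's default User-Agent
    return opener


if __name__ == "__main__":
    header = bug_bounty_header("your_username", "BurpSuitePro", "2024.1", flag=new_flag())
    opener = build_opener([header])  # then, per request: bucket.acquire(); opener.open(url)
    print(header)

    class FakeClock:  # dry run: 60 requests through a 50/s bucket, no real sleeping
        t = 0.0
        def now(self):
            return self.t
        def sleep(self, s):
            self.t += s

    clk = FakeClock()
    bucket = TokenBucket(PROGRAM_RATE_LIMIT, clock=clk.now, sleep=clk.sleep)
    waits = [bucket.acquire() for _ in range(60)]
    print(f"60 requests: {sum(1 for w in waits if w)} waited, "
          f"{clk.t:.2f}s simulated wall time")
```

In Burp Suite the same header can be added with a Proxy match-and-replace rule; the token bucket is the part most tools lack, and driving it with a fake clock lets you confirm it never exceeds the ceiling before pointing it at a target.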

When testing for a bug, please also keep in mind:

● When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:
○ Read: cat /proc/1/maps
○ Write: touch /root/<your Intigriti username>
○ Execute: id, hostname, pwd (though, technically cat and touch also prove execution)
● Before potentially causing damage: Stop, report what you've found and request additional testing permission.
● Minimize the mayhem. Adhere to program rules at all times.

Crafting a Report

If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

● Description of the vulnerability
● Steps to reproduce the reported vulnerability
● Proof of exploitability (e.g. screenshot, video)
● Perceived impact to another user or the organization
● Proposed CVSSv3.1 Vector & Score (without environmental and temporal modifiers)
● List of URLs and affected parameters
● Other vulnerable URLs, additional payloads, Proof-of-Concept code
● Browser, OS and/or app version used during testing
Note: Failure to adhere to these minimum requirements may result in no bounty.

All supporting evidence and other attachments must be stored only within the report you submit. Attach all evidence to the report through the Platform. You may NEVER host any files on external services (YouTube, Dropbox, S3 buckets, self-hosted, etc.).

Ceasefire Conditions

Hackers participating in the Yahoo Bug Bounty program may find bugs that require special handling and/or an immediate halt to testing. In these instances, the team will post a message to the primary report related to the identified issue or issue class stating that a Ceasefire is now in effect. A Ceasefire creates a time-bound fix window that allows our engineers to analyze, understand, and address the issue at scale. During this period, Hackers may not continue working on or with the bugs that prompted the halt of testing.

Each Ceasefire will include a blackout period during which additional reports will not be accepted by the program. This period is typically 90 days, depending on the severity of the finding.

Achieving a Ceasefire Condition will result in a bonus to your report. Yahoo does not publish a list of past or current Ceasefire Conditions.

Program Scope

Wherever possible, vulnerabilities should be reported under the correct, in-scope “Asset”. Please see our detailed scope list at the bottom of this page for a full list of assets that are in scope of this program. This list is subject to change without notice.

If you’ve found a vulnerability that affects a Yahoo asset which is not listed as in-scope, please report it to this program; your finding may be eligible for a bounty.

Rewards

You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Yahoo. Rewards may range from Reputation Points and/or swag to monetary rewards up to $15,000 USD. Providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Yahoo may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty may be warranted for reports that require specific browser configurations. Reports in third party software may not be eligible for bounties; Products or sites developed on behalf of Yahoo may qualify for a 50% bounty. (See scope section for more details)

Bounties and bonuses are granted entirely at the discretion of Yahoo.

Domains

*ensemble*.yahoo.com

Tier 2
Wildcard

*omega*.yahoo.com

Tier 2
Wildcard

7 News

Tier 2
Other

AOL (misc)

Tier 2
Other

In Scope

  • *.aol.com

Notes

Only use this asset when nothing else can be reasonably selected.

Bugs with AOL that are not listed in scope of our other AOL-related assets can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

Out of Scope

  • *nat.aol.com
  • *.ipt.aol.com

AOL Help

Tier 2
Other

In Scope

  • help.aol.com
  • assistance.aol.fr
  • help.aol.co.uk
  • hilfe.aol.de

Notes

Any bugs found in non-production environments will not be eligible for the Same Bug Different Host bonus if the issue also exists in production.

Out of Scope

  • assist.aol.com (2nd party service)
  • helpisp.netscape.com
  • helpconnect.netscape.com
  • help.compuserve.com

AOL Homepage

Tier 2
Other

In Scope

Notes

  • OOS Exception: 3rd party components that affect aol.com (e.g. XSS executes in AOL.com domain resulting from abuse of TravelZoo module on Travel page)

Out of Scope

First Party Things:

  • https://ottr.video.yahoo.com/v1/video-exp/schedule
  • https://s.yimg.com/rb/screwdriver/ctv/ve-module/builds/prod/aol/dist/vem.js

Second Party Things:

  • DataMask by AOL (White Label app)
  • AOL OnePoint (White Label app)
  • Private WiFi by AOL (White Label app)
  • AOL Games (White Label app)

Third Party Things:

  • 3rd Party Ad Integration (Third Party, Taboola)
  • Popular in the Community, More Conversations for You, Commenting on articles (and more) (Third Party, OpenWeb)
  • spot.im (Third Party, OpenWeb)
  • Individual AOL Games pages are rendered by us, but we iFrame in the Masque game URLs. (Third Party, Masque)
  • games.com, fungames.aol.com & fungames.com (Third Party, Masque)
  • Comparecards.aol.com is CNAME'd to our own ATS cluster, which forward maps requests to the comparecards CloudFront distribution. (Third Party, CompareCards)
  • JS widget on the AOL.com homepage providing news stories. (Third Party, Zergnet)
  • Server-side rendered module on aol.com/real-estate; data comes from the Zillow API. (Third Party, Zillow)
  • Server-side rendered module on www.aol.com/travel; data comes from the TravelZoo API. (Third Party, Travel Zoo)
  • rezserver.com (Third Party, Travel Zoo)

AOL Mail

Tier 2
Other

In Scope

Notes

  • oidc.mail.aol.com (Hosted by Mail, but belongs to Membership)

Out of Scope

  • mail.aol.com/calsvc
  • AOL Desktop Gold
  • apis.mail.aol.com
  • test-apis.mail.aol.com
  • *.aolmail.com
  • mail.aol.com/classicab
  • mail.aol.com/getmydata
  • mail.aol.com/ws
  • *.aol.com

AOL Search

Tier 2
Other

In Scope

  • search.aol.ca
  • search.aol.co.uk
  • search.aol.com
  • recherche.aol.fr
  • suche.aol.de

Notes

Any bugs found in non-production environments will not be eligible for the Same Bug Different Host bonus if the issue also exists in production.

Engadget

Tier 2
Other

In Scope

  • APIs
  • *.engadget.com

Notes

  • Separate reports for the same or similar payload/issue against multiple international editions will be marked as duplicates and paid only once for Engadget international editions.

Out of Scope

  • *.spot.im (3rd party, Spot.IM)
  • *.cn.engadget.com (Engadget International Edition)
  • *.chinese.engadget.com (Engadget International Edition)
  • *.japanese.engadget.com (Engadget International Edition)
  • jobs.engadget.com (3rd party, Jobboard.io)

Gemini

Tier 2
Other
  • *.gemini.yahoo.com
  • *.admanager.yahoo.com
  • monetization.flurry.com

Low Cost Access

Tier 2
Other

In Scope

Other places to look

Out of Scope

  • Subdomains of wmconnect.com outside of www

Notes

  • These services are designed for delivery through slow internet connections.
  • Registration for these services has been disabled.
  • Help-related pages/domains should be reported to the AOL Help asset.

Membership

Tier 2
Other

In Scope

Some documentation that may help:
https://developer.yahoo.com/oauth2/guide/
Specific paths to target:
For login.*.com

  • /account/logout
  • /auth/2.0/credentials
  • /auth/1.0/
  • /saml2/
  • /account
  • /oauth2
  • /ylc
  • /account/challenges
  • /account/access
  • /oauth2/device_auth
  • /ctv
  • /activate
  • /forgot

For api.login.*.com

  • /api
  • /oauth2/get_token
  • /oauth2/web_session
  • /oauth2/device_sessions
  • /oauth2/device_authorization
  • /oauth2/device_auth
  • /oauth2/revoke
  • /oauth2/introspect

Out of Scope

  • Any rate limits for authentication attempts.
  • Any differentiated treatment based on account, browser, IP address etc.

Limits

  • Limit traffic against our services to < 10/second when probing or testing.

Online Marketplace

Tier 2
Other

Online Marketplace (MyAccount) supports many AOL properties and can be accessed by a variety of CNAME records.

  • billupdate.aol.com
  • myaccount.aol.com
  • myservices.aol.com
  • payments.aol.com
  • mybenefits.aol.com
  • cancel.aol.com
  • bill.aol.com

Please consolidate your reports.
Note: Reporting the same issue separately for multiple CNAMEs will result in reports being marked as Duplicate at best.

Other (Misc)

Tier 2
Other

Only use this asset when nothing else can be reasonably selected.

Bugs with Yahoo products that are not listed in scope of our Public Program can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

Use this asset for:

  • *.oath.cloud
  • *.yahoo.cloud

Social Media Accounts

Tier 2
Other

Requirements

  • Account in question has posted content within 365 days of report submission
  • Account in question is related to a company, brand, or product
  • Exposed (valid/functional/active) credentials that allow login to an account

In Scope

  • Bounty: Must meet all Requirements above
  • Reputation: Meets at least one of the Requirements above
  • Note: “Account in question” means the account you are reporting as "vulnerable."

Out of Scope

  • Account in question is related to an individual (employee, freelancer or otherwise)
  • Brute forcing account credentials

Techcrunch

Tier 2
Other

In Scope

  • *.techcrunch.com
  • Custom endpoints: https://techcrunch.com/wp-json/tc/v1/* -- These are custom endpoints that use the WordPress architecture and output methods but modified for our uses with custom data.
  • Custom mobile endpoints: https://techcrunch.com/wp-json/tc/mobile/v2/* -- These are the endpoints that are used by the mobile apps to retrieve posts for the apps.
  • Default WordPress: https://techcrunch.com/wp-json/wp/v2/* -- We also leverage most of WordPress' out of the box endpoints with added custom data to augment the output.

Out of Scope

  • *.crunchbase.com (3rd party, Crunchbase)
  • *.tc-appunite.herokuapp.com (3rd party, Heroku now closed)
  • *.parsely.com (3rd party, Parse.ly)
  • *.swiftype.com (3rd party, Swiftype now closed)
  • *.marketo.com (3rd party, Marketo)
  • *.urbanairship.com (3rd party, Urban Airship)
  • *.sailthru.com (3rd party, Sailthru)
  • *.spot.im (3rd party, Spot.IM)
  • *.tcdisrupt.com (3rd party, App)
  • *.bit.ly (3rd party, Bit.ly)
  • *.thomsonreuters.com (3rd party, Open Calais)
  • *.tinypass.com (3rd party, Piano/Tinypass)

TW eCommerce: Auctions

Tier 2
Other

In Scope

Notes

  • Access to the Taiwan sites from some countries in Europe may be blocked.
  • Buyer accounts can be set up for any Yahoo user.
  • Seller accounts require a TW phone number and 2FA.
  • Do not use fake data (like nid) when operating the cash functions; it may cause real money to get stuck, and we will hold you accountable for broken workflows.
  • You are required to clean up all the testing data related to posting new products.
  • You must include the following “test” label in ALL posts (in the most visible location) to prevent regular users from interacting with hacker-created content: [PARANOIDS-勿下標][TEST]
    -- Any reports identified that are missing this label, will not receive a bounty.

Out of Scope

  • *.yahoo.com.tw
  • ismarus-ap-94600.tw.juiker.net
  • *.tw.juiker.net
  • auth.tw.juiker.net/oauth2/getUserTokenByTurnkey
  • *.straas.net
  • iOS: JuikerIMSDK.framework, StraaS-iOS-SDK
  • Android: io.straas.android.sdk
  • ecfme.famiport.com.tw (Third Party)

TW eCommerce: Shopping

Tier 2
Other

In Scope

Out of Scope

  • *.yahoo.com.tw
  • iOS: TPDirect.framework
  • Android: tech.cherri.tpdirect.api

TW eCommerce: Used Car

Tier 2
Other

In Scope

  • tw.usedcar.yahoo.com

Notes

Refer to the Notes section in the TW eCommerce: Auctions listing.

Out of Scope

  • *.yahoo.com.tw
  • autos.yahoo.com.tw
  • tw.serviceplus.yahoo.com

TW Media: Front Page

Tier 2
Other

In Scope

Out of Scope

  • *.yahoo.com.tw

TW Media: News

Tier 2
Other

In Scope

Out of Scope

  • news.campaign.yahoo.com.tw
  • *.yahoo.com.tw

TW Media: Stock

Tier 2
Other

In Scope

Notes

  • stock.yahoo.com and finance.yahoo.com are identical; Reports will NOT be credited same-bug-different-host bonuses when issues are found on both domains.
  • TW Stock Apps depend heavily on third-party SDK(s) for real-time market quote data. Every page showing values (volume, prices, up/down flag, ...) for indexes, tickers, ETFs and so on, as well as ticker information, line charts and notification settings, gets its data from the SDK. The connection to the SDK service is established when the app launches and lasts for the app's whole lifetime. These SDK service(s) are out of scope.

Out of Scope

  • *.yahoo.com.tw
  • tw.finance.yahoo.com
  • Quote SDK (from Systex inc.)

Yahoo Calendar

Tier 2
Other

In Scope

  • *.calendar.yahoo.com
  • *.caldav.calendar.yahoo.com

Specific paths to look at:

Limits

Limit traffic against our services to < 10/second when probing or testing.

Yahoo Finance

Tier 2
Other

Yahoo HK News

Tier 2
Other

Yahoo Mail

Tier 2
Other

In Scope

Out of Scope

  • mail.yahoo.com/cal/ (this is the same as calendar.yahoo.com and should be reported as Yahoo Calendar)

Yahoo News

Tier 2
Other

Yahoo Open Source Projects

Tier 2
Other

Select open source projects are now eligible for bounties.
The rest of our open source projects are technically in scope, but at a reduced rate for the time being.

Yahoo Search

Tier 2
Other

Yahoo Sports: Best Ball

Tier 2
Other

Yahoo Sports: Daily Fantasy

Tier 2
Other

Yahoo Sports: Editorial

Tier 2
Other

In Scope

Out of scope

  • shop.yahoosports.com (Third party)

Yahoo Sports: Fantasy Games

Tier 2
Other

In Scope

Out of Scope

  • *.sendbird.com (Third Party, SendBird)

Yahoo Sports: Fantasy Slate/PicknWin

Tier 2
Other

Yahoo Sports: Fantasy Sports

Tier 2
Other

In Scope

Notes

The betting feature in Fantasy is provided by a third party, BetMGM. https://sports.yahoo.com/odds/ is the page that redirects the user to BetMGM; it is geographically restricted.

Yahoo Sports: Fantasy Wallet

Tier 2
Other

Yahoo Sports: Mobile

Tier 2
Other

In Scope

Yahoo Sports: Rivals

Tier 2
Other

In Scope

Notes

All testing against rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.

Out of Scope

  • *.rivalsfanstore.com (3rd party, Fanatics Inc.)
  • *.rivalscamps.com (3rd party)
  • *.rivalscampseries.com (3rd party)
  • Rivals iOS

Yahoo Sports: Rivals Forums

Tier 2
Other

In Scope

  • *.forums.rivals.com

Notes

  • All testing against rivals is to be MANUAL only. ZERO automated tools are allowed. This notice is your warning.
  • This is third party software and will be awarded at a 50% bounty rate.
  • Reports on this asset will not be eligible for bonuses.

Yahoo Video

Tier 2
Other

Yahoo Weather

Tier 2
Other

Yahoo! (Misc)

Tier 2
Other

Notes

Only use this asset when nothing else can be reasonably selected.

Bugs with Yahoo! that are not listed in scope of our other Yahoo-related assets can still be submitted to this asset and might be eligible for award, at the sole discretion of the Yahoo Bug Bounty team.

yimg

Tier 2
URL

yimg is a resource storage and content distribution network (CDN).

Note: Reports submitted that exploit bugs only in the context of the yimg.com domain are most likely to be closed as Informative. Most bugs in *.yimg.com will require a proof-of-concept or proof-of-exploit that escalates into one of the primary brand or product domains (e.g. yahoo.com or aol.com) to be eligible for bounty. CVSS Environmental scores have been set to account for this limitation.

What does that mean for my report?

  1. If you show escalation into a trusted domain's context (such as yahoo.com) it will be accepted at 100% bounty rate. A bonus may be applied for different instances within the trusted domain list only; not for other instances of the vulnerability in content on yimg.com.
  2. If you show execution in the context of *.yimg.com only, the vulnerability MAY be accepted by the business owner in some instances. In that case, a minimum bounty would be offered only if the content is removed. There are no "same bug different host" or other vulnerability grouping bonus offers for this asset.

Flurry

Out of scope
Other

TW eCommerce: Store

Out of scope
Other

In Scope

Out of Scope

  • *.yahoo.com.tw

We are Paranoid

Our information security team is known as the Paranoids, and we’re committed to protecting our brands and our users. As part of this commitment, we invite security researchers to help protect Yahoo and its users by proactively identifying security vulnerabilities via our bug bounty program. Our program is inclusive of all Yahoo brands and offers competitive rewards for a wide array of vulnerabilities. We encourage security researchers looking to participate in our bug bounty program to review our policy to ensure compliance with our rules and also to help you safely verify any vulnerabilities you may uncover.

Full Bounty Table

Low | Medium | High | Critical
$100 - $500 | $500 - $3,000 | $3,000 - $10,000 | $10,000 - $15,000

Click here to discover how we lead the way in crowd-sourced security

Review our Github Repository here

Check out our last Intigriti Live Hacking Event here

Feedback
If you would like to help us improve our program or have feedback to share, please send your anonymous feedback here:
Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

Out of scope

The following issues are considered out of scope:

● Assets that resolve to third-party services
● Issues that do not affect the latest version of modern browsers
● Issues that we are already aware of or have been previously reported
● Issues that require unlikely user interaction
● Disclosure of information that does not present a significant risk
● CSV injection without security impact

List of Domains and Products not in scope for the Bug Bounty program

  • Yahoo Cricket and related assets
  • Yahoo Operated WordPress blogs
  • The Factual and related domains
  • Wagr.com and related domains
  • CommonStock and related domains
  • Artifact.news and related domains
  • *.yahoo.net
  • *.yahoo.com.tw
  • *.yahoo.com.hk
  • *.aolpublishers.com
  • *.vdms.com
  • *.verizondigitalmedia.com
  • files.molo.ch
  • *.yahooinc.com
  • *.aolcdn.com

SSP Advertising Platforms

These products (listed domains) and any related domains are NOT eligible for bounty or reputation

  • CRS - crs-prd.aws.oath.cloud
  • Deals UI - deals.o2.verizonmedia.com
  • O2 - adaptv.advertising.com
  • OneAdServer - console.oneadserver.aol.com
  • OneAPI - oneapi.aol.com
  • OneCreative - onecreative.aol.com
  • OneInsights - alephd.com
  • OneMobile - onemobile.aol.com
  • OneReporting - vidible.tv
  • OneVideo - onevideo.aol.com
  • SSP - ssp.verizonmedia.com
  • SSP External API - ext.api.ssp.aol.com
  • Store - store.vzbuilders.com, sales.oath.com

List of products and companies which were previously owned but have been shut down or sold and are not in scope of Yahoo.

  • Aabaco Small Business (YSB) and related assets
  • About.me
  • EdgeCast
  • Flickr
  • Go90
  • Huffington Post (Huffpost)
  • IDS
  • MapQuest
  • Media Group One
  • MovieFone
  • Movies Hong Kong
  • Oath: Impact
  • Onwander
  • Patch Media
  • PawNation
  • Polyvore
  • Shoutcast
  • Style Me Pretty
  • Tumblr
  • Uplynk
  • Volicloud
  • Volicon
  • Winamp
  • Yahoo Answers
  • Yahoo Groups
  • Yahoo Japan
  • Yahoo Messenger
  • Yahoo Play
  • Yahoo Small Business
  • Yahoo Together (Squirrel)
  • Yahoo TW eSports

Severity assessment

Valued Vulnerabilities

All reports will be awarded based on the Common Weakness Enumeration classification. This table provides the CWEs that we will accept, the severity ranges we will classify reports within for the CWE, and some examples of common vulnerability and attack names that we classify within each CWE that we will accept. This table serves only as a guide and the severity classification of a particular vulnerability will be determined by Yahoo at its sole discretion.

Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.

Severity (low) | Severity (high) | CWE-ID | Common Weakness Enumeration | Bug Examples
None | Medium | CWE-16 | Misconfiguration | Brand and Non-Brand Subdomain Takeover (SDTO); Dangling CNAME Takeover; DNS Zone Takeover; Social Media Takeover (Brand, <12mo, w/creds); Social Media (w/o creds)
Informative | Medium | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory | Path Traversal
Critical | Critical | CWE-78 | OS Command Injection | Code Injection; LDAP Injection; Remote Code Execution
Low | Medium | CWE-79 | Cross-Site Scripting |
High | Critical | CWE-89 | SQL Injection | SQL Injection
Critical | Critical | CWE-91 | XML Injection | XML Injection
Medium | Medium | CWE-93 | CRLF Injection | CRLF Injection
Critical | Critical | CWE-120 | Classic Buffer Overflow | Buffer Overflow
High | Critical | CWE-134 | Uncontrolled Format String | Insecure Deserialization
Medium | Critical | CWE-138 | Improper Neutralization of Special Elements | Path Normalization
Low | High | CWE-200 | Information Exposure | Credentials on GitHub; Confidential Information Exposure
Low | Low | CWE-203 | Information Exposure Through Discrepancy | PHP Admin Information page; MySQL Information page (w/ credentials); Apache Status page
Medium | Critical | CWE-250 | Execution with Unnecessary Privileges | Privilege Escalation to System Account
Low | Critical | CWE-284 | Improper Access Control | Horizontal and Vertical Privilege Escalation; IDOR
Medium | Critical | CWE-287 | Improper Authentication | Lack of Authentication
Low | Low | CWE-304 | Missing Critical Step in Authentication | T2 Login Page exposed
Medium | High | CWE-306 | Missing Authentication for Critical Function | Exposed Administrative Interface
Medium | High | CWE-352 | Cross-Site Request Forgery | State-Changing CSRF
Informative | Informative | CWE-359 | Privacy Violation | Privacy Violation
Medium | High | CWE-434 | Unrestricted Upload of File with Dangerous Type | Unfiltered File Upload
Medium | High | CWE-444 | Inconsistent Interpretation of HTTP Requests | HTTP Request Smuggling
Medium | Medium | CWE-494 | Download of Code Without Integrity Check | Download code from untrusted location
Low | Low | CWE-601 | Open Redirect | Open Redirect
Critical | Critical | CWE-611 | Improper Restriction of XML External Entity Reference | XXE
Low | High | CWE-798 | Use of Hard-coded Credentials | Hard-coded Credentials
Informative | High | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Server Side Includes Injection; Local File Inclusion; Host Dependency Confusion
Medium | High | CWE-862 | Missing Authorization |
Informative | High | CWE-863 | Incorrect Authorization | Authorization Bypass
Medium | Critical | CWE-918 | Server-Side Request Forgery | Blind, Semi-restricted, Unrestricted SSRF

Borderline Out-of-Scope, No Bounty

These issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as Informative if found to be valid or Spam if found to be not valid. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

  • Any non-Yahoo Applications
  • Confidential Information Leakage
  • Intentionally Open Redirects
  • SSL/TLS Best Practices
  • Social Engineering attacks
  • Autocomplete attribute on web forms
  • Issues related to networking protocols
  • Verbose error pages (without proof of exploitability)
  • Account/email Enumeration
  • "Self" XSS
  • Clickjacking/UI Redressing
  • Missing cookie flags
  • Incomplete/Missing SPF/DKIM
  • Results of automated scanners
  • Using unreported vulnerabilities
  • Flash-related bugs
  • Denial of Service attacks
  • Missing Security HTTP Headers (without proof of exploitability)
  • Missing Security Best Practices
  • Use of known-vulnerable library (without proof of exploitability)
  • Reflected file download
  • Physical attacks
  • Login/Logout/Unauthenticated CSRF
  • "Self" exploitation
  • Software Version Disclosure
  • Yahoo software that is End of Life or no longer supported
  • Internal pivoting, scanning, exploiting, or exfiltrating data

Note: 0-day and other CVE vulnerabilities may be reported 30 days after initial publication (CVE List Status of Published). We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.

Special Situations

Some situations exist that may earn partial bounties or bonuses on top of a base bounty per report. Here are a few of the most common examples:

Same Bug, Different Host
For each report, please allow Yahoo sufficient time to patch other host instances. If you find the same bug on a different (unique) host, prior to the report reaching a triaged state, file it within the existing report to receive an additional 5% bonus (per host, not domain). Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.

Same Bug, Different Path
For each report, please allow Yahoo sufficient time to patch related paths. If you find the same bug on a different (unique) path, prior to the report reaching a triaged state, file it within the existing report to receive an additional 5% bonus (per path). Any reports filed separately while we are actively working to resolve the issue will be treated as a duplicate.

Same Payload, Different Parameter
In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.

Note: Additional payloads, parameters, hosts and paths will not receive multiple bonuses.

FAQ

Where can we get credentials for the app?

Most of our applications allow self-registration. For applications that do not, we do not provide test credentials.

Is there an SSRF sheriff?

If you think you've got an SSRF attack against our network, use these two groups of servers to prove it to us. Each server hosts the same set of files in many different formats; the servers are identical apart from their geolocation, which in most circumstances does not matter for what you target. To prove your SSRF, send your attacks in a way that attempts to read or write content to/from one of these servers in each network segment (Prod + Corp). HTTPS is also enabled on these servers.

Production Network

Oath Domain Yahoo Domain
banana.stand.ne1.prod.oath banana.stand.ne1.yahoo.com
banana.stand.gq1.prod.oath banana.stand.gq1.yahoo.com
banana.stand.bf1.prod.oath banana.stand.bf1.yahoo.com
banana.stand.bf2.prod.oath banana.stand.bf2.yahoo.com
banana.stand.sg3.prod.oath banana.stand.sg3.yahoo.com
banana.stand.ir2.prod.oath banana.stand.ir2.yahoo.com
banana.stand.tw1.prod.oath banana.stand.tw1.yahoo.com
banana.stand.tp2.prod.oath banana.stand.tp2.yahoo.com

Corporate Network

Oath Domain Yahoo Domain
banana.stand.corp.gq1.cic.oath banana.stand.cgq1.yahoo.com
banana.stand.corp.bf1.cic.oath banana.stand.cbf1.yahoo.com
banana.stand.corp.sg3.cic.oath banana.stand.csg3.yahoo.com
banana.stand.corp.ne1.cic.oath banana.stand.cne1.yahoo.com

Files to target use the filename format <extension>_###.<extension>, for example txt_001.txt and zip_001.zip. A range of file formats is available for your testing needs. There is also one plain-text file with no extension; request it as noext_01.

File types available include:
avi, bmp, css, csv, doc, docx, dtd, flv, gif, html, icns, ics, ico, jar, jpg, js, json, md, mkv, mov, mp3, mp4, odp, ods, odt, ogg, pdf, php, png, ppt, rss, svg, tiff, txt, wav, wmv, xls, xlsx, xml, xsl, zip

We’ve also set the 404 error page to show you that you’ve hit the bananastand and not just some other unknown host: <html>...404 no bananas for you!...</html>

When testing, it would be super helpful if (along with the file you pull down) you also fetch http://<hostname>/intigriti-<username>, so that we can identify your activity in the logs more easily.

When submitting a report (in addition to all the usual details) please make sure to:

  1. Attach a copy of the file you fetched.
  2. Include the timestamp you fetched the file.
  3. Note the SSRF server that you fetched the file from.
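The SSRF sheriff procedure above, as a small Python evidence collector. This is an added example, not Yahoo's or Intigriti's tooling. It assumes a fetch function that drives the vulnerable endpoint with a URL and returns whatever body the application reflects back (the fake_fetch below is a constructed stand-in so the script runs offline), takes the hostnames and the 404 marker from this page, and uses the placeholder username exampleuser. Per network segment it requests the intigriti-<username> marker first, accepts a host only when the response carries the bananastand 404 text, then pulls txt_001.txt and records the host, UTC timestamp and SHA-256 that the report asks for.

```python
"""Evidence collector for the bananastand SSRF canary hosts.

Added example, not Yahoo's or Intigriti's code. Hostnames and the 404
marker come from the program page; the fetcher is a constructed stand-in.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Canary hosts from the program page (Yahoo-domain names). Geolocation does
# not matter, so the order in which they are tried is arbitrary.
PROD_HOSTS = [
    "banana.stand.ne1.yahoo.com", "banana.stand.gq1.yahoo.com",
    "banana.stand.bf1.yahoo.com", "banana.stand.bf2.yahoo.com",
    "banana.stand.sg3.yahoo.com", "banana.stand.ir2.yahoo.com",
    "banana.stand.tw1.yahoo.com", "banana.stand.tp2.yahoo.com",
]
CORP_HOSTS = [
    "banana.stand.cgq1.yahoo.com", "banana.stand.cbf1.yahoo.com",
    "banana.stand.csg3.yahoo.com", "banana.stand.cne1.yahoo.com",
]
BANANA_404 = "404 no bananas for you!"  # fingerprint of the canary's error page

# fetch(url) -> upstream body as reflected by the vulnerable endpoint,
# or None if the SSRF vector could not reach the URL at all.
Fetcher = Callable[[str], Optional[bytes]]


@dataclass
class Evidence:
    segment: str
    host: str
    file_url: str
    fetched_at: str   # UTC timestamp, required by the report
    sha256: str       # hash of the attached file copy
    size: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_url(host: str, ext: str = "txt", index: int = 1, scheme: str = "http") -> str:
    """Target filename format from the page: <extension>_###.<extension>."""
    return f"{scheme}://{host}/{ext}_{index:03d}.{ext}"


def marker_url(host: str, username: str, scheme: str = "http") -> str:
    """Per-researcher marker path so Yahoo can find your activity in the logs."""
    return f"{scheme}://{host}/intigriti-{username}"


def is_bananastand(body: Optional[bytes]) -> bool:
    """True only if the body is the canary's own 404 page, not some other host."""
    return body is not None and BANANA_404.encode() in body


def probe_segment(fetch: Fetcher, segment: str, hosts: List[str], username: str) -> Optional[Evidence]:
    """Try hosts in one segment until one answers as the bananastand, then pull a file.

    The marker request is expected to 404 with the bananastand text, which both
    tags the server log with the username and proves the reflected body really
    came from the canary. One confirmed host per segment is enough.
    """
    for host in hosts:
        if not is_bananastand(fetch(marker_url(host, username))):
            continue
        url = file_url(host)
        body = fetch(url)
        if body is None:
            continue
        return Evidence(
            segment=segment, host=host, file_url=url,
            fetched_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            sha256=sha256_hex(body), size=len(body),
        )
    return None


def collect_evidence(fetch: Fetcher, username: str) -> Dict[str, Optional[Evidence]]:
    """One result per network segment; the program wants both Prod and Corp tried."""
    return {
        "prod": probe_segment(fetch, "prod", PROD_HOSTS, username),
        "corp": probe_segment(fetch, "corp", CORP_HOSTS, username),
    }


def report_lines(results: Dict[str, Optional[Evidence]]) -> List[str]:
    """The three details the report must carry: file, timestamp, SSRF server."""
    lines = []
    for seg, ev in results.items():
        if ev is None:
            lines.append(f"{seg}: no bananastand host reachable through the SSRF vector")
        else:
            lines.append(f"{seg}: fetched {ev.file_url} at {ev.fetched_at} "
                         f"(sha256 {ev.sha256}, {ev.size} bytes) from {ev.host}")
    return lines


# --- constructed stand-in for the SSRF vector; no real traffic is sent --------
TXT_001 = b"constructed stand-in for txt_001.txt\n"  # not the real file's content


def fake_fetch(url: str) -> Optional[bytes]:
    """Pretends the SSRF reaches Prod but not Corp and reflects bodies verbatim."""
    host, _, path = url.split("://", 1)[1].partition("/")
    if host not in PROD_HOSTS:
        return None  # corp segment unreachable from this hypothetical vantage point
    if path == "txt_001.txt":
        return TXT_001
    return f"<html>...{BANANA_404}...</html>".encode()  # any other path 404s


if __name__ == "__main__":
    for line in report_lines(collect_evidence(fake_fetch, "exampleuser")):
        print(line)
```

Swap fake_fetch for a function that submits the URL through the real vulnerable parameter and returns the body the application reflects. For a blind SSRF nothing comes back, so the marker check cannot fire; still send the intigriti-<username> request, because the server-side log entry is what Yahoo will correlate with your report.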

The Fine Print

If you can’t hit these servers but can hit something else inside our network, you must provide a working PoC and understand that we will evaluate the impact of the host you tested against on a case-by-case basis.

We reserve the right to award a $0 bounty for any SSRF (or similar) reports that are not able to touch these servers.

Also, we will periodically review the logs on these servers and may reach out to hackers who have hit the server but not submitted a report. If this happens, you will be eligible for a maximum award of 10% for the report.
