| Scope Type | Scope Name |
|---|---|
| android_application | Yahoo TW Stock Android |
| android_application | Yahoo Sports Android |
| android_application | Yahoo Mail Android |
| android_application | Yahoo Mail AndroidGo |
| android_application | Yahoo Search Android |
| android_application | Yahoo Fantasy Sports Android |
| android_application | Yahoo TW Auction Android |
| android_application | Yahoo HK Shopping Android |
| android_application | Yahoo HK News Android |
| android_application | Yahoo TW News Android |
| android_application | Yahoo TW eSports Android |
| android_application | Yahoo HK Auctions Android |
| android_application | Yahoo Weather Android |
| android_application | Yahoo TW Shopping Android |
| android_application | HuffPost Android App |
| ios_application | Yahoo TW Stock iOS |
| ios_application | Yahoo Sports iOS |
| ios_application | Yahoo Mail iOS |
| ios_application | Yahoo Search iOS |
| ios_application | Yahoo Fantasy Sports iOS |
| ios_application | Yahoo TW Auction iOS |
| ios_application | Yahoo HK Shopping iOS |
| ios_application | Yahoo HK News iOS |
| ios_application | Yahoo TW News iOS |
| ios_application | Yahoo TW eSports iOS |
| ios_application | Yahoo Live Web Insights iOS |
| ios_application | Yahoo HK Auctions iOS |
| ios_application | Minimum OS version: iOS 11 |
| ios_application | Yahoo Weather iOS |
| ios_application | Yahoo TW Shopping iOS |
| ios_application | HuffPost iOS App |
| other | Yahoo TW Store |
| other | *.txmblr.com - Various safe-domains used to host UGC that could be malicious (e.g. safe.txmblr.com). |
| other | Must use a mobile device user-agent to access when testing with a desktop browser. It is a completely new architecture, with a different tech stack from the regular web dashboard. |
| other | Yahoo Sports tvOS |
| other | Yahoo Sports (web) |
| other | Yahoo Mail FireOS |
| other | Yahoo Mail (web) |
| other | OBI Premium Checkout: |
| other | API WebSockets Streaming Market Data: |
| other | Yahoo Search (web) |
| other | Yahoo Fantasy Sports (web) |
| other | Yahoo TW Store (web) |
| other | Use this asset tag when a more specific brand/domain/property does not exist. |
| other | Can be used to identify whether the domain is a blog on the Blog Network. |
| other | View the domain in a browser; there will be a Tumblr banner visible. |
| other | Pages can be framed; Clickjacking or other X-Frame-Options attacks are excluded from eligibility. |
| other | Yahoo TW Auction (web) |
| other | Yahoo HK Shopping (web) |
| other | Yahoo TW News (web) |
| other | Yahoo Video FireTV |
| other | Yahoo Video tvOS |
| other | Yahoo TW eSports (web) |
| other | Yahoo HK Auctions (web) |
| other | Minimum OS version: API 21 |
| other | Twitter API key in code |
| other | Yahoo Weather (web) |
| other | Yahoo TW Shopping (web) |
| other | Use this asset when nothing else can be reasonably selected. |
| other | Mobile Apps and APIs included |
| other | HuffPost Plus (no reimbursement will be provided) |
| other | Any accounts you need will be self-service signup. |
| other | Please consolidate your reports. Separate reports for the same or similar payload/issue against multiple international editions will be marked as duplicates and paid only once for Huffington Post international editions. |
| other | Do not use/select/test “Emergency” on the support forms. This will earn you a strike. |
| web_application | t.umblr.com - A link-redirection service domain. |
| web_application | *.tumblr.com - The site itself, the API, sub-services, S3 buckets and more. |
| web_application | *.srvcs.tumblr.com - Various micro-service domains used for logging and metrics, messaging, etc. |
| web_application | *.groups.yahoo.com (main site) |
| web_application | *.rtn.groups.yahoodns.net (returned bounced email) |
| web_application | *.yahoogroups.com (SMTP - mail relay) |
| web_application | *.huffingtonpost.de (decommissioned edition) |
| web_application | *.huffingtonpost.com.mx (decommissioned edition) |
| web_application | *.huffpost.de (decommissioned edition) |
| web_application | *.huffpost.com.mx (decommissioned edition) |
| web_application | *.huffpostarabi.com (decommissioned edition) |
| web_application | *.huffpo.net (anything here will likely exist on some other domain, with very few exceptions) |
| web_application | news.huffingtonpost.com (3rd party, CampaignMonitor) |
| web_application | coupons.huffpost.com (3rd party, Groupon) |
| web_application | huffpost.atlassian.net (3rd party, Atlassian) |
| web_application | huffpoststuff.com (3rd party, StackCommerce) |
Out of Scope
| Scope Type | Scope Name |
|---|---|
| android_application | Yahoo Messenger Android |
| android_application | Yahoo Cricket Android |
| ios_application | Yahoo Messenger iOS |
| ios_application | Yahoo Cricket iOS |
| other | Yahoo Small Business |
| other | is operated under |
| other | Media Group One |
| other | Movies Hong Kong |
| other | Yahoo Operated WordPress blogs |
| other | Yahoo Messenger (web) |
| other | Out of Scope: |
| other | Style Me Pretty |
| other | Yahoo Together (Squirrel) |
With brands like Yahoo, HuffPost and TechCrunch, Verizon Media helps people stay informed and entertained, communicate and transact, while creating new ways for advertisers and partners to connect. With technologies like XR, AI, machine-learning, and 5G, we’re transforming media for tomorrow, too.
Our information security team is known as the Paranoids, and we’re committed to protecting our brands and our users. As part of this commitment, we invite security researchers to help protect Verizon Media and its users by proactively identifying security vulnerabilities via our bug bounty program. Our program is inclusive of all Verizon Media brands and offers competitive rewards for a wide array of vulnerabilities. We encourage security researchers looking to participate in our bug bounty program to review our policy to ensure compliance with our rules and also to help you safely verify any vulnerabilities you may uncover.
By submitting reports or otherwise participating in this program, you agree that you have read and will follow the Program Rules and Legal Terms sections of this program Policy.
Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program. Three strikes will earn you a temporary ban. Four strikes means a permanent ban.
Verizon Media reserves the right to change or modify the terms of this program at any time. You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. sanctions lists (such as the lists administered by the US Department of the Treasury’s OFAC).
Verizon Media does not give permission/authorization (either implied or explicit) to an individual or group of individuals to (1) extract personal information or content of Verizon Media users or publicize this information on the open, public-facing internet without user consent or (2) modify or corrupt programs or data belonging to Verizon Media in order to extract and publicly disclose data belonging to Verizon Media.
Verizon Media employees (including former employees that separated from Verizon Media within the prior 12 months), contingent workers, contractors and their personnel, and consultants, as well as their immediate family members and persons living in the same household, are not eligible to receive bounties or rewards of any kind under any Verizon Media programs, whether hosted by Verizon Media or any third party.
Verizon Media will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this Policy.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of another party (which is not us), that third party may determine whether to pursue legal action. We cannot and do not authorize security research in the name of other entities. If legal action is initiated by a third party against you and you have complied with this Policy, we will take reasonable steps to make it known that your actions were conducted in compliance with this Policy.
You are expected, as always, to comply with all applicable laws and regulations.
Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this Policy.
We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 90 days of being triaged.
Each brand that is part of Verizon Media is represented in at least one of the programs listed here. Please review the program scope before submitting a report. Private scope is accessible to invited researchers only.
Web traffic to and from Verizon Media properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do one or both of the following when participating in one of the Verizon Media bug bounty programs:
`<username>+firstname.lastname@example.org`. Some of our properties will require this to be eligible for bounty.
When testing for a bug, please also keep in mind:
`touch /root/<your H1 username>` (`touch` also proves execution)
If our security team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:
Note: Failure to adhere to these minimum requirements may result in the loss of a reward.
All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services.
For each report, please allow Verizon Media sufficient time to patch other host instances. If you find the same bug on a different (unique) host prior to the report reaching a triaged state, file it within the existing report to receive an additional 10% bonus (per host, not domain). Any reports filed separately while we are actively working to resolve the issue will be treated as a
In some cases, rewards may be consolidated into a single payout. For example, multiple reports of the same vulnerability across different parameters of a resource, or demonstrations of multiple attack vectors against a fundamental framework issue. We kindly ask you to consolidate reports rather than separate them.
Vulnerabilities on a specific brand or web property should be reported to the program to which it belongs. Please see our detailed scope list at the bottom of this page for a full list of assets that are out of scope. This list is subject to change without notice. To reduce the number of assets listed in each program we operate, out-of-scope assets are only listed on our public program policy page.
If you’ve found a vulnerability that affects an asset belonging to Verizon Media, but is not included as in scope on any of the Verizon Media programs, please report it to this program.
You will be eligible for a bounty only if you are the first person to disclose an unknown issue. Qualifying bugs will be rewarded based on severity, to be determined by Verizon Media in its sole discretion. Rewards may range from HackerOne Reputation Points and swag to monetary rewards up to $15,000 USD. Awards are granted entirely at the discretion of Verizon Media.
At Verizon Media's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, Verizon Media may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations. A reduction in bounty is also warranted for reports that require specific browser configurations.
Where a monetary bounty is presented, eligible reports will be awarded based on severity after identifying final impact, as determined by Verizon Media.
| Severity | Payout Range |
|---|---|
| Critical | $10,000 - $15,000 |
| High | $3,000 - $10,000 |
| Medium | $500 - $3,000 |
| Low | $0 - $500 |
| None | $0 |
All reports will be awarded based on the Common Weakness Enumeration classification. This table provides the CWEs that we will accept, the severity ranges we will classify reports within for the CWE, and some examples of common vulnerability and attack names that we classify within each CWE that we will accept. This table serves only as a guide and the severity classification of a particular vulnerability will be determined by Verizon Media in its sole discretion.
Note: Non-listed vulnerabilities may also be eligible. Some vulnerability types may fall under a variety of severity ratings determined by scope/scale of exploitation and impact.
| Severity (low) | Severity (high) | CWE-ID | Common Weakness Enumeration | Bug |
|---|---|---|---|---|
| Critical | Critical | CWE-78 | OS Command Injection | Remote Code Execution; Code Injection; LDAP Injection |
| Critical | Critical | CWE-120 | Classic Buffer Overflow | Buffer Overflow |
| High | Critical | CWE-89 | SQL Injection | SQL Injection |
| High | Critical | CWE-918 | Server-Side Request Forgery | SSRF |
| Medium | Critical | CWE-732 | Incorrect Permission Assignment for Critical Resource | IDOR; Horizontal Privilege Escalation; Vertical Privilege Escalation |
| Critical | Critical | CWE-91 | XML Injection | XML Injection |
| High | Critical | CWE-134 | Uncontrolled Format String | Insecure Deserialization |
| High | Critical | CWE-250 | Execution with Unnecessary Privileges | Privilege Escalation to System Account |
| Low | Critical | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Server Side Includes Injection; Local File Inclusion; XML External Entity; Directory Traversal |
| Medium | High | CWE-306 | Missing Authentication for Critical Function | Exposed Administrative Interface |
| Medium | Critical | CWE-862 | Missing Authorization | Horizontal Privilege Escalation; Vertical Privilege Escalation; IDOR |
| Low | Critical | CWE-200 | Information Exposure | User Enumeration with PII; Credentials on GitHub |
| Medium | High | CWE-863 | Incorrect Authorization | Authorization Bypass; Account Takeover |
| Medium | High | CWE-798 | Use of Hard-coded Credentials | Hard Coded Credentials |
| Medium | High | CWE-434 | Unrestricted Upload of File with Dangerous Type | Unfiltered File Upload |
| Low | High | CWE-203 | Information Exposure Through Discrepancy | PHP Admin Information page; MySQL Information page (w/ credentials); Apache Status page |
| Medium | Medium | CWE-494 | Download of Code Without Integrity Check | S3 Bucket Upload |
| Low | Medium | CWE-311 | Missing Encryption of Sensitive Data | Cleartext Submission of Passwords |
| Low | Medium | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | |
| Low | Medium | CWE-79 | Cross-Site Scripting | Stored XSS; POST-Based XSS; GET-Based XSS; DOM-Based XSS; Flash-based XSS; CSS Injection |
| Medium | Medium | CWE-352 | Cross-Site Request Forgery | State-Changing CSRF; Non-State-Changing CSRF |
| Low | Medium | CWE-16 | Misconfiguration | Subdomain Takeover; Dangling DNS Record |
| Medium | Medium | CWE-93 | CRLF Injection | CRLF Injection |
| Low | Low | CWE-601 | Open Redirect | Open Redirect |
| Informative | Low | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Weak CAPTCHA |
| Informative | Low | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Lack of Rate Limiting on Login; CAPTCHA Bypass |
These issues are eligible for submission, but not eligible for bounty or any award. Once triaged, they will be closed as Informative only if found to be valid, or as Spam if found to be not valid. When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.
- Any non-Verizon Media Applications
- "Self" XSS
- Missing Security Best Practices
- HTTP Host Header XSS
- Confidential Information Leakage
- Clickjacking/UI Redressing
- Use of known-vulnerable library (without proof of exploitability)
- Intentional Open Redirects
- Missing cookie flags
- Reflected file download
- SSL/TLS Best Practices
- Incomplete/Missing SPF/DKIM
- Physical attacks
- Social Engineering attacks
- Results of automated scanners
- Login/Logout/Unauthenticated CSRF
- Autocomplete attribute on web forms
- Using unreported vulnerabilities
- "Self" exploitation
- Issues related to networking protocols
- XSS in flash files not developed by Verizon Media (e.g. Camtasia, JW Player, Flowplayer swf files)
- Software Version Disclosure
- Verbose error pages (without proof of exploitability)
- Denial of Service attacks
- Verizon Media software that is End of Life or no longer supported
- Account/email Enumeration
- Missing Security HTTP Headers (without proof of exploitability)
- Internal pivoting, scanning, exploiting, or exfiltrating data
Note: 0-day vulnerabilities may be reported 30 days after initial publication. We have a team dedicated to tracking these issues; hosts identified by this team and internally ticketed will not be eligible for bounty.
The following issues are considered out of scope: