Asset Types
HackerOne lets you define your program's scope by listing the assets that are in or out of scope for your program.
HackerOne supports the following types of assets:
Type | Details |
---|---|
CIDR | Any valid IPv4 or IPv6 CIDR range. Examples: 2001:db8::/48, fe80:0000:0000:0000:0204:61ff:fe9d:f156/3 |
Domain | Domain of the asset. A wildcard (*) may be used. Example: myprogram.com |
iOS: App Store | The identifier in the App Store used to locate your app. Example: com.example.myapp |
iOS: Testflight | A standard Apple identifier (https://developer.apple.com/testflight/). Note: If you'll be providing a different version than the one available in the App Store, please detail the invitation process in the instructions. Example: |
iOS: .ipa | A standard Apple identifier. Note: If you'll be providing a different version than the one available in the App Store or Testflight, please detail where it can be located. Example: |
Android Play Store | The ID in the Play Store used to locate your application (https://developer.android.com/studio/build/application-id.html). Example: |
Android: .apk | A standard APK identifier. Note: If you'll be providing a different version than the one available in the Play Store, please detail where it can be located. Example: |
Windows: Microsoft Store | The identifier in the Microsoft Store used to locate your app. It can be either a store ID like '9WZDNCRFHVJL' or an identifier name like 'Microsoft.SDKSamples.ApplicationDataSample'. Examples: Microsoft.SDKSamples.ApplicationDataSample |
Source code | Link to the repository of an open source project. |
Executable | Packaged executable on Linux, Windows, or Mac. Open source projects with releases can and should link as a Downloadable executable too. |
Hardware/IoT | Identifiable model number and make. Be sure to explain in the instructions how to locate the model details and what they may look like. Example: |
Other | Any other type of asset that is not contained within the existing taxonomy. |
Source Code, Downloadable Executables, and Hardware Identifiers aren't validated. You're free to enter these in whatever way suits your naming conventions.
You can edit your scopes in your settings under Program Settings > Program > Scope.