We had an absolute blast all week long in Las Vegas at BSides, BlackHat, DefCon and of course H1-702. If you were in town and came to the Paranoids party at Mansion 54, make sure to give us a shout `@theparanoids` and send us your resume if you are interested in a job that is posted on our job listings website.
At H1-702 we set the event scope to cover `*.yahoo.com` which was pretty daunting for a lot of folks because of the sheer size and scale of what is included there. Those that weren’t scared by the size told us that they were a bit disappointed because “Yahoo has had a bug bounty program for 6 years, so all the bugs have probably already been found”. If you saw the leaderboard then you would know that is clearly not the case!
But why? *Simple my dear Watson:*
We are still developing these products.
All of them.
New features, new products, new subscriptions, new services, usability bug fixes, and of course - security bug fixes.
All this new development means that the thing you looked at 6 years ago, 6 months ago, or maybe even 6 weeks ago, is probably different than when you last looked. You bring new skills from your experience in between, new tools you learned and wrote, and just a fresh set of eyes connected to that brilliant brain of yours. Come hack away. We paid out over $1,000,000 for the bugs we received at H1-702. Almost all of that was on `*.yahoo.com`.
That wasn’t all we included in H1-702 scope though, which brings us to what this message is all about...
Let’s keep this party going with more hacking on The Huffington Post.
* Begin your recon and testing!
* New assets will be listed on the program page in the Scope section.
* Start submitting reports to us and make sure to use the new assets.
* All reports submitted during this period will be deduplicated against each other; any bounties will be evenly split among all reports for the same vulnerability.
* **All** duplicated reports during this phase will receive full credit when ranked at the end of this cycle.
1. Register accounts (self-service) using your `<username>@wearehackerone.com` addresses.
2. Make sure to add the `X-Bug-Bounty: hackerone-<username>` header to your traffic.
* *.huffingtonpost.de (decommissioned edition)
* *.huffingtonpost.com.mx (decommissioned edition)
* *.huffpost.de (decommissioned edition)
* *.huffpost.com.mx (decommissioned edition)
* *.huffpostarabi.com (decommissioned edition)
* *.huffpo.net (anything here will likely exist on some other domain, with very few exceptions)
* Mobile Apps and APIs included
* HuffPost Plus (no reimbursement will be provided)
* *Any accounts you need will be self-service signup.*
* **DO NOT** use/select/test “Emergency” on the support forms. This will earn you a strike.
* news.huffingtonpost.com (3rd party, CampaignMonitor)
* coupons.huffpost.com (3rd party, Groupon)
* huffpost.atlassian.net (3rd party, Atlassian)
* huffpoststuff.com (3rd party, StackCommerce)
*For a quick refresher on our Scope Release Event design, please see the update from `July 1` titled `Hack in the Saddle Again! New Scope Release Event Coming Soon`*
## This phase will end on August 23.