Asset Types

HackerOne provides functionality to allow you to define your program's scope by listing assets that are considered in or out of scope for your program.
HackerOne supports the following types of assets:
| Type | Details |
| --- | --- |
| CIDR | Any valid IPv4 or IPv6 CIDR range. Examples: 172.200.0.0/16, 2001:db8::/48, fe80:0000:0000:0000:0204:61ff:fe9d:f156/3 |
| Domain | Domain of the asset. Wild card (`*`) may be used. Example: |
| iOS: App Store | The identifier in the Apple Store to locate your App. Example: com.domainname.appname, com.example.myapp |
| iOS: Testflight | A standard Apple identifier (https://developer.apple.com/testflight/). Note: If you'll be providing a different version than the one available in the App Store, please detail the invitation process in the instructions. Example: |
| iOS: .ipa | A standard Apple identifier. Note: If you'll be providing a different version than the one available in the App Store or Testflight, please detail where they can be located. Example: |
| Android Play Store | The id in Play Store used to locate your application (https://developer.android.com/studio/build/application-id.html). Example: |
| Android: .apk | A standard APK identifier. Note: If you'll be providing a different version than the one available in the Play Store, please detail where they can be located. Example: |
| Windows: Microsoft Store | The identifier in the Microsoft Store used to locate your app. It can be either a store ID like '9WZDNCRFHVJL' or an identifier name like 'Microsoft.SDKSamples.ApplicationDataSample'. Examples: 9WZDNCRFHVJL, Microsoft.SDKSamples.ApplicationDataSample |
| Source code | Link to the repository of an open source project. |
| Executable | Packaged executable on Linux, Windows, or Mac. Open source projects with releases can and should link as a Downloadable executable too. |
| Hardware/IoT | Identifiable model number and make. Be sure to explain in the instructions how to locate the model details and what they may look like. Example: |
| Other | Any other type of asset that is not contained within the existing taxonomy. |
Source Code, Downloadable Executables, and Hardware Identifiers aren't validated. You're free to use these in whatever way suits your naming conventions.
You can edit your scope in your settings under Program Settings > Program > Scope.