HackerOne provides functionality to allow you to define your program's scope by listing assets that are considered in or out of scope for your program.
HackerOne supports the following types of assets:
|CIDR||Any valid IPv4 or IPv6 CIDR range.||220.127.116.11/16 2001:db8::/48 fe80:0000:0000:0000:0204:61ff:fe9d:f156/3 18.104.22.168|
|URL||Complete web address identifying a specific resource. Default to using the Domain asset type unless you are specifying a specific application on the domain.||www.example.com/app1 www.example.com/app2|
|Domain||Domain of the asset. For wild card scopes, use the Wildcard scope type.||www.example.com myprogram.com|
|Wildcard||A way to specify multiple domains or subdomains.||www.amazon.* or *.vpn.hackerone.net|
|iOS: App Store||An Apple iOS mobile app provided via the App Store. The identifier in the Apple Store to locate your App.||App Store hyperlink|
|iOS: Testflight||An Apple iOS mobile app provided via Testflight, often used for pre-production versions of mobile applications. A standard Apple identifier (https://developer.apple.com/testflight/).
Note: If you are providing a different version than the one available in the App Store, please detail the invitation process in the instructions.
|iOS: .ipa||An Apple iOS mobile app provided via a file. A standard Apple identifier.
Note: If you are providing a different version than the one available in the App Store or Testflight, please detail where they can be located.
|Android Play Store||A Google Android mobile app provided via the Play Store. The ID in Play Store used to locate your application||https://developer.android.com/studio/build/application-id.html|
|Android: .apk||A Google Android mobile app provided via a file. A standard APK identifier.
Note: If you are providing a different version than the one available in the Play Store, please detail where they can be located.
|Windows: Microsoft Store||A Windows Phone mobile app. The identifier in the Microsoft Store used to locate your app. It can be either a store ID like '9WZDNCRFHVJL' or an identifier name like 'Microsoft.SDKSamples ApplicationDataSample'.||9WZDNCRFHVJL Microsoft.SDKSamples.ApplicationDataSample|
|Source code||Link to the repository of an open source project.||https://github.com/Hacker0x01/docs.hackerone.com|
|Executable||Packaged executable on Linux, Windows, or Mac. Open-source projects with releases can and should link as a Downloadable executable too.|
|Hardware/IoT||Identifiable model number and make of any physical device. Be sure to explain in the instructions how to locate the model details and what they may look like.||100-440-0.750-3434-A|
|Other||Any other type of asset that is not contained within the existing taxonomy. Common asset types in this category include: Autonomous System Numbers (ASNs)- a globally unique identifier for a set of IP prefixes belonging to a network or a collection of networks that are all managed, controlled, and supervised by a single company||ASN: 13335|
|Smart Contracts||Programs stored on a blockchain that run when predetermined conditions are met. This should be a URL with a link to the smart contract.||https://polygonscan.com/address/0xfede379e48c873c75f3cc0c81f7c784ad730a8f7 https://github.com/magiceden-oss/erc721m/releases/latest|
Other, Source Code, Downloadable Executables, and Hardware Identifiers aren't validated. You're free to use this in a way that suits your naming conventions.
You can edit your scope in your settings under Program Settings > Program > Scope.