Synopsis

Subdomains under *.github.net run services for our internal production network. Many of these services are not accessible from outside our internal network.

Focus areas

• Authentication bypasses allowing access to *.github.net services.
• Subdomain takeovers under *.github.net.
• Server Side Request Forgery vulnerabilities allowing access to our internal network. You may use ssrf-target.iad.github.net to test out SSRF attacks.

Ineligible submissions

Vulnerabilities in out-of-scope subdomains

Not all subdomains are in-scope for rewards at this time and are therefore ineligible for rewards. A list of out-of-scope subdomains is available in our scope section.