Update to the Brief
Please ensure to read the brief as updates have been made. Namely, p1 and p2 submissions must include a working proof of concept to be eligible for a reward.
Please remember that JSON, JS and CSS submissions will not be rewarded or marked as out of scope and that reflected XSS will be marked as p4 and stored XSS as P3.
Also, keep in mind that assets in scope are variations on a core web application handling all requests. Security issues reproduced in one domain will be reproducible in other domains, making them a single core issue and only worth a single reward.
Good luck and happy hunting!