Program Overview
AboitizPower runs a vulnerability disclosure program on HackerOne. The program has 71 in-scope assets and is managed by HackerOne's triage team.
In-Scope Assets
| Asset | Type | Max Severity | Eligible |
|---|---|---|---|
| All other applications (web sites, web applications, web services, and mobile applications) owned by AboitizPower and its Business Units | OTHER | Critical | No Bounty |
| *.aboitizpower.com | WILDCARD | Critical | No Bounty |
| *.apps.sofa.csg.aboitizpower.org | WILDCARD | Critical | No Bounty |
| *.cotabatolight.com | WILDCARD | Critical | No Bounty |
| *.davaolight.com | WILDCARD | Critical | No Bounty |
| *.enerzone.com.ph | WILDCARD | Critical | No Bounty |
| *.hedcor.com | WILDCARD | Critical | No Bounty |
| *.oilbu.com | WILDCARD | Critical | No Bounty |
| *.snaboitiz.com | WILDCARD | Critical | No Bounty |
| *.visayanelectric.com | WILDCARD | Critical | No Bounty |
| 1882energyventures.com | URL | Critical | No Bounty |
| 1882energyventures.net | URL | Critical | No Bounty |
| 1apeip-gmis-uat.aboitizpower.com | URL | Critical | No Bounty |
| 1apeip-gmis.aboitizpower.com | URL | Critical | No Bounty |
| aboitizenergysolutions.com | URL | Critical | No Bounty |
| aboitizpower.com.ph | URL | Critical | No Bounty |
| aboitizpower.info | URL | Critical | No Bounty |
| aboitizpower.net | URL | Critical | No Bounty |
| aboitizpower.org | URL | Critical | No Bounty |
| aboitizpower.ph | URL | Critical | No Bounty |
| aboitizpowercorporation.com.ph | URL | Critical | No Bounty |
| aboitizpowercorporation.ph | URL | Critical | No Bounty |
| aboitiztrading.com | URL | Critical | No Bounty |
| adventenergy.com.ph | URL | Critical | No Bounty |
| aesi.com.ph | URL | Critical | No Bounty |
| apsiph.com | URL | Critical | No Bounty |
| balambanenerzone.com | URL | Critical | No Bounty |
| bettersolutions.com.ph | URL | Critical | No Bounty |
| cleanergy.com.ph | URL | Critical | No Bounty |
| cleanergy.ph | URL | Critical | No Bounty |
| enerzone.com.ph | URL | Critical | No Bounty |
| http://1ap.aboitizpower.com | URL | Critical | No Bounty |
| http://aboitizpower.cas-oprs.com | URL | Critical | No Bounty |
| http://apportal.aboitizpower.com | URL | Critical | No Bounty |
| http://apps.hedcor.com | URL | Critical | No Bounty |
| http://emsc.aboitizpower.com | URL | Critical | No Bounty |
| http://energytrading.aboitizpower.com | URL | Critical | No Bounty |
| http://entrypass1ap.web.app | URL | Critical | No Bounty |
| http://gnpd.ph | URL | Critical | No Bounty |
| http://lrms.hedcor.com | URL | Critical | No Bounty |
| http://metering-services.aboitizpower.com | URL | Critical | No Bounty |
| http://pport4.hedcor.com | URL | Critical | No Bounty |
| http://watchapp-test.aboitizpower.com | URL | Critical | No Bounty |
| http://watchapp.aboitizpower.com | URL | Critical | No Bounty |
| http://wise.gnpd.ph | URL | Critical | No Bounty |
| http://www.aboitizpower.com | URL | Critical | No Bounty |
| http://www.adventenergy.com.ph | URL | Critical | No Bounty |
| http://www.aesi.com.ph | URL | Critical | No Bounty |
| http://www.aprenewablesres.ph | URL | Critical | No Bounty |
| http://www.cotabatolight.com | URL | Critical | No Bounty |
Showing 50 of 71 in-scope assets. View all on HackerOne.
Out-of-Scope Assets
- aboitiz.account.box.com
- http://pri-webprd-apg.aboitiz.com
- https://visayanelectric.com/
- iflex.snaboitiz.com/wp-content/*
Tips for Hacking AboitizPower
- Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
- Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
- Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
- Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
- Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.
Frequently Asked Questions
How do I start hacking AboitizPower?
Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.
Does AboitizPower pay bounties?
No, AboitizPower runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.
What types of vulnerabilities does AboitizPower accept?
AboitizPower accepts reports for vulnerabilities found in its 71 in-scope assets. Commonly accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.