
T-Mobile Bug Bounty Program

Complete guide to T-Mobile's bug bounty program on Bugcrowd. View in-scope assets, reward amounts, response times, and tips for finding vulnerabilities.

Program Overview

T-Mobile runs a bug bounty program on Bugcrowd with a maximum payout of $133,700. The program has 85 in-scope assets and is managed by Bugcrowd's triage team.


In-Scope Assets

Asset | Type
Self Register Account on T-Mobile Microsoft Entra ID | OTHER
Cellular Network Auth Bypass via Web/Mobile App | NETWORK
T&P Servers | NETWORK
Full Corporate Network Access or Access to Sensitive Network Segments | NETWORK
https://apps.apple.com/us/app/t-life-t-mobile-tuesdays/id1111876388 | IOS
https://play.google.com/store/apps/details?id=com.tmobile.tuesdays&hl=en_US&gl=US | ANDROID
https://account.t-mobile.com | WEBSITE
https://metrobyt-mobile.com | WEBSITE
https://sprint.com | WEBSITE
https://t-mobile.com | WEBSITE
https://api.t-mobile.com | API
https://tfb.t-mobile.com | WEBSITE
https://devedge.t-mobile.com | WEBSITE
https://tess.service-now.com | WEBSITE
https://digits.t-mobile.com | WEBSITE
https://metrobyt-mobile.com | WEBSITE
https://t-mobile.com | WEBSITE
https://sprint.com | WEBSITE
https://api.vistarmedia.com | WEBSITE
https://packages.cortexpowered.com | WEBSITE
https://api.vistarmedia.eu | WEBSITE
https://production-dynam-creative.vistarmedia.com | WEBSITE
https://storybook.vistarmedia.com | WEBSITE
https://creatives.vistarmedia.com | WEBSITE
https://sflower.cortexpowered.com | WEBSITE
https://production-delivery-metrics-svc.vistarmedia.com | WEBSITE
https://maps.vistarmedia.com | WEBSITE
https://transcodes-cdn.vistarmedia.com | WEBSITE
https://assets-cdn.vistarmedia.com | WEBSITE
https://docker-staging.adstruc.com | WEBSITE
https://staging-trafficking.vistarmedia.com | WEBSITE
https://job-svc-b.vistarmedia.com | WEBSITE
https://docsite.vistarmedia.com | WEBSITE
https://sfleet.cortexpowered.com | WEBSITE
https://audience-builder.vistarmedia.com | WEBSITE
https://staging-login.vistarmedia.com | WEBSITE
https://clients.adstruc.com | WEBSITE
https://demo.adstruc.com | WEBSITE
https://*.uscc.net | WEBSITE
https://*.uscc.com | WEBSITE
https://*.uscellular.com | WEBSITE
https://dashboard-101.moengage.com | WEBSITE
https://www.assurancewireless.com | WEBSITE
https://*.assurancewireless.com | WEBSITE
https://assets.platform.blis.com | WEBSITE
https://assets.development.amazon-tacticalplanner.com | WEBSITE
https://assets.platform.development.blis.com | WEBSITE
https://assets.platform.rc.blis.com | WEBSITE
https://audiencelogos.blis.com | WEBSITE
https://blis.com | WEBSITE

Showing 50 of 85 in-scope assets. View all on Bugcrowd.

Out-of-Scope Assets

  • *.sprint.net
  • /self-service-*
  • *.mobile.uscc.net
  • *.mobile.uscc.com
  • https://*.moengage.com
  • Any domain, property, product, protocol, or service of the app/hardware/software version not explicitly listed in the In-Scope section is out of scope; submissions are welcome but not guaranteed for the bounty/bonus.

Tips for Hacking T-Mobile

  1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
  2. Enumerate the attack surface — Use subdomain enumeration and directory brute-forcing to map all accessible endpoints.
  3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
  4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
  5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking T-Mobile?

Sign up on Bugcrowd, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does T-Mobile pay bounties?

Yes, T-Mobile offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does T-Mobile accept?

T-Mobile accepts reports for vulnerabilities found in their 85 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.