2021-05-04
Azbuka Vkusa

Program Description


Azbuka Vkusa LLC pays special attention to the security, integrity and availability of its data and systems, as well as those of its customers, employees and partners. We value the work of security researchers aimed at improving the security of our products and services, and we encourage the community to take part in our reward program for discovered vulnerabilities.

Unverified reports from automated vulnerability scanners (findings that the researcher has not manually confirmed) are considered out of scope.

Response time


As a rule, we aim to meet the following response times:

  • Time to first response (from receipt of the report): 5 business days;

  • Time to process the report (from receipt of the report): 10 business days;

  • Time to pay the reward (from completion of report processing): 20 business days.

Response times are extended over weekends and public holidays.

Disclosure Policy


  • Comply with the general principles of responsible disclosure;

  • Refrain from disclosing information about vulnerabilities (even after they have been fixed) or providing any related information to third parties without the explicit consent of Azbuka Vkusa LLC;

  • Do not exploit a discovered vulnerability for your own or anyone else's benefit other than that of the owner of this program. This includes creating additional risk, attempting to access confidential data, or using the vulnerability to find further vulnerabilities;

  • Unless otherwise specified in this policy, follow HackerOne's disclosure guidelines.

Program Rules


General Rules


  • In the case of duplicate reports, a reward is paid only for the first report received (provided that the vulnerability described in it can be fully reproduced);

  • Multiple reports, or multiple vulnerabilities described in a single report, that stem from a single underlying root cause receive one reward only. In particular, the same vulnerability found on multiple domains is treated as a SINGLE vulnerability: report all affected domains in one report. Subsequent reports will be closed as Duplicate;

  • Test accounts may be provided on request in exceptional cases;

  • Reports on out-of-scope assets will be taken into account but not rewarded;

  • Participants in this program may not be current or former employees of Azbuka Vkusa LLC or its affiliates;

  • Accepted languages: English, Russian.

When searching for and reporting vulnerabilities, the following requirements must be met:

  • Provide detailed reports with reproduction steps, including the full HTTP requests that lead to the exploitable vulnerability;

  • Describe one vulnerability per report, unless several vulnerabilities must be chained to demonstrate a successful attack;

  • Refrain from disclosing information about vulnerabilities or providing any related information to third parties;

  • Do not use vulnerability testing tools that automatically generate a significant volume and/or frequency of network traffic;

  • Do not carry out attacks that may harm the reliability and/or integrity of Azbuka Vkusa services or data (denial-of-service attacks, etc.);

  • Do not open or modify customer accounts. Where accounts are needed to find vulnerabilities, use your own;

  • Do not send spam or conduct social engineering attacks, including phishing, against customers or employees;

  • Do not perform any physical attacks;

  • Any further exploitation of a vulnerability after the report has been submitted is prohibited.

Scope definition for the purposes of this policy


In scope

Targets:

Services located on domain names: av.ru (and subdomains), azbukavkusa.ru (and subdomains);

Services located at network addresses: 195.19.210.0/24;

Services reachable on the Company's wireless networks, and the wireless networks themselves, where owned by Azbuka Vkusa.

Vulnerabilities

Scope is limited exclusively to technical vulnerabilities in our services and web applications. Any design or implementation vulnerability that significantly affects data confidentiality or integrity is likely to qualify under this policy.

Vulnerabilities should be reproducible in the following browsers:

  • Chrome;

  • Firefox;

  • Safari;

  • Opera;

  • Edge;

  • Internet Explorer.

Browsers should be at the latest stable release at the time the report is submitted. Vulnerabilities that require the installation of specific services, extensions or plug-ins are out of scope.

Out of scope

Targets

Everything not explicitly listed as in scope.

If web pages are redirected to other domain names, they are out of scope.

Vulnerabilities

  • CSRF on non-critical actions (logout and similar);

  • Self-XSS and similar issues without a demonstrated real impact on user or system security;

  • Framing and clickjacking issues without a documented sequence of clicks confirming the vulnerability;

  • Missing security mechanisms or non-compliance with best practices without a demonstrated real impact on user or system security;

  • Missing SSL/TLS, or use of insecure SSL/TLS ciphers;

  • Exposed Google/Yandex API keys;

  • Attacks that require full access to passwords, tokens, the browser profile, or the local system;

  • Disclosure of non-critical information (such as product version, protocol, etc.);

  • Issues that do not affect the latest versions of modern browsers, and issues associated with browser extensions;

  • Vulnerabilities that only affect users of particular browsers;

  • Attacks that require extremely unlikely user interaction;

  • Denial-of-service attacks, or issues related to missing rate limits;

  • Timing attacks that prove the existence of a user account (username enumeration) and the like;

  • Insecure cookie settings on non-critical cookies;

  • Issues in content or services not owned or managed by the Company (this includes third-party services operating on subdomains);

  • Vulnerabilities that the Company considers to carry an acceptable level of risk;

  • Scripting or other automation that iterates through intended functionality and parameters;

  • Missing DMARC records on subdomains.

Reports of zero-day vulnerabilities in third-party software are considered on a case-by-case basis and do not guarantee a reward.

Further Exploitation of the Vulnerability after the Vulnerability Report Has Been Sent

Any further exploitation of a vulnerability after its report has been submitted is out of scope, except for the minimum required to prove that the vulnerability is exploitable.

For RCE or injection vulnerabilities, you may run commands that only reveal the database version, the system name, or the local IP address.

Any subsequent exploitation that would lead to further vulnerabilities, and/or risks impairing the stability or integrity of the systems, is out of scope.

In Scope

Scope Type       Scope Name
web_application  *.av.ru
web_application  *.azbukavkusa.ru
web_application  jobazbuka.ru
web_application  195.19.210.0/24

Out of Scope

Scope Type       Scope Name
web_application  blackhole.av.ru
web_application  filecloud.av.ru
web_application  gitlab.av.ru
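Before testing, a researcher would normally encode a scope like this in a small checker so that every host they touch is verified against the program's wildcard, CIDR and exclusion entries, and against the rule that pages redirecting to other domain names are out of scope. The script below is an added example written for this page, not tooling published by Azbuka Vkusa or FireBounty. The scope entries are copied from the tables above; the hostnames in the usage examples are constructed, and the interpretation that a redirect counts as out of scope only when its destination is not itself an in-scope host is an assumption.

```python
"""Scope checker for the program described on this page (added example)."""
import ipaddress
from typing import Optional
from urllib.parse import urlparse

# Scope entries transcribed from the In Scope / Out of Scope tables on the page.
IN_SCOPE = ["*.av.ru", "*.azbukavkusa.ru", "jobazbuka.ru", "195.19.210.0/24"]
OUT_OF_SCOPE = ["blackhole.av.ru", "filecloud.av.ru", "gitlab.av.ru"]


def _host_of(target: str) -> Optional[str]:
    """Accept either a bare hostname/IP or a full URL and return the host part."""
    if "://" in target:
        return urlparse(target).hostname
    return target.lower().rstrip(".") or None


def _matches(entry: str, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is covered by one scope entry."""
    host = host.lower().rstrip(".")
    if "/" in entry:
        # CIDR block: only an IP literal can fall inside it; DNS names never match.
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    if entry.startswith("*."):
        # The prose scope lists av.ru "and subdomains", so the wildcard is taken
        # to cover the apex as well as every label below it. The leading dot in
        # the comparison stops "evil-av.ru" from matching "*.av.ru".
        base = entry[2:]
        return host == base or host.endswith("." + base)
    return host == entry


def classify(target: str, final_url: Optional[str] = None) -> str:
    """Return 'in', 'excluded' (explicitly listed out of scope) or 'out'.

    `final_url` is the URL the target redirects to, if any. The program says
    pages redirected to other domain names are out of scope; this treats a
    redirect as disqualifying when its destination is not itself in scope
    (assumption: a redirect between two in-scope hosts stays in scope).
    """
    host = _host_of(target)
    if host is None:
        return "out"
    if any(_matches(e, host) for e in OUT_OF_SCOPE):
        return "excluded"
    if not any(_matches(e, host) for e in IN_SCOPE):
        return "out"
    if final_url:
        dest = _host_of(final_url) or ""
        if any(_matches(e, dest) for e in OUT_OF_SCOPE) or not any(
            _matches(e, dest) for e in IN_SCOPE
        ):
            return "out"
    return "in"


if __name__ == "__main__":
    # Constructed sample targets, not real findings.
    for t, redirect in [
        ("www.av.ru", None),
        ("https://shop.azbukavkusa.ru/cart", None),
        ("195.19.210.77", None),
        ("gitlab.av.ru", None),
        ("evil-av.ru", None),
        ("promo.av.ru", "https://example.com/landing"),
    ]:
        print(f"{t:40} -> {classify(t, redirect)}")
```

Run it with no arguments to see the sample classifications; in practice the list of targets would come from subdomain enumeration output and `final_url` from a HEAD request that follows redirects, so that hosts which bounce to a third-party domain are dropped before any testing starts.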


This program, crawled on 2021-05-04, is categorised as a bounty program.

FireBounty © 2015-2024