2021-06-01
2021-06-04
Lazada

ABOUT THE PROGRAM

Welcome to the Lazada public program. We know you want to start hunting ASAP. However, we also do not want you to miss out on important information in the program rules. To make it easier, we have summarized the key ideas of the different sections. Note: this summary is not a substitute for reading the actual text!

Notes on Vulnerabilities

This section lists rules/requirements on specific vulnerabilities:

  • demonstrating impact
  • report requirements
  • rewards

Rewards Guideline

This section contains:

  • examples of High/Critical impacts which are specific to Lazada as an ecommerce platform
  • We have many wildcard scopes and it is not possible to list all of them (even if we could it wouldn't be a good idea). Hence here we have listed the 3 reward grids we will use, and how we assess which grid a scope should belong to
  • We also include a text file (known-subdomains.txt) containing subdomains with known corresponding grids, focusing primarily on the CORE (+++) grid

Qualifying/Non-qualifying vulnerabilities

We have a long list of non-qualifying vulnerabilities. Please have a second look at it before submitting your reports. Repeated submissions of non-qualifying vulnerabilities will be marked as "Invalid" and result in a deduction of points.

User Agent

Last but not least, please append to your user-agent header the following value: 'LZD_YWH_BBP_PUBLIC'.

- END OF SUMMARY -

PROGRAM RULES

Participants are permitted to perform any tests and investigations on the systems, as long as they act in good faith and respect the scope and rules described below.

GENERAL RULES

Please read the following rules carefully, especially the information regarding the scopes of this program and the corresponding reporting requirements.

  • If the definition of the scope prevents you from exploiting other server-side vulnerabilities, this will be taken into consideration when calculating the compensation (e.g. you successfully pwn a server and are ready for lateral movement, but you do not exploit surrounding systems because they are out of scope).
  • No support will be provided on how to use the applications in scope or on account creation.
  • In-scope subdomains that are running 3rd party services (i.e. SaaS) are considered out of scope. When in doubt, please raise a report to confirm the application is in scope.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Lazada. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through yeswehack.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit your requests per second). If you overdo it, your IP address might be throttled or even (temporarily) blocked to protect our infrastructure.
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Lazada/Alibaba or one of its contractors.
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.

Reports about vulnerabilities are examined by our security analysts. Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.

Notes on Vulnerabilities

  • Demonstrating impact on RCE/SQLi/SSRF: please use the following approved actions for your PoC. If we would like you to go further, we will say so directly on your report.

    • RCE : id / whoami / hostname / ifconfig
    • SQLi : send us the version and/or the database diagram
    • SSRF : content page or specific behavior

  • The triage team will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to remove all the other weaknesses, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. In any case, all reports will be reviewed individually.

  • Domain variation: the following domains lead to different applications sharing the same code base and are subject to "OneFixOneReward":
    ( www | pages | checkout | store | cart | member | member-m | my | my-m | acs-m | sellercenter | m.sellercenter | nest.sellercenter | api.sellercenter | gsp | bms ).lazada.(com.my|com.ph|co.id|co.th|vn|sg)

  • Subdomain takeover without interaction on a production environment will be considered as max CVSS High
    Example: A subdomain takeover can be used to perform an external resource hijacking (e.g. a JavaScript file) that is loaded on another domain; no interaction by the victim user is needed to execute the malicious JS.

  • Subdomain takeover with interaction on a production environment will be considered as max CVSS Medium
    Example: A subdomain takeover can be performed but it's only visible if a victim user visits this domain.

  • Subdomain takeover, DNS dangling, Cache Poisoning...: If you find multiple similar issues across multiple scopes at the same time, we recommend submitting all the affected assets in a single report. We will, on a case-by-case basis, consider increasing the bounty amount accordingly.

  • Discovered vulnerabilities must not have any impact on other users' activities, or modify the application. E.g. a stored XSS PoC should use console.log() instead of the usual alert(), confirm(), prompt().

  • Authorization bypass / IDOR: We would only consider cross-seller (two different shops) vulnerabilities to be valid or of higher severity. Please use two separate Seller accounts from two different shops for this purpose as seller accounts belonging to the same shop are treated as having the trust of the shop to a certain extent.

REWARD GUIDELINES

We are mostly focusing on HIGH and CRITICAL vulnerabilities.
Here are a few examples of practical impacts that we would rate as MAX CRITICAL (max $10000):

  • Massive dumping / leak of PII of customer data (i.e. buyers; the information should include identifiers such as full name, phone number, address, identification number, payment information and any other information that may further be used to deanonymize Lazada customers).

Here are some examples of practical impacts that we would rate as CRITICAL (max $3000) :

  • RCE on production infrastructure for CORE Applications. (Direct impact on our customers or vendors - not in a sandbox/staging)
  • Massive dumping / leak of PII of seller data
  • Ability to bypass business logic in order management, cancellation and returns that leads to financial losses to Lazada (without the use of social engineering)
  • Perform unauthorized CRUD operations on other shops on Sellercenter to disrupt major selling abilities of their daily operations (e.g. deactivate shops, reduce stock count, adding/deleting products)
  • Complete an "Unpaid Order" successfully without making any payment
  • Manipulation of product, pricing, eligibility criteria rule in products sold in Sellercenter to disrupt Lazada revenue stream
  • Abusing the use of Lazada Wallet's payment related features on Lazada (e.g. top-up without making any payment, use another customer’s wallet)
  • Complete defacement of main Lazada pages (e.g. Homepage, Category, Lazada Main Campaign Pages, Redmart)
  • At scale fraud on coupon code (e.g. monitoring/dumping of LAZADA vouchers at real-time, ignoring voucher restrictions)

Here are some examples of practical impacts that we would rate as HIGH (max $1600):

  • Ability to dump products' future promotional prices, flash sales on promotional periods (11.11, 12.12, Birthday campaigns)
  • Ability to bypass cart, voucher, checkout, promotion rules to gain price advantage (e.g. if cart rule gives 10% off for 2 items from the same seller, obtain the same 10% off for 1 item)
  • Ability to create normal seller products under LazMall (i.e. LazMall is a curated selection of leading international and local brands, top-rated online brands and authorized brand distributors)

Reward Grids

Some scoped assets contain multiple applications with different security and business impacts. These scopes are marked with the security requirements (+++), (++), (+). The grid applied to a vulnerability on these scopes is determined by its actual impact.

Eg: A vulnerability discovered on *.lel.global that has no direct impact on our customers, vendors or Lazada capabilities will be processed under the scope *.lel.global (+) and rewarded based on the Reward grid for other Applications (+).

For the list of known subdomains and their corresponding reward grids, please refer to: known-subdomains.txt

Reward grid for CORE Applications (+++)

Impact: Direct impact on our customers or vendors

Rating        CVSS score    Bounty
None          0.0           $0
Low           0.1 - 3.9     $0
Medium        4.0 - 6.9     $200 - 400
High          7.0 - 8.9     $800 - 1600
Critical      9.0 - 10.0    $2000 - 3000
MAX Critical  9.0 - 10.0    $3000 - 10000

Reward grid for CORE related Applications (++)

Impact: Indirect impact on our customers or vendors, but direct impact on Lazada capabilities

Rating        CVSS score    Bounty
None          0.0           $0
Low           0.1 - 3.9     $0
Medium        4.0 - 6.9     $100 - 200
High          7.0 - 8.9     $400 - 800
Critical      9.0 - 10.0    $1600 - 2000

Reward grid for other Applications (+)

Impact: No direct impact on our customers, vendors, or Lazada capabilities

Rating        CVSS score    Bounty
None          0.0           $0
Low           0.1 - 3.9     $0
Medium        4.0 - 6.9     $50 - 100
High          7.0 - 8.9     $200 - 400
Critical      9.0 - 10.0    $800 - 1000

In Scope

Scope Type            Scope Name
android_application   https://play.google.com/store/apps/details?id=com.lazada.android&hl=en_SG
android_application   https://play.google.com/store/apps/details?id=com.sc.lazada&hl=en_SG
ios_application       https://apps.apple.com/us/app/lazada-best-shopping-online/id785385147
ios_application       https://apps.apple.com/sg/app/lazada-seller-center/id1315605408
web_application       *.lazada.(sg|vn|co.id|co.th|com|com.ph|com.my) (+++)
web_application       *.lazada.(sg|vn|co.id|co.th|com|com.ph|com.my) (++)
web_application       *.lazada.(sg|vn|co.id|co.th|com|com.ph|com.my) (+)
web_application       *.redmart.com (+++)
web_application       *.redmart.com (++)
web_application       *.redmart.com (+)
web_application       *.lel.asia (+++)
web_application       *.lel.asia (++)
web_application       *.lel.asia (+)
web_application       *.lex.(co.id|com.my|in.th|ph|vn) (+++)
web_application       *.lex.(co.id|com.my|in.th|ph|vn) (++)
web_application       *.lex.(co.id|com.my|in.th|ph|vn) (+)
web_application       *.lazada-seller.cn
web_application       *.lazlogistics.(co.id|in.th|sg|vn|my|ph)

Out of Scope

Scope Type            Scope Name
undefined             In-scope subdomains that are running 3rd party services (i.e. SaaS). When in doubt, please raise a report to confirm the application is in scope
undefined             *-lel-(vn|id|in|th|ph|my|sg)-stg.lazada.(vn|id|in|th|ph|my|sg)
undefined             *.pickmee.(vn|id|in.th|ph|my|sg)
undefined             sellercenter.lazada.(sg|vn|co.id|co.th|com|com.ph|com.my) User Management Access Control issues within the same shop
web_application       sellersupport.redmart.com
web_application       fms.lazada.com

FireBounty crawled the Lazada program on the YesWeHack platform on 2021-06-01.
