Souq looks forward to working with the security community to find
vulnerabilities in order to keep our businesses and customers safe. Please
take the time to review our Security Page below before submitting
vulnerabilities. Thank you for working with us to keep Souq and our users
- Souq.com will provide rewards to eligible reporters of qualifying vulnerabilities ONLY as described in this program.
- Minimum reward is $50 USD.
- Maximum reward is $1,500 USD.
- The reward amount within that range depends on the impact of the reported vulnerability on Souq.com.
- Rewards are issued at the end of the month, after being processed in bulk.
- We do not pay for reports closed as Duplicate, Informative, Spam, or Not Applicable (N/A).
2 Targets in Scope
Please see our structured scope section at the bottom of the Policy Page for
assets that are in scope. We are only rewarding vulnerabilities on these
3 Qualifying Vulnerability Types
ONLY the following vulnerability types are eligible for a reward. Any other
vulnerability (even a critical one) is accepted as "Informative".
- Injection (SQL injection and command injection)
- Remote Code Execution
- Bulk leaks of sensitive customer information (not leaks of individual records)
- Authentication or authorization bypass of the Souq API that allows reading or modifying customer data or orders
- Leaked encryption keys, or bypass of encryption mechanisms
- XSS (Stored XSS ONLY)
- CSRF affecting orders and/or customer data ONLY
4 Qualified Report Format
4.1 Mandatory Format
All security reports must use the following format. Failure to include all
of this information will result in an invalid submission:
- Title: [Vulnerability Type] at [Target vulnerable URL or App]
- Steps: How to reproduce, step by step. Generic or vague descriptions will be discarded. State the browser and browser version used to reproduce the issue. Reported vulnerabilities must be reproducible in the latest browser releases (no more than 1 week old).
- Impact: Describe the perceived impact.
- Evidence: Screenshots and videos must be submitted as evidence of successful exploitation.
- Mitigation: How to mitigate the impact.
5 What are the Program Rules?
Souq.com is pleased to work with the entire community and acknowledges all
efforts to help us secure our platform. We therefore ask that you follow
these rules:
- Do not intentionally harm the experience or usefulness of the site.
- Do not attempt to view, modify, or damage data belonging to site users and customers.
- Do not make any information public until the issue has been resolved.
- Do not attempt any type of denial-of-service-style attack against the site.
- Do not attempt to hide your real-world identity.
- Do not perform any research or testing against the site in violation of the law.
- Do not copy or retain sensitive information or source code from the site.
- Do not publicly disclose the vulnerability before we have resolved it and it has been publicly disclosed on hackerone.com.
6 Who is Eligible to Subscribe to this Program?
All HackerOne members are welcome to join the program, except the following users:
- Residents of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria.
- Current employees of Souq.com or a Souq.com subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
- A contingent staff member or vendor employee currently working with Souq.com and/or involved in any part of the administration and execution of this program.