Souq looks forward to working with the security community to find
vulnerabilities in order to keep our businesses and customers safe. Please
take the time to review our Security Page below before submitting
vulnerabilities. Thank you for working with us to keep Souq and our users
- Souq.com will provide rewards to eligible reporters of qualifying vulnerabilities ONLY as described in this program.
- Minimum reward is $50 USD.
- Maximum reward is $1,500 USD.
- The reward amount varies with the assessed impact of the reported vulnerability on Souq.com.
- Rewards are issued at the end of the month, after being processed in bulk.
- We don’t pay for reports closed as Duplicate, Informative, Spam or Not Applicable (N/A).
Reward criteria are as follows:
- High: eligible for rewards of 500 - 1500 USD, based on the evaluated risk to Souq.com, decided case by case.
- Medium: eligible for 100 - 500 USD.
- Low: eligible for 50 - 100 USD.
- Negligible: lower-scored reports are treated as Informational and are eligible for a “thank you” message or swag.
2 Targets in Scope
The following targets ONLY are in scope. All other subdomains or targets are not eligible.
2.3 Mobile Apps
- Android App Ver. 4.52 and above
- Android Seller App Ver. 1.0.17 and above
- iOS App Ver. 5.57 and above
3 Qualifying Vulnerability Types
The following vulnerability types ONLY are eligible. Any other vulnerability (even a
critical one) is accepted as "Informative".
- Injection (SQL and Commands)
- Remote Code Execution
- Bulk customer sensitive information leaks (not individual leaks)
- Bypassing authentication and authorization for Souq API access to gain/modify customer data/orders
- Leaked encryption keys or bypassing encryption mechanisms
4 Qualified Report Format
4.1 Mandatory Format
All security reports must follow the format below. Failure to include all of
this information will result in an invalid submission:
- Title: [Vulnerability Type] at [Target vulnerable URL or App]
- Steps: how to reproduce, step by step. Generic or vague descriptions will be discarded. Don’t forget to mention which browser version was used to reproduce. Reported vulnerabilities should be reproducible in the latest browser versions (at most one week old).
- Impact: describe the perceived impact.
- Evidence: screenshots and videos must be submitted as evidence of successful exploitation.
- Mitigation: how to mitigate the impact.
5 What are the Program Rules?
Souq.com is pleased to work with the entire community and acknowledges all
efforts to help us secure our platform. Hence, we appreciate your conformance
to the following rules:
- Do not intentionally harm the experience or usefulness of the site.
- Do not attempt to view, modify, or damage data belonging to site users and customers.
- Do not make any information public until the issue has been resolved.
- Do not attempt any type of denial-of-service-like attack against the site.
- Do not attempt to hide your real-world identity.
- Do not perform any research or testing against the site in violation of law.
- Do not copy any sensitive information or source code from the site.
- Do not publicly disclose the vulnerability before we have resolved it and it has been publicly disclosed on hackerone.com.
6 Who is Eligible to Participate in this Program?
All HackerOne members are welcome in the program, except the following users:
- Residents of any countries/regions that are under United States sanctions, such as Cuba, Iran, North Korea, Sudan, and Syria.
- Current employees of Souq.com or a Souq.com subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee.
- A contingent staff member or vendor employee currently working with Souq.com and/or involved in any part of the administration and execution of this program.
Hall of Fame