2020-07-21

Ozon

OZON is one of the biggest Russian online multicategory e-commerce platforms. We look forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe. We take security seriously and our bug bounty program is one of the major parts of this. We will be glad to see you among bug hunters. You can send us reports in English or Russian.

What security issues are best to look for?

We are interested in critical server-side application security flaws. Examples from the OWASP Top 10 are Injections, Broken Authentication, Sensitive Data Exposure, Broken Access Control and XXE; examples from the OWASP Mobile Top 10 are Improper Platform Usage, Insecure Data Storage, Insecure Communication (not for advertisement content or other content that doesn't contain sensitive information), Insecure Authentication, Insecure Authorization and Extraneous Functionality. Other types of security issues are also welcome, but only ones with Medium+ severity level are eligible for bounty for now. Reports will be rewarded according to their severity on a case-by-case basis as determined by our security team. We may pay more for unique, hard-to-find bugs. We may also pay less for bugs with complex prerequisites that lower the risk of exploitation.

Disclosure Policy

Program Rules

Common

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.

  • Bend, but do not break. When testing, use the minimal possible POC to validate a vulnerability; in cases when it may impact systems or users, ask permission first. No matter the case, do not damage a system or leave it in a more vulnerable state than when you uncovered it.

Specific

  • We are an e-commerce and marketplace service, so take this into account in your research. Be careful with ordering items because it affects our off-line services, e.g. goods reserving and shipping. Your actions should not lead to such results.

  • We use DDoS and malicious bot mitigation, WAF and other security services. WAF is disabled only for assets in the scope.

  • Please take into account that on the web server we check the Referer and Origin headers to protect the web application from CSRF attacks.

  • XSS issues in services that implement the "Content Security Policy" mechanism are considered "Low" severity issues. If the researcher demonstrates a bypass of CSP for the service, then the severity of the issue could be increased.

  • If your tests have a negative impact on an element of our service, we can take action to block your IP address without further notice. If you continue to perform prohibited actions on our platform, we will ban you from this program. In extreme cases we will take legal action against you.

  • Please keep all communication within the HackerOne program. Please do not directly contact our Customer Support or any OZON employee regarding the status of a submission. This will result in automatic disqualification for any reward, regardless of severity.

  • You must not be employed by OZON or its subsidiaries or related entities, currently or in the last 12 months.

Please, do not ⛔️

Following activities are prohibited:

  • Exploiting vulnerabilities beyond what is required to prove their existence

  • Performing actions that may negatively affect OZON or its customers (e.g. Spam, Brute force, Denial of Service). If you see that your tests have an impact on OZON, you must stop them and inform us about that

  • Conducting any kind of physical attack on OZON's personnel, property or data centers

  • Social engineering (e.g. phishing, vishing, smishing) of any OZON help desk, employee, contractor or user

  • Scans using automated tools are prohibited. Due to the nature of our e-commerce service, please do not use automated scanners without a narrow scoping. Automated scanners when run across the entire site result in spam in the comments, as well as purchasing items.

  • Username enumeration through login or password reset.

  • Invite/Promo and Gift card code enumeration

Out of scope vulnerabilities

When reporting vulnerabilities, please consider attack scenario / exploitability, and security impact of the bug. The following issues are considered out of scope:

  • Non-technical issues (e.g. fraud)

  • Theoretical attacks without proof of exploitability

  • Session expiration bugs. We are aware that sessions do not expire immediately after exit, and consider it an accepted risk

  • Clickjacking (yes, nobody likes it)

  • Self-XSS

  • Cross-Site Request Forgery (CSRF) issues. We implemented CSRF protection based on the SameSite cookie attribute plus identifying the source origin (via the Origin/Referer header)

  • Attacks requiring MITM or physical access to a user's device

  • Previously known vulnerable libraries without a working Proof of Concept

  • Comma Separated Values (CSV) injection without demonstrating a vulnerability

  • Missing best practices in SSL/TLS configuration

  • Yandex API key in our JS code - we know that it is here, and it has all currently possible limitations and restrictions

  • XSS on our CDN domains (like *.ozone.ru), even if it was uploaded through www.ozon.ru, unless you can prove that it can work in the context of www.ozon.ru

  • Any activity that could lead to the disruption of our service (DoS)

  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

  • Rate limiting or bruteforce issues on non-authentication endpoints

  • Missing best practices in Content Security Policy

  • Missing HttpOnly or Secure flags on cookies

  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

  • Vulnerabilities only affecting users of outdated or unpatched browsers

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

  • Tabnabbing

  • Open redirect - unless an additional security impact can be demonstrated

  • Issues that require unlikely user interaction

  • Possibility to register an account with a non-Russian mobile number: it's intended behaviour, we have clients in many countries

  • Spamming with OTP, emails etc.

  • We know about the risks of a short OTP code and have implemented compensating measures; further measures will be implemented later

  • DNS Lookup (External service interaction) to the domain in the Host header is not SSRF; it's standard behaviour of our Web Application Firewall, Imperva (formerly Incapsula)

Out of scope vulnerabilities for mobile applications

  • Decompile/reverse engineer an app, Frida-injections, code-tampering

  • SQL injection in content providers with no privilege boundary

  • Root detection (application does not detect if it is on a rooted device)

  • Issues that only occur on rooted/jailbroken devices or the emulator

  • Compromised devices

  • Phishing and social engineering attacks, attack scenarios requiring physical access to victim

  • App requesting excessive permissions

  • Hardware attacks

  • Developer mode bugs

  • Reports on non-eligible device versions

  • Tapjacking

  • Screenshot of the application contains sensitive data

  • Certificate pinning

  • Lack of binary protection, such as the absence of Stack Canary

  • Vulnerabilities requiring extensive user interaction

  • Exposure of non-sensitive data on the device

  • Vulnerabilities on third-party libraries without showing specific impact to the target application

  • Use of deprecated/banned API

  • Sensitive info in logs in staging/test builds

  • It is not a vulnerability if an app exports an activity, receiver, content provider, or service unless it can be used to gain unauthorized access to application data or functionality

  • Disclosure of API keys that do not give access to user data or do not lead to financial losses for the company

  • Weak cryptography that is used for code obfuscation and data in internal storage

Access & Credentials

All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Currently you will need at least a mobile phone number to register or log in.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep OZON and our users safe!

In Scope

Scope Type             Scope Name
android_application    ru.ozon.app.android
ios_application        407804998
web_application        www.ozon.ru
web_application        id.ozon.ru
web_application        job.ozon.ru

Out of Scope

Scope Type             Scope Name
android_application    ru.ozon.card
android_application    travel.ozon.mobile
ios_application        1451809471
ios_application        959592459
web_application        api.ozon.ru
web_application        *.ozone.ru
web_application        *.ozon.ru
web_application        *.ozon.travel
web_application        bank.ozon.ru


This program was found on HackerOne on 2020-07-21.
