OZON is one of the largest Russian online multi-category e-commerce platforms. We look forward to working with the security community to find vulnerabilities in order to keep our business and customers safe. We take security seriously, and our bug bounty program is a major part of that. We will be glad to see you among our bug hunters. You can send us reports in English or Russian.
We are primarily interested in critical server-side application security flaws. Examples from the OWASP Top 10: Injection, Broken Authentication, Sensitive Data Exposure, Broken Access Control, XXE. Examples from the OWASP Mobile Top 10: Improper Platform Usage, Insecure Data Storage, Insecure Communication (not for advertisement content or other content that carries no sensitive information), Insecure Authentication, Insecure Authorization, Extraneous Functionality. Other types of security issues are also welcome, but for now only those of Medium or higher severity are eligible for a bounty. Reports are rewarded according to their severity on a case-by-case basis, as determined by our security team. We may pay more for unique, hard-to-find bugs, and less for bugs with complex prerequisites that lower the risk of exploitation.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Please use your own accounts to conduct your research. Do not try to gain access to others' accounts or any confidential information.
Bend, but do not break. When testing, use the minimal possible proof of concept to validate a vulnerability; where it may impact systems or users, ask permission first. In no case should you damage a system or leave it in a more vulnerable state than when you found it.
We are an e-commerce and marketplace service, so take that into account in your research. Be careful when ordering items, because orders affect our offline operations, e.g. reserving and shipping goods. Your actions must not lead to such results.
We use DDoS and malicious-bot mitigation, a WAF and other security services. The WAF is disabled only for assets in scope.
Please take into account that the web server checks the Referer and Origin headers to protect the web application from CSRF attacks.
XSS in services that implement a Content Security Policy is rated as Low severity. If the researcher demonstrates a CSP bypass for that service, the severity may be increased.
If your tests have a negative impact on any part of our service, we may block your IP address without further notice. If you continue to perform prohibited actions on our platform, we will ban you from this program. In extreme cases we will take legal action.
Please keep all communication within the HackerOne program. Please do not directly contact our Customer Support or any OZON employee regarding the status of a submission. This will result in automatic disqualification for any reward, regardless of severity.
You must not be employed by OZON or its subsidiaries or related entities, currently or within the last 12 months.
The following activities are prohibited:
Exploiting vulnerabilities beyond what is required to prove their existence
Performing actions that may negatively affect OZON or its customers (e.g. spam, brute force, denial of service). If you see that your tests are impacting OZON, you must stop them and inform us
Conducting any kind of physical attack on OZON's personnel, property or data centers
Social engineering (e.g. phishing, vishing, smishing) of any OZON help desk, employee, contractor or user
Unscoped automated scanning. Due to the nature of our e-commerce service, do not run automated scanners without narrow scoping: a scanner run across the entire site spams the comments and purchases items.
Username enumeration through login or password reset.
Invite/Promo and Gift card code enumeration
When reporting vulnerabilities, please consider the attack scenario, exploitability and security impact of the bug. The following issues are considered out of scope:
Non-technical issues (e.g. fraud)
Theoretical attacks without proof of exploitability
Session expiration bugs. We are aware that sessions do not expire immediately after logout and consider this an accepted risk
Clickjacking (yes, nobody likes it)
Cross-Site Request Forgery (CSRF) issues. Our CSRF protection is based on the SameSite cookie attribute plus identification of the source origin (via the Origin/Referer header)
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Yandex API key in our JS code - we know it is there, and it carries all currently available limitations and restrictions
XSS on our CDN domains (like *.ozone.ru), even if the payload was uploaded through www.ozon.ru, unless you can prove it executes in the context of www.ozon.ru
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS
Rate limiting or bruteforce issues on non-authentication endpoints
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
The possibility of registering an account with a non-Russian mobile number: this is intended behaviour, as we have clients in many countries
Spamming with OTP, emails etc.
We know about the risks of short OTP codes and have implemented compensating measures; further measures will be implemented later
A DNS lookup (external service interaction) against the domain in the Host header is not SSRF; it is standard behaviour of our web application firewall, Imperva (formerly Incapsula)
Decompiling/reverse engineering an app, Frida injection, code tampering
SQL injection in content providers with no privilege boundary
Root detection (application does not detect if it is on a rooted device)
Issues that only occur on rooted/jailbroken devices or the emulator
Phishing and social engineering attacks, attack scenarios requiring physical access to victim
App requesting excessive permissions
Developer mode bugs
Reports on non-eligible device versions
Screenshots of the application containing sensitive data
Lack of binary protection, such as the absence of Stack Canary
Vulnerabilities requiring extensive user interaction
Exposure of non-sensitive data on the device
Vulnerabilities on third-party libraries without showing specific impact to the target application
Use of deprecated/banned API
Sensitive info in logs in staging/test builds
An app exporting an activity, receiver, content provider or service is not a vulnerability unless the export can be used to gain unauthorized access to application data or functionality
Disclosure of API keys that do not give access to user data or do not lead to financial losses for the company
Weak cryptography used for code obfuscation and for data in internal storage
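The CSRF defence this policy describes in two places (the note that the web server checks the Referer and Origin headers, and the out-of-scope entry on SameSite cookies plus source-origin identification) is worth seeing as code, because the usual bypasses hide in the details: substring matching on the host name, trusting a request that carries neither header, or forgetting that a browser can send the literal string `null` as the Origin. The following is an added example written for this page, not OZON's code; `ALLOWED_ORIGINS`, the function names and the sample requests are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Assumption (not from the policy): the application is served only from this
# origin. Origins are compared as whole strings, never by prefix or substring.
ALLOWED_ORIGINS = frozenset({"https://www.ozon.ru"})

# Only state-changing methods need CSRF protection; GET/HEAD/OPTIONS must be
# side-effect free anyway.
UNSAFE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def normalize_origin(url: str) -> Optional[str]:
    """Reduce an absolute URL or Origin value to 'scheme://host[:port]'.

    Returns None for anything that is not a parsable http(s) URL. The host is
    lower-cased and default ports are dropped, so 'https://WWW.ozon.ru:443/x'
    and 'https://www.ozon.ru' compare equal.
    """
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on a junk port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_same_site_request(method: str, headers: Mapping[str, str],
                         allowed=ALLOWED_ORIGINS) -> bool:
    """Source-origin CSRF check: accept a state-changing request only when its
    Origin (preferred) or Referer (fallback) names an allowed origin.

    `headers` is assumed to be a mapping with canonical header names; a real
    framework hands over a case-insensitive mapping.
    """
    if method.upper() not in UNSAFE_METHODS:
        return True
    origin = headers.get("Origin")
    if origin is not None:
        # Browsers send the literal string "null" for opaque origins
        # (sandboxed iframes, data: URLs, some redirects); treat it as foreign.
        if origin == "null":
            return False
        return normalize_origin(origin) in allowed
    referer = headers.get("Referer")
    if referer is not None:
        return normalize_origin(referer) in allowed
    # Neither header: a cross-site form post from a browser always carries
    # Origin, so a request with no source information is rejected, not trusted.
    return False


def session_cookie_header(name: str, value: str) -> str:
    """Build the Set-Cookie value for a session cookie with SameSite=Lax,
    Secure and HttpOnly: the other half of the defence the policy describes."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"  # a cross-site POST will not carry the cookie
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample requests for illustration, not captured traffic.
    samples = [
        ("GET", {}),
        ("POST", {"Origin": "https://www.ozon.ru"}),
        ("POST", {"Origin": "https://www.ozon.ru:443"}),
        ("POST", {"Origin": "https://www.ozon.ru.evil.example"}),
        ("POST", {"Origin": "null"}),
        ("POST", {"Referer": "https://www.ozon.ru/cart?step=2"}),
        ("POST", {"Referer": "http://www.ozon.ru/"}),
        ("POST", {}),
    ]
    for method, hdrs in samples:
        print(method, hdrs, "->", is_same_site_request(method, hdrs))
    print(session_cookie_header("sid", "abc123"))
```

The comparison is on the whole normalized origin, not a prefix: `https://www.ozon.ru.evil.example` as an Origin and `https://evil.example/?https://www.ozon.ru` as a Referer both contain the trusted host name and both are rejected, while `https://www.ozon.ru:443` is accepted because the default port is dropped before comparison. A plain `http://` Referer is rejected as well, since scheme is part of the origin. With SameSite=Lax on the session cookie, a cross-site POST never carries the session at all, so the header check is a second layer rather than the only one.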
All in-scope target applications are publicly accessible. Credentials can be self-provisioned as needed. Currently you will need at least a mobile phone number to register or log in.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep OZON and our users safe!
|Scope Type||Scope Name|
This program was found on HackerOne on 2020-07-21.