Overstock.com encourages you to responsibly report any security issues you're able to identify on Overstock.com!
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.
This program only awards points for VRT based submissions.
| Target name | Type |
| --- | --- |
| www.overstock.com | Website |
| <https://api.overstock.com> | Other |
| Overstock Android Mobile App | Other |
| Overstock iOS Mobile App | Other |
| cars.overstock.com | Website |
| pets.overstock.com | Website |
| *.overstock.com | Other |
| Target name | Type |
| --- | --- |
| financehub.overstock.com | Website |
| investors.overstock.com | Website |
| blog.overstock.com | Website |
| help.overstock.com | Website |
| miq.overstock.com | Other |
| snow.overstock.com | Website |
| hotels.overstock.com | Website |
Any domain/property of Overstock not listed in the targets section is out of scope. This includes any/all subdomains not listed above.
Please note this is a production environment.
Mobile Downloads:
This webapp allows users to search for pets to adopt with other related functionality.
The Contact Seller form is sent to third parties and is out of scope.
This is a webapp that allows users to search for cars, among other functionalities, but doesn't have any authenticated components.
Of note, the "contact dealer" and "get quote" functionality are off domain, and thus out of scope.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
Contact us if you want more information.