Dear hackers, after two amazing years, our program here on HackerOne will be closed end of November 2018. Until the 10th of November 2018 23:59 CET you will be able to submit reports. (Maybe even longer, but we cannot guarantee that). After that we will only take care of already submitted reports until closing completely on the end of November. We still believe in the power of bug bounty programs and the synergies between hackers and companies and will provide you with an alternative program soon. We are sorry for the inconvenience this may cause. Thanks for making this experience so awesome!
eBay Kleinanzeigen (eBayK) is excited to be working with the hacker community in our inaugural bug bounty program. As such, we are starting small, and once we prove the value to our internal team and management, we will be expanding the program to include additional scope and increase our bounty amounts. We thank you for helping us as we ease into running a bug bounty program.
At eBay Kleinanzeigen we take user safety and the security of our services very serious. We recognize the important role that security researchers and our community play in keeping our services and users safe. We have adopted the responsible disclosure program described here to encourage everyone reporting security vulnerabilities. To recognize your efforts we offer bounty for reporting certain qualifying security vulnerabilities. Please review the following rules before you report a vulnerability. By participating in this program, you agree to be bound to these rules.
To keep our user’s data safe and our services stable please follow the following rules
...to view other users’ data
...that involves the corruption of data
...that conducts any activities that may disrupt our services.
If you think you have discovered a security vulnerability, please report it using the HackerOne reporting tool and provide the there requested information.
Please do not spam e.g. don't send additional comments just for giving us a ping and don't tag people in this organization. There is no need for that and it only creates overhead for us. We handle all incoming reports after each other, it just takes some time. Sadly, there is no way for you to fasten this process.
We are happy to thank everyone who submits valid reports which help us to improve the security of our services. However, only those that meet the following requirements may receive a bounty
Act in good faith. Our security team will assess each vulnerability report to determine if it qualifies for a bounty. A typical bounty will vary based on the probability and the damage impact of exploitation. Only one bounty per vulnerability (or with similar vulnerabilities in different areas, one bounty per type) will be rewarded.
The following security vulnerabilities are eligible for a bounty:
The following security vulnerabilities are NOT eligible for a bounty:
If you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you, unless we have reason to believe that you do not act in good faith.
If users/individuals do not adhere to the above mentioned rules, we reserve the right to take appropriate (legal) measures and/or get law enforcement involved.
These Security Vulnerability Program is governed by German and European law.
If you are attempting to report spam or abuse please send an e-mail to:
Spam & Abuse - firstname.lastname@example.org
Contact us if you want more information.