Hall of Fame


100 $ 

eBay Kleinanzeigen


Dear hackers, after two amazing years, our program here on HackerOne will be closed at the end of November 2018. Until the 10th of November 2018 23:59 CET you will be able to submit reports. (Maybe even longer, but we cannot guarantee that.) After that we will only take care of already submitted reports until closing completely at the end of November. We still believe in the power of bug bounty programs and the synergies between hackers and companies and will provide you with an alternative program soon. We are sorry for the inconvenience this may cause. Thanks for making this experience so awesome!


eBay Kleinanzeigen (eBayK) is excited to be working with the hacker community in our inaugural bug bounty program. As such, we are starting small, and once we prove the value to our internal team and management, we will be expanding the program to include additional scope and increase our bounty amounts. We thank you for helping us as we ease into running a bug bounty program.

Responsible Disclosure Program

At eBay Kleinanzeigen we take user safety and the security of our services very seriously. We recognize the important role that security researchers and our community play in keeping our services and users safe. We have adopted the responsible disclosure program described here to encourage everyone to report security vulnerabilities. To recognize your efforts we offer a bounty for reporting certain qualifying security vulnerabilities. Please review the following rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.

In Scope

  • Please use the latest mobile app versions.
  • For old browsers or browser versions, eBay Kleinanzeigen might, at its discretion, not accept and thus not fix the vulnerability.

Responsible Disclosure

To keep our users’ data safe and our services stable, please follow these rules:

  • Use only test accounts to avoid compromising privacy of other users
  • Share the security issue with us without making it public
  • Allow us a reasonable amount of time (at least 180 days from where we receive your disclosure under this process) to respond to the issue before disclosing it to others.

Do not engage in security research that involves:

  • Potential or actual damage to users, systems, data or applications.
  • Use of an exploit...
    ...to view other users’ data
    ...that involves the corruption of data
    ...that conducts any activities that may disrupt our services.
  • The use of port scans on our network blocks or executing DDoS attacks.


If you think you have discovered a security vulnerability, please report it using the HackerOne reporting tool and provide the information requested there.

Please do not spam, e.g. don't send additional comments just to ping us, and don't tag people in this organization. There is no need for that and it only creates overhead for us. We handle all incoming reports one after another; it just takes some time. Sadly, there is no way for you to speed up this process.

Eligibility for Bounty

We are happy to thank everyone who submits valid reports which help us to improve the security of our services. However, only those that meet the following requirements may receive a bounty:

  • You must be the first person to report the vulnerability
  • The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above)
  • You may not publicly disclose the vulnerability prior to our resolution

Act in good faith. Our security team will assess each vulnerability report to determine if it qualifies for a bounty. A typical bounty will vary based on the probability and the damage impact of exploitation. Only one bounty per vulnerability (or with similar vulnerabilities in different areas, one bounty per type) will be rewarded.

Qualifying Vulnerabilities

The following security vulnerabilities are eligible for a bounty:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery
  • Server-Side Request Forgery
  • SQL Injection
  • Server-Side Remote Code Execution
  • XML Injection
  • Bypassing Authorization Mechanisms
  • Clickjacking

Non-Qualifying Vulnerabilities / Out of Scope:

The following security vulnerabilities are NOT eligible for a bounty:

  • Security vulnerabilities in third-party applications used in our application(s)
  • Security vulnerabilities in third-party websites that integrate with our application(s)
  • Stating that software is out of date/vulnerable without a proof of concept.
  • Issues related to the update of third-party software patches, with patch released within the last 3 months.
  • Vulnerabilities that can be exploited by an attacker to hack him/herself only, such as injecting malicious code in the authentication cookies
  • Security vulnerabilities requiring physical access to a user's device
  • Publicly accessible login masks
  • Denial of Service Vulnerabilities (DoS)
  • Spam or Social Engineering techniques
  • Brute force password cracking
  • Version disclosure of used software
  • Host header issues without PoC
  • Security improvement and best practice issues
  • Self-XSS that cannot be used to exploit other users
  • Abuse of website functionalities. (see other programs below)
  • Open redirects. (the majority of open redirects have low security impact)
  • Cross-site Request Forgery (CSRF) with minimal security implications (Logout CSRF, etc.)
  • Vulnerabilities reported by automated tools without additional PoC
  • Reports from vulnerability scanners without additional PoC
  • Open ports without additional PoC
  • API credentials
  • Usernames of employees
  • SSL/TLS implementation and configuration issues


If you give us reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you, unless we have reason to believe that you do not act in good faith.

If users/individuals do not adhere to the above-mentioned rules, we reserve the right to take appropriate (legal) measures and/or get law enforcement involved.

This Security Vulnerability Program is governed by German and European law.

Other Programs

If you are attempting to report spam or abuse please send an e-mail to:
Spam & Abuse -
