2016-07-11
2019-08-21

OLX

At OLX, we take security issues seriously. If you believe you've detected a vulnerability within our products, we'd like to hear about it. We'll investigate all reports and do our best to fix these issues as soon as possible.

Scope

The scope of our program includes the following sites:

  • Poland: olx.pl, otodom.pl, otomoto.pl
  • Portugal: olx.pt
  • United Arab Emirates: dubizzle.com
  • South Africa: olx.co.za
  • Pakistan: olx.com.pk
  • India: olx.in
  • International: tradus.com

You can review OLX sites in the scope section. Android/iOS apps related to these sites are also included in the scope. Vulnerabilities need to be documented in a way that allows them to be reproduced. Send screenshots, code, or video that help us understand the issue.

Other OLX products from different countries are not included in scope.

What about public disclosure?

We're more than happy to publicly disclose your bug once it has been fixed by our developers.

Exceptions & Rules

Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed. Please do not mass create accounts to perform testing. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

The following are strictly prohibited:

  • Denial of Service attacks.
  • Physical attacks against offices and data centers.
  • Social engineering of our service desk, employees or contractors.
  • Compromise of OLX users' or employees' accounts.
  • Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic.

Out of Scope/Non-qualifying vulnerabilities

These vulnerabilities are out of scope since we're currently aware of them in some of our products and are actively working on them.

  • WordPress/cPanel vulnerabilities
  • Software version disclosure
  • HttpOnly and Secure cookie flags
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Password strength policies
  • Session timeout
  • Session hijacking (cookie reuse)
  • Missing security headers
  • Autocomplete
  • Account enumeration
  • Rate limiting (for non-authentication flows)
  • Self-XSS attacks
  • Self-exploitation (i.e. password reset links or cookie reuse)
  • Tabnabbing with partner links
  • Use of a known-vulnerable library (without proof of exploitability)
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Directory listing
  • Open redirects
  • Content spoofing
  • Missing SPF/DKIM/DMARC records

Rewards

At this time, we are not awarding bounties or cash rewards for reported vulnerabilities.

This program was found on HackerOne on 2016-07-11.

FireBounty © 2015-2024
