11/07/2016

OLX

At OLX, we take security issues seriously. If you believe you've detected a vulnerability within our products we'd like to hear about it. We'll investigate all reports and do our best to fix these issues as soon as possible.

Scope

The scope of our program includes the following sites:

  • Poland: olx.pl, otodom.pl, otomoto.pl
  • Portugal: olx.pt
  • United Arab Emirates: dubizzle.com
  • South Africa: olx.co.za
  • Pakistan: olx.com.pk
  • India: olx.in
  • International: tradus.com

The sites in scope are listed above. Android/iOS apps related to these sites are also in scope. Vulnerabilities need to be documented so that they can be reproduced: send screenshots, code or video that helps us understand the issue.

Other OLX products from different countries are not included in scope.

What about public disclosure?

We're more than happy to publicly disclose your bug once it has been fixed by our developers.

Exceptions & Rules

Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed. Please do not mass create accounts to perform testing. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

The following are strictly prohibited:

  • Denial of Service attacks.
  • Physical attacks against offices and data centers.
  • Social engineering of our service desk, employees or contractors.
  • Compromise of OLX user or employee accounts.
  • Automated tools or scans, botnets, compromised sites, end clients or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.

Out of Scope/Non-qualifying vulnerabilities

These vulnerabilities are out of scope because we are already aware of them in some of our products and are actively working on them.

  • Outdated WordPress Plugins
  • Cross domain leakage
  • Information disclosure
  • Software version disclosure
  • Vulnerabilities which are already publicly known or variations of such
  • Missing HttpOnly and Secure cookie flags
  • SSL/TLS scan reports (this means output from sites such as SSL Labs)
  • Password and account recovery policies
  • Session timeout
  • Session Hijacking (cookie reuse)
  • Missing X-Frame-Options or X-Content-Type-Options headers
  • Autocomplete enabled on form fields
  • Account enumeration
  • Rate-limiting
  • XSS attacks via POST or headers
  • Self-exploitation (e.g. password reset links or cookie reuse against your own account)
  • Tabnabbing with partner links
  • Use of a known-vulnerable library (without proof of exploitability)
  • Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
  • Directory listing
  • Open redirects
  • Content Spoofing
  • Unrestricted file upload
  • Missing SPF/DKIM/DMARC records

Rewards

At this time, we are not awarding bounties or cash rewards for reported vulnerabilities.

FireBounty © 2015-2019