Allegro Security Page Content
At Allegro.pl sp. z o.o. (hereinafter referred to as “Allegro”), we take
seriously and we are committed to protecting our customers. Allegro believes that
working with skilled security researchers across the globe is crucial in
weaknesses. If you believe you have found a security issue in our product or
encourage you to notify us.
By joining the program, you agree that you have read, understood the
provisions set forth in scope, and agree to observe them.
In this program you can only test our staging environment on
Do not test our production environment on .allegro.pl or .allegrogroup.com.
Attacking our production platform can result in your account being banned from this program.
On the HackerOne platform there is a private Allegro.pl program where researchers can
test our production environment. If our cooperation goes well, we will consider
inviting you to our private program.
Here you can find information on how to create an account with permissions
to sell products: https://developer.allegro.pl/en/about/#Sandbox
Eligibility & Disclosure Policy
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- Follow HackerOne's disclosure guidelines.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- You must be the first reporter of a vulnerability associated with a participating service (we will also not reward a known vulnerability which we are actively fixing).
- You must have personally discovered the vulnerability and you may not report a vulnerability that was discovered by another person (including, in particular, someone who does not qualify to participate in the Bug Bounty Program).
- You must not be employed by Allegro or its subsidiaries or related entities, currently or in the last 12 months.
- You must comply with these rules when discovering the vulnerability and submitting the vulnerability report.
- All user data gathered during the testing phase must be anonymised in the report and deleted from your laptop and any other devices.
- Allegro is not legally obliged to pay the bounty.
What is forbidden:
- Huge scans using automated tools are strictly prohibited. If your tests have a negative impact on an element of our platform, we can block your IP address without further notice. If you continue to perform prohibited actions on our platform, we will ban you from this program. In extreme cases we will take legal action against you.
- Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit authorization from Allegro
- Disclosing the contents of any submission to our program without explicit authorization from Allegro
- Accessing private information of any person stored on an Allegro product or service – you must use test accounts
- Accessing sensitive information (e.g. credentials)
- Performing actions that may negatively affect Allegro or its customers (e.g. spam, brute force, denial of service); if you see that your tests are impacting Allegro, you must stop them and inform us about it
- Conducting any kind of physical attack on Allegro’s personnel, property or data centers
- Social engineering (e.g. phishing, vishing, smishing) of any Allegro help desk, employee, contractor or user
- Conducting vulnerability testing of participating services using anything other than test accounts
- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify if the vulnerability would enable data exfiltration, and will reward respectively)
- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities
Out of scope vulnerabilities
- Bugs in content/services that are not owned/operated by Allegro
- Vulnerabilities affecting users of outdated or unsupported browsers or platforms
- Cross Site Scripting bugs requiring an unlikely amount of user interaction
- CSRF on forms available to anonymous users
- Missing CAPTCHA
- Password complexity or account recovery policies
- Username / email enumeration
- HTTPS Mixed Content
- Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages, cookie flags, lack of CSP
- SSL Forward Secrecy
- Invalid or missing SPF (Sender Policy Framework) records
- Weak SSL/TLS Cipher Suites
- Sending vulnerability reports using automated tools without validation
- Use of a known-vulnerable library without evidence of exploitability
- Attacks requiring physical access to a user's unlocked device
- Reports of spam, phishing or security best practices
- Please keep any and all information obtained as a result of participation in the program in strict confidence and not disclose it; moreover, you shall take necessary precautions while storing this information notwithstanding the form in which it was provided (“Confidential Information”);
- You shall use the Confidential Information obtained as a result of participation in the program only within the scope required for such participation and shall take appropriate measures in order to keep this Confidential Information secret and prevent it from being disclosed to third parties;
- You shall be held liable for any direct and indirect damage that Allegro will incur as a result of disclosure of Confidential Information, including without limitation any actual damage, lost profits, and any other costs incurred to enforce claims that Allegro may have for the violation hereof;
The Fine Print
It’s important to mention that we use the OWASP Risk Methodology, which is
slightly different from the CVSS used on the HackerOne platform. In calculating the severity
of a report we mainly take into account the likelihood of exploiting the issue, not
just the technical impact.
We may modify the terms of this program or terminate this program at any time.
We won’t apply any changes we make to these program terms retroactively.
If you have any other questions about the Sandbox environment or about our
API, you can ask them in our forum:
Thank you for helping keep Allegro and our users safe!
This program was found on HackerOne on 2019-10-15.