Being one of the biggest streaming service providers in Russia, Okko offers a vast collection of movies, shows, cartoons, TV channels, sports coverage, and more. Sharing Okko subscriptions is easy: users can create up to five profiles per account, for adults or kids. Each profile has its own personalized recommendations and watch history.
Program description

Our code of conduct

  • We respect the time and efforts of our researchers.
  • We will reply to you within 10 business days.
  • We aim to process the report within 20 business days of replying to your submission.
  • If we need more time to process the report, we will let you know.
  • We will define the reward amount within 10 business days of finishing triage.
  • We will do our best to keep you informed about our progress throughout the entire process.
 

Your code of conduct

  • Be an ethical hacker and respect the privacy of other users.
  • Avoid actions that might result in privacy violations, destruction of data, or interruption or degradation of our services.
  • After gaining initial access, you must not proceed with lateral movement or post-exploitation.
  • When testing web resources or API, set the User-Agent header in your HTTP requests. This will help to avoid the potential blocking of anomalous activity.
  • When registering an account for research purposes, include the word "Standoff" in the "Фамилия" (Last name) field value. This will help to avoid the potential blocking of the account.
  • When using automated security scanners, make sure they make no more than 15 requests per second to a single host (including all streams and scanners running simultaneously).
  • Carefully read the program terms and conditions before proceeding with your research.
  • Try to provide information about the discovered vulnerabilities promptly and accurately.
  • If you identify multiple security issues in Okko services, prepare a separate report for each vulnerability.
 

Scope

Primary targets

  • api.okko.tv
  • auth.okko.sport
  • auth.okko.tv
  • auth.playfamily.ru
  • auth.yotaplay.ru
  • auth2.playfamily.ru
  • cdp.playfamily.ru
  • config.tvgateway.ru
  • ctx.playfamily.ru
  • ctx.yotaplay.ru
  • drm.playfamily.ru
  • drm.yotaplay.ru
  • mimimi.okko.team
  • mimimi.okko.tv
  • nex.okko.team
  • okko.sport
  • okko.tv
  • ovpn.okko.team
  • payments.playfamily.ru
  • playbackstatus.playfamily.ru
  • player.okko.tv
  • stat.okko.sport
  • stat.okko.tv
  • stat.playfamily.ru
  • stat2.okko.tv
  • static.okko.tv
  • tvgateway.ru
  • vp.okko.tv

Secondary targets

  • *.okko.sport
  • *.okko.tv
  • *.playfamily.ru
  • *.tvgateway.ru
 
We do not guarantee rewards for vulnerabilities discovered in secondary targets.
If awarded, a bounty for a vulnerability found in a secondary target will be 30% less than the standard rate.
 

Rewards

All reports are considered on a case-by-case basis. We pay bounties only for the discovery of previously unknown vulnerabilities, provided that all participation rules are complied with. Bounty payouts are determined by our internal vulnerability management policy. We reserve the right to make the final decision on the severity of the discovered vulnerability and criticality of the affected component.
SeverityCriticalHighMediumLow
Maximum bounty₽400,000₽200,000₽50,000₽10,000
 

Report requirements

The report must be exhaustive and intelligible. It must include all the steps, commands, and dependencies necessary to reproduce the vulnerability. Provide detailed steps that specify what is vulnerable and how it can be exploited. You must also present evidence that backs up your findings, such as screenshots of requests and results or videos demonstrating the entire attack kill chain.
Be sure to describe the potential risks related to the vulnerability. We would appreciate it if you would also provide recommendations for remediation.
Since lateral movement is prohibited, vulnerabilities can be demonstrated with the following data:
  • SQL injection: database version.
  • XXE or XML injection: demonstration of XXE without DoS.
  • XSS: output of the alert or log message.
  • RCE: hostname, id, ifconfig.
  • SSRF: curl to the internal domain http://10.2.221.92:8080; the expected response is 302.
Any other actions must be coordinated with our security specialists.
 

Vulnerabilities

We prioritize the following critical vulnerabilities:
  • RCE
  • Injections
  • SSRF
  • LFI/RFI
  • XXE
 

No reward will be given for the following submissions:

  • Any malicious activities that may lead to denial of service (DoS).
  • Reports generated by security scanners or other automated tools.
  • Information about IP addresses, DNS records, and open ports.
  • Reports of issues and vulnerabilities based on the product version without demonstrating exploitation.
  • Reports of vulnerabilities whose exploitation is prevented by information security tools (such as WAF) without demonstrating how to bypass the security tools.
  • Reports of insecure SSL/TLS ciphers without demonstrating exploitation.
  • Reports of vulnerabilities already reported by other participants (duplicate reports).
  • 0-day or 1-day vulnerabilities publicly disclosed less than 30 days before the report submission.
  • 0-day or 1-day vulnerabilities with a CVSS score higher than 8 disclosed less than 21 days before the report submission.
  • 0-day or 1-day vulnerabilities with a CVSS score lower than 8 not related to architecture flaws.
  • Self-XSS and other vulnerabilities that do not directly affect users or application data.
  • Vulnerabilities that can only be exploited via browser versions released six or more months before the report submission or browser versions that are no longer supported.
  • Reports of cross-origin resource sharing (CORS) misconfigurations without demonstrating exploitation.
  • Disclosure of a username, email address, or phone number that exists in the system.
  • Disclosure of technical or non-sensitive information (such as product or software versions and stack traces).
  • Tabnabbing.
  • Clickjacking.
  • Reports of Content Security Policy (CSP) issues for domains without CSP and domain policies with 'unsafe-eval' and/or 'unsafe-inline'.
  • Attacks that rely on full access to a local account or browser profile.
  • Disclosure of sensitive user information via third-party resources that Okko has no control of (such as spyware).
  • Vulnerabilities with overly sophisticated, unrealistic, or unlikely user interaction scenarios.
  • Lack of best practices in DNS and mail service configuration (such as DKIM, DMARC, SPF, and TXT).
  • Broken or outdated links to social media pages and similar resources.
  • Ability to perform an action unavailable via the user interface without identifiable security risks.
  • Unlimited ability to create user accounts.
  • User enumeration.
  • Disclosure of publicly available user information.
  • Lack of notifications about important user actions.
  • Leakage of sensitive tokens (such as password reset tokens) to trusted third parties over a secure connection (HTTPS).
  • Issues not related to security. (Please report such issues to our technical support: https://help.okko.tv/)
  • Reports of missing protection mechanisms or best practices without demonstrating real security impact on the user or system. (Such reports will be considered as informative.) For example: missing HTTP security headers (CSP, HSTS, etc.), cookie security flags (HttpOnly, Secure, etc.), anti-CSRF tokens, or SSL certificates.
  • Authorization with a bruteforced Device ID.
 

Public vulnerability disclosure

Disclosure by mutual consent: you and Okko must discuss and agree upon the disclosure timing and other details.
 

Prohibited actions

You are not allowed to do the following:
  • Gain access to data belonging to another user without the user's permission, change or destroy the data, or disclose any sensitive information obtained inadvertently during the vulnerability testing process or exploit demonstration. Deliberate access to sensitive data is prohibited and can be deemed illegal.
  • Tamper with user accounts without their owners' permission.
  • Use detected vulnerabilities for personal purposes.
  • Use vulnerability testing tools that automatically generate large amounts of traffic and cause resource exhaustion attacks.
  • Conduct attacks that compromise integrity and availability of services (for example, DoS and brute-force attacks) or attempt to exploit a resource exhaustion vulnerability. If you find such a vulnerability, report it to the Okko security team for simulation of an attack in a test environment.
  • Perform physical attacks on Okko employees, data centers, or offices.
  • Spam or carry out social engineering attacks (phishing, vishing, and so on) against Okko customers, partners, or employees.
  • Analyze server infrastructure where web applications are hosted.
  • Disclose information about a vulnerability before public disclos
Launched April 2, 14:37
Edited October 8, 10:59
Program format
Vulnerabilities
Reward for vulnerabilities
up to ₽500K
Program statistics
₽1,171,000
Paid in total
₽34,441
Average payment
₽827,000
Paid in the last 90 days
73
Valid reports
81
Submitted reports
Description
Vulnerabilities
Ranking
Versions