Ozon

Accepted languages:

• English
• Russian

Program Rules

 

Program Scope

The program scope includes:

• www.ozon.ru — customer storefront;
• seller.ozon.ru — seller account;
• id.ozon.ru — SSO and authentication service;
• *.finance.ozon.ru — all Ozon Bank domains and subdomains;
• job.ozon.ru — job vacancy website;
• job-api.ozon.ru — API for job vacancy website;
• api-seller.ozon.ru — API for seller,

• pvz.ozon-dostavka.ru — order and pick-up point management tool,
• chatzone.o3team.ru — corporate messenger (desktop and mobile app),
• performance.ozon.ru — seller advertising account,
• dev.ozon.ru — resource for developers using public Ozon API.

And also mobile apps:

• Customer app (Android, iOS);
• Seller app (Android, iOS);
• Bank app (Android, iOS)
• App for pick-up point employees (Android, iOS)
• Corporate messenger — landing page with information on all apps in the bug bounty software scope

General

Use the following guidelines for your reports:

• the report should fully describe the reproduction of the vulnerability;
• one report should describe one vulnerability, except for vulnerabilities of the same reason;
• if the reports are identical, only the first received report will get the reward (if it can be fully reproduced);
• if several vulnerabilities of the same cause are discovered, the reward is paid only once.
• avoid breaches of confidentiality, data erasure, as well as interruption or deterioration of our business processes. Use only your accounts or the accounts for the use of which you have an explicit permission from their owners;
• use your own accounts for your research. Do not try getting access to other accounts or any other confidential information;
• use the lowest possible PoC (Proof of Concept) for checking vulnerabilities when testing; if it may affect the systems or users, please contact us first. At all events, do not interrupt the operation of the system and do not leave it more vulnerable than it was before your research.

Vulnerability information disclosure policy

Do not disclose any information on the report without the explicit approval from our Information Security Department.

Forbidden research methods

The following research methods are forbidden:

• using vulnerabilities more than it is necessary to prove they exist;
• actions that may negatively affect Ozon or its clients (for example, spam, brute-force, Denial of Service-type attacks );
• any physical pressure on the Ozon staff, property or data centers.
• social engineering applied to the Ozon staff, contractors or users;
• scanning with automatic tools. Due to the character of our e-commerce service, do not use automatic scanners without narrow application field. Automatic scanners applied to the whole website may cause spam in comments and purchase of products;
• brute-forcing usernames through login or password reset;
• brute-forcing invitation/promotion and gift card codes.

 

Vulnerabilities outside testing area

For your reports, describe the scenario of the attack/ exploitation of the vulnerability and its influence on the security. The following vulnerabilities are not part of the testing area:

• non-technical vulnerabilities (for example, fraud);
• theoretic attacks, if the exploitation possibilities cannot be proved;
• clickjacking;
• Self-XSS;
• attacks requiring MITM or physical access to the user device;
• report on using a vulnerable library without proof of influence;
• Comma Separated Values (CSV) injections without vulnerability demonstration;
• failure to implement best practices for SSL/TLS communications settings;
• disclosure of limited API keys in a JS code;
• XSS on CDN domains (*.ozone.ru), if it is not stated that XSS is operating in the scope of *.ozon.ru;
• any activity that may cause DOS (denial of service);
• vulnerability with content substitution and text injection without showing the attack vector/without possibility to change HTML/CSS;
• rate-limit vulnerabilities or bruteforce attacks on the resources without authentication;
• failure to implement best practices in Content Security Policy;
• no secure Cookie flags;
• failure to implement best practices when setting up email boxes (incorrect, partial or lacking SPF/DKIM/DMARC records or other);
• vulnerabilities concerning only users of old browser versions;
• disclosure of software versions, error description display, stacktrace, etc.;
• remuneration for public Zero-day vulnerabilities fixed less than 1 month ago, will be considered individually for each case;
• tabnabbing;
• open redirect – if the effect on the security is not demonstrated;
• vulnerabilities requiring active user interaction;
• spam using OTP, emails or other communication means;
• DNS Lookup (External service interaction).

Vulnerabilities outside the testing area for mobile apps

• possibility of mobile app decompiling/reverse, Frida-injection, code changes;
• no limits in the mobile app operation on a device with root/jailbreak;
• vulnerabilities that may be applied only on devices with root/jailbreak/enabled developer mode;
• phishing, social engineering and scenarios requiring physical access to the attacked device;
• requests for excessive permissions;
• tapjacking;
• screenshots with sensitive information from the app;
• no SSL pinning of certificates/keys;
• no native libraries secure flags, such as Stack Canary;
• disclosure of non-sensitive information on the device;
• vulnerabilities in dependencies without obvious influence on the security of the target app;
• exported activity, reciever, service are not considered vulnerabilities, if they do not cause unauthorized access to the app data or its functions;
• disclosure of API keys that do not cause user data leakage or financial damage to the company;
• use of “weak” cryptography/security measures for obfuscation of the add and data in the internal storage of the app.

 

Access and account data

All assets from the testing area are publicly available. The account data may be obtained by the researchers themselves if necessary according to the Ozon legal documents that impose rules and order of registration in the Product.

 

Security assurance

Researchers' actions within the framework of this Bug Bounty program will be considered behavior sanctioned by Ozon, and we will neither initiate any legal action against you, nor complain to law enforcement authorities nor try to hold you legally accountable in any other way.

If we become aware that third parties take the above mentioned actions against you, we will make reasonable efforts to inform the third parties that your actions as a researcher comply with the terms of the program, and we do not have any claims against you.

Please note that the security guarantees above are applicable only if you fully comply with the terms of this Bug Bounty program. If you have any concerns about the rightfulness of your actions regarding the program terms and conditions, contact us for consultation.

Thank you for helping ensure security for Ozon and our users!

Remuneration for researchers and legal terms

As a general rule, the remuneration you can get as a researcher depends on the danger level of the discovered vulnerability. But in some cases (by Ozon decision), the remuneration may be changed upwards or downwards. For example, the payment may be increased if the information presented covers unique errors that are hard to research, or reduced if the information covers vulnerabilities that require a lot of specific conditions for fulfilling or low risk of exploitation of this vulnerability.

To claim the remuneration for a discovered vulnerability, submit a report on the vulnerability to Ozon using the corresponding interface on the Standoff 365 Bug Bounty platform. The report is a detailed description of a specific vulnerability in an Ozon product discovered by you as a researcher. It must contain instruction on addressing the vulnerability or description how to fix it. Reports with unverifiable (i.e. those that cannot be empirically verified) hypotheses, statements that are not based on the facts, or ways to fix the vulnerabilities that need unreasonable expenses to implement, etc. are not subject to consideration.

After receiving the report, Ozon checks its compliance with the requirements and terms of this bug bounty program and relevance of the presented vulnerability, evaluates the level of its danger and measures to eliminate the vulnerability submitted by the researcher, and then makes the final decision about the amount of the remuneration to be paid.

Please note that Ozon does not establish any other requirements or terms for receiving remunerations except for those stipulated by this bug bounty program, and does not perform direct payment of such remuneration. These actions are conducted exclusively by Ozon partner and owner of the Standoff 365 Bug Bounty platform – Positive Technologies joint-stock company (107061, Russia, Moscow, Preobrazhenskoye internal territorial city district, Preobrazhenskaya St, 8, office 60, PSRN 1127746201087). This means, one should contact directly the person or entity that depending on the circumstances, legal relations between you and provisions of the applicable law, may establish additional requirements and terms for receiving remunerations (for example, by requesting your banking details).

Current employees of Ozon and/or Ozon affiliates, as well as individuals performing services for Ozon and/or Ozon affiliates on the basis of relevant civil law agreements, are not allowed to participate in this bug bounty program. The stipulated restriction for such individuals remains for one year from the time of the termination of their relations with Ozon and/or Ozon affiliates.

Ozon may change the terms of this program, which includes terminating the program at any time unilaterally at its discretion and without special notice. Therewith the changes become effective from the moment the updated edition is placed on the Standoff 365 Bug platform.

Violation of any terms of this bug bounty program by the researcher is an unconditional ground for termination of the researcher's participation in the program and refusal to pay the remuneration.