Ozon is one of the largest Russian e-commerce platforms. The OZON infrastructure has a large number of different services that we want to make safer. Any security researcher can help us with this by participating in our bug bounty program. We will be glad and grateful to all participants. You can send us reports in English or Russian.
www.ozon.ru
The program scope includes:
And also mobile apps:
Use the following guidelines for your reports:
Do not disclose any information on the report without the explicit approval from our Information Security Department.
The following research methods are forbidden:
In your reports, describe the attack scenario (how the vulnerability is exploited) and its impact on security. The following vulnerabilities are not part of the testing area:
All assets in the testing area are publicly available. If account data is needed, researchers may obtain it themselves in accordance with the Ozon legal documents that set the rules and procedure for registration in the Product.
Researchers' actions within the framework of this Bug Bounty program will be considered behavior sanctioned by Ozon, and we will neither initiate any legal action against you, nor complain to law enforcement authorities nor try to hold you legally accountable in any other way.
If we become aware that third parties take the above mentioned actions against you, we will make reasonable efforts to inform the third parties that your actions as a researcher comply with the terms of the program, and we do not have any claims against you.
Please note that the security guarantees above are applicable only if you fully comply with the terms of this Bug Bounty program. If you have any concerns about the rightfulness of your actions regarding the program terms and conditions, contact us for consultation.
Thank you for helping ensure security for Ozon and our users!
As a general rule, the remuneration you can receive as a researcher depends on the severity of the discovered vulnerability. In some cases (at Ozon's discretion), the remuneration may be adjusted upwards or downwards. For example, the payment may be increased if the report covers unique errors that are hard to find, or reduced if the reported vulnerability requires many specific conditions to be met or carries a low risk of exploitation.
To claim the remuneration for a discovered vulnerability, submit a report on the vulnerability to Ozon using the corresponding interface on the Standoff 365 Bug Bounty platform. The report is a detailed description of a specific vulnerability in an Ozon product discovered by you as a researcher. It must contain instructions for addressing the vulnerability or a description of how to fix it. Reports containing unverifiable hypotheses (i.e. ones that cannot be empirically confirmed), statements not based on facts, or proposed fixes that would require unreasonable expense to implement, etc., will not be considered.
After receiving the report, Ozon checks its compliance with the requirements and terms of this bug bounty program and the relevance of the presented vulnerability, evaluates the vulnerability's severity and the remediation measures submitted by the researcher, and then makes the final decision about the amount of the remuneration to be paid.
Please note that Ozon does not establish any requirements or terms for receiving remuneration other than those stipulated by this bug bounty program, and does not pay such remuneration directly. Payment is conducted exclusively by Ozon's partner and the owner of the Standoff 365 Bug Bounty platform – Positive Technologies joint-stock company (107061, Russia, Moscow, Preobrazhenskoye internal territorial city district, Preobrazhenskaya St, 8, office 60, PSRN 1127746201087). This means you should contact that entity directly; depending on the circumstances, the legal relations between you and it, and the provisions of applicable law, it may establish additional requirements and terms for receiving remuneration (for example, by requesting your banking details).
Current employees of Ozon and/or Ozon affiliates, as well as individuals performing services for Ozon and/or Ozon affiliates on the basis of relevant civil law agreements, are not allowed to participate in this bug bounty program. The stipulated restriction for such individuals remains for one year from the time of the termination of their relations with Ozon and/or Ozon affiliates.
Ozon may change the terms of this program, including terminating the program, at any time unilaterally at its discretion and without special notice. Such changes become effective from the moment the updated edition is published on the Standoff 365 Bug Bounty platform.
Violation of any terms of this bug bounty program by the researcher is an unconditional ground for termination of the researcher's participation in the program and refusal to pay the remuneration.