Welcome to the Wildberries Bug Bounty Program! If you have information about security vulnerabilities in our products, please report it to us following the rules listed below. We greatly appreciate those who uncover vulnerabilities in Wildberries' systems and help us improve our security.
General rules
Participants are required to maintain confidentiality regarding vulnerability information. Disclosure of this information is only permitted with prior agreement from Wildberries.
The following individuals are not allowed to participate:
- Wildberries employees
- Employees of partner companies
Scope
Vulnerabilities in the following resources can be reported: *.wildberries.ru, *.wb.ru, *.paywb.com, *.paywb.ru, *.wb-bank.ru, *.wbwh.ru, *.wbbasket.ru, *.wbwh.tech, *.wbheld.ru. The payout amount is determined by the criticality of the resource, as outlined in the classification below.
Tier 1
Tier 2
Resource | Links | Description |
---|---|---|
WB Bank | Web - wb-bank.ru | A service providing banking solutions for customers, sellers, and franchisees |
"Vsem Rabota" Portal | Web - executors.vsemrabota.ru | A platform for self-employed individuals to accept tasks from the company and its partners |
WB Suppliers | Web - ssp.wildberries.ru | A service for suppliers to manage documents and access various tools |
WB Digital | Web - digital.wildberries.ru | An online store for buying and selling digital goods |
Call Center | Web - callcenter.wildberries.ru, callcenter.wb.ru, portal-cc.wildberries.ru | Support portal for interacting with users |
WB Team | Web - team.wb.ru | An app designed for company employees |
WB Рядом | iOS - https://apps.apple.com/ru/app/wb-%D1%80%D1%8F%D0%B4%D0%BE%D0%BC/id6467810106?l=en-GB ; Android - https://play.google.com/store/apps/details?id=ru.wildberries.wbcityshopping&pcampaignid=web_share | An app for receiving discounts and cashback at partner retail locations |
Tier 3
Resource | Links | Description |
---|---|---|
* | *.wildberries.ru, *.wb.ru, *.paywb.com, *.paywb.ru, *.wb-bank.ru, *.wbwh.ru, *.wbbasket.ru, *.wbwh.tech, *.wbheld.ru | Everything else not included in Tier 1 and Tier 2 |
Exclusions
The scope of resources for testing does not include a number of white-label services, such as:
To confirm that a resource belongs to Wildberries, check whether its IP address is announced by one of the following ASNs:
AS49053
AS57073
AS201513
AS201512
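A small scope helper, added here as an example and not Wildberries' own tooling, that applies the two checks above: it matches a hostname against the wildcard domains listed under "Scope" on whole DNS labels (so `wildberries.ru.attacker.example` is rejected), and it checks an IPv4 address's origin ASN against the four ASNs listed, using the Team Cymru IP-to-ASN DNS format (a TXT record at `<reversed-ip>.origin.asn.cymru.com`). The DNS lookup is injected as a function so the parsing can be exercised offline; the TXT responses embedded below are constructed samples on documentation prefixes, not real routing data. It also assumes that an apex domain such as `wildberries.ru` is covered by its own wildcard entry, which the program text does not state explicitly.

```python
"""Scope helper for the Wildberries program rules above (added example)."""
import ipaddress
from typing import Callable, Iterable, Optional

IN_SCOPE_WILDCARDS = (
    "*.wildberries.ru", "*.wb.ru", "*.paywb.com", "*.paywb.ru", "*.wb-bank.ru",
    "*.wbwh.ru", "*.wbbasket.ru", "*.wbwh.tech", "*.wbheld.ru",
)
WB_ASNS = frozenset({49053, 57073, 201513, 201512})


def host_in_scope(host: str, wildcards: Iterable[str] = IN_SCOPE_WILDCARDS) -> bool:
    """True if host is the apex (assumption) or a subdomain of any wildcard entry.

    Comparison is on whole labels: 'wildberries.ru.example.com' and
    'notwildberries.ru' are rejected; case and a trailing dot are ignored.
    """
    h = host.strip().lower().rstrip(".")
    for pattern in wildcards:
        base = pattern.lower().lstrip("*.")  # '*.wb.ru' -> 'wb.ru'
        if h == base or h.endswith("." + base):
            return True
    return False


def cymru_query_name(ip: str) -> str:
    """DNS name to query for an IPv4 origin-ASN lookup (Team Cymru format)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + ".origin.asn.cymru.com"


def parse_cymru_txt(txt: str) -> set:
    """Parse a Cymru origin TXT record into the set of origin ASNs.

    Format: '49053 | 203.0.113.0/24 | RU | ripencc | 2015-01-01'. A prefix
    with several origins lists them space-separated in the first field.
    """
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) < 2:
        raise ValueError(f"unexpected TXT format: {txt!r}")
    return {int(asn) for asn in fields[0].split()}


def ip_in_wb_asn(ip: str, lookup_txt: Callable[[str], Optional[str]],
                 allowed: frozenset = WB_ASNS) -> bool:
    """True if the origin ASN of ip is one of Wildberries' ASNs.

    lookup_txt receives the DNS name and returns the TXT record text, or
    None when there is no record (unrouted or private address space).
    """
    txt = lookup_txt(cymru_query_name(ip))
    if txt is None:
        return False
    return bool(parse_cymru_txt(txt) & allowed)


# Constructed sample responses (documentation prefixes, not real routing data)
# so the check runs offline. 64496 is a reserved example ASN.
_SAMPLE_TXT = {
    "1.113.0.203.origin.asn.cymru.com": '"49053 | 203.0.113.0/24 | RU | ripencc | 2015-01-01"',
    "7.2.0.192.origin.asn.cymru.com": '"64496 | 192.0.2.0/24 | RU | ripencc | 2015-01-01"',
}


def sample_lookup(name: str) -> Optional[str]:
    """Offline stand-in for a real TXT query."""
    return _SAMPLE_TXT.get(name)


if __name__ == "__main__":
    for host in ("ssp.wildberries.ru", "wildberries.ru.attacker.example"):
        print(host, host_in_scope(host))
    for ip in ("203.0.113.1", "192.0.2.7", "198.51.100.9"):
        print(ip, ip_in_wb_asn(ip, sample_lookup))
```

For a live check, replace `sample_lookup` with a function that issues the TXT query (for example, what `dig +short TXT 1.113.0.203.origin.asn.cymru.com` returns) and feed its text to the same parser. Note that hostname matching and ASN membership are separate tests: a name under an in-scope wildcard can still resolve to a third-party CDN or white-label provider, which is exactly the case the ASN check is meant to catch.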
Special Test Scenarios
Within the program, there is a special scenario for the seller's portal that offers a maximum payout of 500 000 rubles.
Criteria for completion:
- Full access without any restrictions to the functionality of the test seller's personal account
- Detailed description of the reproduction steps with the provision of a flag from an unpublished product card ("products" - "product cards" - "product with the tag flag")
- Demonstration of deleting an existing product card (https://www.wildberries.ru/catalog/190622575/detail.aspx)
Testing Rules
- Only use your own accounts or accounts of users who have explicitly agreed to such actions for the purpose of participating in the program.
- Access to third-party accounts or any confidential information is prohibited.
- Any activity that may harm Wildberries services, its infrastructure, clients, or partners is prohibited. Prohibited activities include, but are not limited to, social engineering, phishing, denial-of-service attacks, and physical damage to the infrastructure.
- To confirm the presence of a vulnerability, use the minimum possible proof of concept (PoC). If it may affect other users or system functionality, participants must contact Wildberries for permission. Further exploitation of the vulnerabilities is strictly prohibited.
- Automated scanning must be limited to 10 requests per second.
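One way to keep an automated scanner inside the 10 requests per second limit above, added here as an example and not Wildberries' code: a token-bucket throttle with an injectable clock and sleep function, so the pacing can be verified without real time passing. The default `burst=1` spaces every request 0.1 s apart; a larger burst still averages 10 rps but lets the first few requests go out at once, which is the looser reading of the rule.

```python
"""Request throttle for automated testing (added example)."""
import time
from typing import Callable


class RateLimiter:
    """Token bucket: `rate` tokens per second, at most `burst` stored tokens."""

    def __init__(self, rate: float = 10.0, burst: int = 1,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.rate, self.burst = rate, burst
        self._clock, self._sleep = clock, sleep
        self._tokens = float(burst)
        self._last = clock()

    def _refill(self) -> None:
        now = self._clock()
        self._tokens = min(self.burst, self._tokens + (now - self._last) * self.rate)
        self._last = now

    def acquire(self) -> float:
        """Block until a token is available; return the seconds waited."""
        self._refill()
        waited = 0.0
        if self._tokens < 1:
            waited = (1 - self._tokens) / self.rate
            self._sleep(waited)
            self._refill()
        self._tokens -= 1
        return waited


class FakeClock:
    """Deterministic clock: sleep() advances time instead of waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def simulate(n_requests: int, rate: float = 10.0, burst: int = 1) -> float:
    """Fire n requests back to back against a fake clock; return elapsed seconds."""
    clk = FakeClock()
    limiter = RateLimiter(rate=rate, burst=burst, clock=clk, sleep=clk.sleep)
    for _ in range(n_requests):
        limiter.acquire()
    return clk.now


if __name__ == "__main__":
    # Real use: one limiter shared by all worker threads, acquire() before each request.
    limiter = RateLimiter(rate=10.0)
    for i in range(3):
        waited = limiter.acquire()
        print(f"request {i}: waited {waited:.3f}s")
    print("30 requests take", round(simulate(30), 3), "s of simulated time")
```

Share a single limiter across all worker threads (wrap `acquire` in a lock if several threads call it concurrently); a per-thread limiter multiplies the effective rate by the thread count and breaks the rule.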
Program Exclusions
We only accept reports that contain information about real security issues. Below are examples of exceptions to our program that are not considered valid vulnerabilities.
General Exclusions:
- Non-security issues
- Unlikely or theoretical attacks without proof of feasibility
- Disclosure of public user information
- Use of outdated or potentially vulnerable software
- Phishing, social engineering, and scenarios requiring physical access to the victim
- Disclosure of technical or non-sensitive information (e.g., product version or software used)
- Scanner output or scanner-generated reports, including any automated or active exploit tool
- Ability to upload malicious software
Web Application Exclusions:
- Self XSS
- XSS and HTML injections on wbbasket.ru subdomains
- Vulnerabilities affecting only users of outdated browser versions
- CSRF for non-critical actions
- Clickjacking
- Open Redirect without an additional attack vector (e.g., authorization token theft)
- Publicly accessible metrics endpoints (e.g., Prometheus and pprof)
- Disclosure of API keys intended for client use (e.g., dadata, Yandex maps)
- Lack of recommended protection mechanisms (e.g., HTTP security headers, cookie security flags, or CSRF protection)
- Insecurely configured TLS or SSL
- Lack of metadata cleaning in saved files
- SSRF with DNS request only
- DOS attacks
- User Enumeration attacks
- Spam through email or PUSH notifications
- Bypassing brute-force protection mechanisms (e.g., IP address rotation, captcha recognition)
- Access to test accounts without privileges
Mobile Application Exclusions:
- Reverse engineering of mobile applications
- Lack of root or jailbreak detection in the mobile app
- Lack of certificate or public-key pinning
- Lack of compiler hardening flags in native libraries
- Vulnerabilities requiring the presence of malicious software, root permissions, or jailbreak on the device
- Attacks requiring MITM of someone else's connection or physical proximity to another person's device (e.g., attacks via NFC, Bluetooth, or Wi-Fi)
Report Requirements
The report should contain a description of one vulnerability or a chain of related vulnerabilities and should include:
- Description of the vulnerability
- Steps to reproduce
- Severity analysis
The report should also include:
- List of URLs and affected parameters
- Vulnerability type
- Screenshots or videos confirming the presence of the vulnerability and demonstrating the reproduction steps
Failure to meet the minimum requirements may result in a reduction of the reward amount. If a report lacks sufficient data to verify the existence of a vulnerability, no reward is paid.
Handling Duplicates
We pay rewards only for the first report received (provided it contains all necessary information to reproduce the vulnerability). Any subsequent reports on the same vulnerability are marked as duplicates. Reports containing similar attack vectors may also be considered duplicates if the security team believes that information from one report is sufficient to fix all registered issues. A report may be a duplicate of another researcher's report or of an issue already known to the internal security team.
Publicly known 0-day or 1-day vulnerabilities may be considered duplicates if they are known to our team from public sources.
Reward Sizes
Rewards are paid to participants only for discovering security issues previously unknown to the company and for complying with all the conditions specified in the program. Below is a table comparing the severity level and the reward amount:
Severity | Tier 1 | Tier 2 | Tier 3 |
---|---|---|---|
Critical | 200 000 ₽ - 500 000 ₽ | 100 000 ₽ - 250 000 ₽ | 50 000 ₽ - 125 000 ₽ |
High | 60 000 ₽ - 200 000 ₽ | 30 000 ₽ - 100 000 ₽ | 15 000 ₽ - 50 000 ₽ |
Medium | 20 000 ₽ - 60 000 ₽ | 10 000 ₽ - 30 000 ₽ | 5 000 ₽ - 15 000 ₽ |
Low | 5 000 ₽ - 20 000 ₽ | 5 000 ₽ - 10 000 ₽ | 5 000 ₽ |
The reward amount is determined individually by Wildberries in each case, taking into account the criteria outlined in the program and within the specified range.