Rules for us

• We respect the time and effort of researchers;
• We respond within 5 business days;
• We process reports within 10 business days after initial response;
• We may extend processing times, but you will be informed about any delays;
• We determine the reward amount within 10 business days after processing;
• We do our best to keep you updated on our progress throughout the review.

Rules for creating entities to avoid disturbance for site users

Scope

• ati.su
• job.ati.su
• trace.ati.su
• userdata.ati.su
• billing.ati.su
• api.ati.su
• help.ati.su
• tm.ati.su
• id.ati.su
• d.ati.su
• tenders.ati.su
• trucks.ati.su
• r1.ati.su
• files.ati.su
• loads.ati.su
• faq.ati.su
• about.ati.su
• news.ati.su
• adv.ati.su
• chat.ati.su
• academy.ati.su
• zen.ati.su
• iOS - "ATI Cargo and Transport" version 221 (2.17.0) and later
• Android - "ATI Cargo and Transport" version 221 (2.17.0) and later

What Vulnerabilities to Look For?

• Remote Code Execution (RCE)
• Injections (SQL, XML, LDAP, etc.)
• LFR/LFI/RFI
• Server-Side Request Forgery (SSRF)
• Insecure authentication/authorization, session management
• Authorization bypass and account takeover
• Business logic vulnerabilities (including fraud schemes related to system flaws)
• Sensitive information leakage to third-party services
• IDOR, privilege escalation, and other access control vulnerabilities
• Disclosure of sensitive information or personal data

What Not to Submit?

• Ability to perform actions that are unavailable through the UI without identified security risks
• Disclosure of non-sensitive information such as product version, server file path, stack trace, etc.
• Issues unrelated to security (for non-security issues, contact via technical support email at bb@ati.su)
• Reports about potential DDoS attacks
• Information about IP addresses, DNS records, and open ports
• Disclosure of private IP addresses or domains pointing to private IP addresses
• Vulnerability scanner reports and other automated tool outputs
• Reports about publicly accessible login panels
• Clickjacking
• Root and jailbreak detection bypass
• Reports about mobile application reverse engineering possibility
• Leakage of confidential tokens (e.g., password reset token) to trusted third parties over secure connections (HTTPS)
• Previously known vulnerable libraries without working proof of concept
• Attacks requiring MITM on another's connection or physical proximity to another's device (e.g., NFC, Bluetooth, Wi-Fi attacks, and shoulder surfing)
• Unlikely or theoretical attacks without proof of concept
• Reports without detailed impact description

What Is Not Eligible for Rewards and will be closed as "Informative"?

• Vulnerabilities requiring browser versions released 6+ months prior to report submission (or no longer supported)
• Self-XSS
• XSS in unpopular browsers (e.g., IE, browser versions older than 6 months)
• Flash-based XSS
• XSS without impact on sensitive data
• CORS misconfiguration*
• Use of outdated or potentially vulnerable third-party software*
• Fraud or theft-related attacks
• DoS-type attacks*
• Insecurely configured TLS or SSL*
• Disclosure of username, email, or phone number existence in the system
• Full Path Disclosure
• Disclosure of technical or non-sensitive information* (e.g., product version, software used, stack traces)
• Missing security mechanisms or best practices without demonstrating real impact on user or system security* (e.g., security HTTP headers, cookie security flags, or CSRF protection)
• Open Redirect without additional attack vector (e.g., authorization token theft)
• Content spoofing on pages
• Tabnabbing
• Vulnerabilities requiring complex or unlikely user interaction scenarios
• Vulnerabilities requiring malware, root access, or jailbreak on the device for exploitation
• Missing best practices in DNS and mail service configuration (DKIM/DMARC/SPF/TXT)
• Ability to send emails without content control and without restrictions
• 0-day or 1-day vulnerabilities with official patches released less than two weeks agoтАФreward payment is at the discretion of ATI.SU security specialists and reviewed individually
• Broken links to social media pages or unclaimed social media links and similar pages
• Ability to create user accounts without restrictions
• User enumeration
• Disclosure of public user information
• Missing notifications for important user actions
• PDF document scripting

What Is TEMPORARILY Not Eligible for Rewards and will be closed as "Informative"?

• All XSS found in the forums.ati.su domain
• CSRF in any ati.su domain or subdomain
• Any vulnerabilities in the "Special Offers from Partners" section (https://ati.su/partners, https://ati.su/partner-page)
• Any vulnerabilities in the "Insurance" section (https://ati.su/landings/insurances/, https://ati.su/Insurances/)
• Any vulnerabilities in the "Forums" section (https://forums.ati.su/forum/)
• Any vulnerabilities in the "Claims and Recommendations" section (https://ati.su/Reliability/RecommendsAndClaims.aspx, https://ati.su/Reliability/AddClaim.aspx)
• Any vulnerabilities in the Distance Calculation API (https://ati.su/Content.aspx?Path=RoutesServiceDescription, https://ati.su/RoutesService.asmx, https://ati.su/Content.aspx?Path=tc_promo)
• Any vulnerabilities in the "Certificates" section (https://ati.su/Landings/RatingCertificate)
• All vulnerabilities related to authorization token creation or usage in all mobile applications
• Any vulnerabilities related to user pop-up alerts and "bell" notifications
• Any vulnerabilities related to the UPD editor
• Any vulnerabilities found in the following sections:
  • files.ati.su/res/
  • files.ati.su/thumbs/
  • api.ati.su/webapi/filestorage/
  • api.ati.su/webapi/avatars/
  • api.ati.su/mobile/v1.0/filestorage/
  • api.ati.su/v1.0/filestorage/
  • api.ati.su/webapi/atidocs/filestorage/
  • api.ati.su/v1.0/atidocs/filestorage/
  • api.ati.su/v2/mobile/avatars
  • d.ati.su/api/next/filestorage/

What Is TEMPORARILY Not Eligible for Rewards in Android and iOS Applications and will be closed as "Informative"?

• Application can run on jailbroken or rooted devices - That is intentional.
• Possibility of SSL pinning
• Migration of third-party service keys to more secure storage
• Possible app crashes/ANR
• The cleartextTrafficPermitted flag in the manifest and HTTP usage in WebView
• Any vulnerabilities related to authorization tokens

Participation Rules

• By participating in our Bug Bounty program, you confirm that you have read and agreed to the "Participation Rules." Violation of the rules may result permanent ban or ;
• Reports submitted by current or former employees (up to one year after termination) of ATI.SU are accepted without reward eligibility;
• Any activity that could harm company applications, infrastructure, clients, or partners such as denial-of-service attacks and physical interference with infrastructure are prohibited;
• Social engineering attacks such as phishing, vishing, smishing are prohibited;
• It is permitted to Interact only with accounts you own or accounts that you have explicit permission from the account owner. If additional accounts are required, such as privilege escalation or Atis** crediting, contact us for assistance;
• If confidential information is accessed during exploitation, it cannot be stored, transmitted, or processed in any other way after initial discovery. All copies of confidential information must not be retained and must be returned to ati.su;
• Always limit exploitation to the minimum proof of concept necessary to demonstrate the vulnerability;***
• Do not attempt to access ati.su accounts, data, or other users' accounts after exploiting other vulnerabilities. Report your findings, and request permission for additional testing;
• Use the minimum impact for Proof of Concept to confirm a vulnerability. If it may affect other users or system availability, contact us for permission;
• Follow the command execution demonstration rules specified below in this program;
• Submit reports in Russian language only.

Traffic Identification

RCE Testing Policy

• Executing commands: ifconfig (ipconfig), hostname, whoami, id
• Reading contents of /etc/passwd and /proc/sys/kernel/hostname (drive:/boot.ini, drive:/install.ini)
• Creating an empty file in the current user's directory
  Any other actions require prior approval from our security specialists.

SQL Injection Testing Policy

• Retrieving current database information (SELECT database()), its version (SELECT @@version), current user (SELECT user(), SELECT system_user()), or hostname (SELECT @@hostname)
• Retrieving database schema (SELECT table_schema), table list (SELECT table_name), and column names (SELECT column_name)
• Executing mathematical, conversion, or logical queries (including SLEEP) without extracting data (except those listed above)
  Any other actions require prior approval from our security specialists.

File Upload and Read Policy

• Modifying, deleting, or replacing any files on the server (including system files), except those associated with your account or an account whose owner has explicitly consented
• Uploading files that may cause denial of service (e.g., large files)
• Uploading malicious files (e.g., malware or spyware)
  When gaining arbitrary file read access, all actions are prohibited except reading files such as /etc/passwd and /proc/sys/kernel/hostname (drive:/boot.ini, drive:/install.ini). Any other actions require prior approval from our security specialists.

Vulnerability Rewards

Vulnerability Severity Determination

• Privilege level required to execute the attack
• Difficulty of discovery and exploitation
• User interaction requirement
• Impact on integrity, availability, and confidentiality of affected data
• Business and reputational risk impact
• Number of affected users
• Please note that our site uses two account types: verified and unverified (detailed information here). Under this program, vulnerabilities related to unverified accounts are assessed at a reduced coefficient since some security measures don't apply to them.

• Contact email: BB@ati.su
• Rewards are paid only if our security specialists verify that all conditions are met and the identified vulnerability is significant.
• The paid reward amount is final and not subject to negotiation.

FAQ

How to Write a Good Report?

• Vulnerability description
• Reproduction steps
• Severity analysis
• Clear impact description
• Remediation recommendations
• Vulnerable application URL
• Type of vulnerability discovered
• Screenshots or video confirming the vulnerability and demonstrating reproduction steps
• Formatted request example from BurpSuite (or any other POC)
• Code snippets in some cases

How Are Duplicates Handled?