Ozon
Company: Ozon
Ozon is one of the largest Russian e-commerce platforms. The OZON infrastructure has a large number of different services that we want to make safer. Any security researcher can help us with this by participating in our bug bounty program. We will be glad and grateful to all participants. You can send us reports in English or Russian.
www.ozon.ru
Rewards are paid to individual entrepreneurs and self-employed persons
Program description
Accepted Languages:
- English
- Russian
Program Rules
Traffic Identification
To tag traffic generated during security research on our resources, include the header X-Bug-Bounty: <your nickname on the platform>. This can help resolve any disputes.
Program Scope
The primary scope of the program includes all resources under the following domains:
- *.ozon.ru
- *.finance.ozon.ru — all domains and subdomains of "Ozon Bank"
- *.o3t.ru
- *.o3team.ru
- *.ozon-dostavka.ru
- *.o3.ru
And the following mobile applications:
- Buyer app (Android, iOS);
- Seller app (Android, iOS);
- Bank app (Android, iOS)
- Pickup Point employee app (Android, iOS)
- Corporate messenger — landing page with information about all apps in scope
- All apps by Internet Solutions LLC on Google Play
- All apps by OZON.ru on the App Store
- Apps listed on the corporate apps page
Extended Scope
The program also covers resources under the following domains (hereafter referred to as the extended scope):
- *.ozonpartners.ru
The maximum bounty for the extended scope is 200,000 (two hundred thousand) rubles.
General Guidelines
When submitting reports, follow these guidelines:
- The report must include a full reproduction guide for the described vulnerability.
- Each report should describe one vulnerability, except for vulnerabilities with the same root cause.
- In case of duplicates, only the first valid report (fully reproducible) will be rewarded.
- For multiple vulnerabilities with a shared root cause, a single reward will be granted.
- Avoid violating confidentiality, destroying data, or disrupting business processes. Only interact with your own accounts or those explicitly authorized by their owners.
- Use your own accounts for testing. Do not attempt to access others' accounts or any sensitive information.
- Use minimal Proof-of-Concept (PoC) to verify vulnerabilities. If testing might impact systems or users, contact us first. Never leave systems in a more vulnerable state than before testing.
Vulnerability Disclosure Policy
Do not disclose any information about reports without explicit consent from our security team.
Prohibited Research Methods
The following activities are strictly prohibited:
- Exploiting vulnerabilities beyond what is necessary to prove their existence.
- Actions harming Ozon or its users (e.g., spam, brute-force attacks, DoS).
- Physical attacks on Ozon personnel, property, or data centers.
- Social engineering targeting employees, contractors, or users.
- Automated scanning tools are prohibited unless narrowly targeted. Avoid broad scans that may trigger spam or unintended purchases.
- Brute-forcing usernames via login/password reset.
- Brute-forcing invitation/promo codes or gift cards.
Out-of-Scope Vulnerabilities
Reports must describe the attack scenario and security impact. The following vulnerabilities are out of scope:
- Non-technical vulnerabilities (e.g., fraud);
- Theoretical attacks without exploitation proof;
- Clickjacking;
- Self-XSS;
- Attacks requiring MITM or physical device access;
- Reports referencing vulnerable libraries without demonstrated impact;
- CSV injections without exploitation proof;
- SSL/TLS misconfigurations (unless critical);
- Limited-scope API keys exposed in JS code;
- XSS on CDN domains (*.ozone.ru) unless proven to affect *.ozon.ru;
- Any activity causing DoS;
- Content spoofing/text injection without attack vectors or HTML/CSS alteration;
- Rate-limiting/brute-force on unauthenticated resources;
- Rate-limiting vulnerabilities without additional impact;
- Content Security Policy (CSP) misconfigurations;
- Missing security flags on cookies;
- Email security misconfigurations (e.g., SPF/DKIM/DMARC);
- Vulnerabilities affecting only outdated browsers;
- Software version disclosures, error descriptions, or stack traces;
- Zero-day vulnerabilities patched < 1 month ago (reviewed case-by-case);
- Tabnabbing;
- Open redirects without demonstrated impact;
- Vulnerabilities requiring active user interaction;
- OTP/email spam;
- Spam via comments, reviews, messages, etc.;
- DNS lookup/external service interactions.
Mobile-Specific Out-of-Scope Vulnerabilities
- Decompilation/reverse engineering, Frida injections, or code modifications;
- Missing root/jailbreak detection;
- Vulnerabilities only applicable on rooted/jailbroken devices or in developer mode;
- Phishing, social engineering, or scenarios requiring physical device access;
- Excessive permission requests;
- Tapjacking;
- Task hijacking;
- Screenshots containing sensitive app data;
- Missing SSL pinning;
- Missing stack canary in native libraries;
- Non-sensitive device data leaks;
- Dependency vulnerabilities without direct app impact;
- Exported activities/receivers/services unless enabling unauthorized data/function access;
- API key leaks unless leading to data breaches or financial loss;
- Weak cryptography/app obfuscation in internal storage.
Access & Credentials
All assets in scope are publicly accessible. Credentials must be obtained in compliance with Ozon’s legal terms.
Safe Harbor
Research conducted under this program is authorized. Ozon will not pursue legal action or involve law enforcement for compliant testing. If third parties take such actions, we will reasonably advocate that your actions were authorized.
Note: Safe harbor applies only if all program rules are followed. If unsure about compliance, contact us for guidance. Thank you for helping secure Ozon and our users!
Rewards & Legal Terms
Maximum Reward Amounts
| Vulnerability | Max Bounty |
|---|---|
| RCE* | 1,000,000₽ |
| LFI, RFI, XXE | 600,000₽ |
| SQLi | 600,000₽ |
| SSRF (non-blind) | 600,000₽ |
| SSRF (blind) | 100,000₽ |
| IDOR | 150,000₽ |
| IDOR with sensitive data leaks or critical business impact | 600,000₽ |
| XSS (non-self) | 400,000₽ |
| CSRF | 100,000₽ |
| Other | Case-by-case |
*— RCE in code-execution services must demonstrate security threats (e.g., sandbox escape).
Legal Terms
Rewards depend on severity but may vary based on Ozon’s discretion (e.g., higher for unique findings, lower for low-risk or niche vulnerabilities).
To claim a reward, submit a detailed report via the Standoff 365 Bug Bounty platform. Reports must include reproduction steps and mitigation suggestions. Unverifiable claims or impractical fixes are ineligible.
Ozon reviews reports for compliance, validates the vulnerability, assesses its severity, and determines the final reward.
Note: Ozon does not disburse rewards directly; payouts are handled by Standoff 365’s owner, Positive Technologies (AO «Позитивные Технологии»). Contact them for payout details.
Current Ozon employees/affiliates or contractors are ineligible (applies until 1 year post-engagement).
Ozon reserves the right to modify or terminate the program unilaterally without notice. Violations disqualify participants and forfeit rewards.