Ozon

Accepted Languages:

• English
• Russian

Program Rules

Traffic Identification

Program Scope

• *.ozon.ru
• *.finance.ozon.ru — all domains and subdomains of "Ozon Bank"
• *.o3t.ru
• *.o3team.ru
• *.ozon-dostavka.ru
• *.o3.ru

• Buyer app (Android, iOS);
• Seller app (Android, iOS);
• Bank app (Android, iOS)
• Pickup Point employee app (Android, iOS)
• Corporate messenger — landing page with information about all apps in scope
• All apps by Internet Solutions LLC on Google Play
• All apps by OZON.ru on the App Store
• Apps listed on the corporate apps page

Extended Scope

• *.ozonpartners.ru
  The maximum bounty for the extended scope is 200,000 (two hundred thousand) rubles.

General Guidelines

• The report must include a full reproduction guide for the described vulnerability.
• Each report should describe one vulnerability, except for vulnerabilities with the same root cause.
• In case of duplicates, only the first valid report (fully reproducible) will be rewarded.
• For multiple vulnerabilities with a shared root cause, a single reward will be granted.
• Avoid violating confidentiality, destroying data, or disrupting business processes. Only interact with your own accounts or those explicitly authorized by their owners.
• Use your own accounts for testing. Do not attempt to access others' accounts or any sensitive information.
• Use minimal Proof-of-Concept (PoC) to verify vulnerabilities. If testing might impact systems or users, contact us first. Never leave systems in a more vulnerable state than before testing.

Vulnerability Disclosure Policy

Prohibited Research Methods

• Exploiting vulnerabilities beyond what is necessary to prove their existence.
• Actions harming Ozon or its users (e.g., spam, brute-force attacks, DoS).
• Physical attacks on Ozon personnel, property, or data centers.
• Social engineering targeting employees, contractors, or users.
• Automated scanning tools are prohibited unless narrowly targeted. Avoid broad scans that may trigger spam or unintended purchases.
• Brute-forcing usernames via login/password reset.
• Brute-forcing invitation/promo codes or gift cards.

Out-of-Scope Vulnerabilities

• non-technical vulnerabilities (e.g., fraud);
• theoretical attacks without proof of exploitability;
• clickjacking;
• self-XSS;
• attacks requiring MITM or physical access to the user's device;
• reporting vulnerable libraries without demonstrated security impact;
• Comma Separated Values (CSV) injection without vulnerability demonstration;
• failure to follow best practices for SSL/TLS configuration;
• exposure of public API keys, telemetry tokens (Sentry DSN, logging API keys, etc.) or build artifacts in JS code/config files (git variables, debug components, etc.) — without demonstrated security impact;
• XSS on our CDN domains (*.ozone.ru), unless proven to work in the context of *.ozon.ru;
• any actions affecting service availability, including: DoS attacks (including due to missing rate-limit), flood, bruteforce, load testing, resource exhaustion, uploading large files to exhaust disk space or memory, sending resource-intensive API requests aimed at depleting server computing resources;
• content injection vulnerabilities and text insertion without showing an attack vector/without the ability to modify HTML/CSS;
• rate-limit vulnerabilities or bruteforce attacks on unauthenticated resources;
• failure to follow Content Security Policy best practices;
• missing security flags on Cookies;
• failure to follow best practices for email configuration (incorrect, incomplete, or missing SPF/DKIM/DMARC records, etc.);
• vulnerabilities affecting only users with outdated browser versions;
• software version disclosure, error message description, stacktrace, and similar;
• tabnabbing;
• open redirect — without demonstrated security impact;
• vulnerabilities requiring active user interaction;
• OTP, email, or other communication spam;
• spam via comments, reviews, questions, messages, and other user-generated content;
• DNS Lookup (External service interaction);
• Prompt injection and other vulnerabilities allowing manipulation of LLM response content:
  • deviant behavior: discrimination, distortion of well-known facts, providing incorrect or incomplete information;
  • system prompt or user context extraction without disclosing critical technical details;
  • hallucinations: situations where LLM seemingly exposes personal data or executes code, when no actual information disclosure occurs;
• rewards for public Zero-day vulnerabilities fixed less than 7 days ago will be considered on a case-by-case basis.

Mobile-Specific Out-of-Scope Vulnerabilities

• Decompilation/reverse engineering, Frida injections, or code modifications;
• Missing root/jailbreak detection;
• Vulnerabilities only applicable on rooted/jailbroken devices or in developer mode;
• Phishing, social engineering, or scenarios requiring physical device access;
• Excessive permission requests;
• Tapjacking;
• Task hijacking;
• Screenshots containing sensitive app data;
• Missing SSL pinning;
• Missing stack canary in native libraries;
• Non-sensitive device data leaks;
• Dependency vulnerabilities without direct app impact;
• Exported activities/receivers/services unless enabling unauthorized data/function access;
• API key leaks unless leading to data breaches or financial loss;
• Weak cryptography/app obfuscation in internal storage.

Access & Credentials

Safe Harbor

Rewards & Legal Terms

Maximum Reward Amounts

Legal Terms