Wildberries
Company: WildberriesWildberries is an international e-commerce and logistics platform. Since 2003, it has been developing a convenient site with a wide range of products and additional services, including fintech, travel, and digital distribution. The platform assists entrepreneurs in Russia and abroad in growing their businesses and finding customers. Every day, 270,000 Wildberries employees work to deliver over 10 million orders to their clients.
Rewards are paid to individual entrepreneurs and self-employed persons
Program description
Welcome to the Wildberries Bug Bounty Program!
If you’ve discovered a potential security issue in our products, we encourage you to report it to us in accordance with the guidelines below. We appreciate every researcher who helps us identify vulnerabilities and make Wildberries systems more secure.
General Rules
Participation in the program is open only to individuals who are either registered as individual entrepreneurs or use the special tax regime “Professional Income Tax” (self-employed).
The following are not eligible to participate:
- Current Wildberries employees
- Employees of partner companies
- Former Wildberries employees who left the company less than one year ago
Participants must maintain confidentiality regarding any discovered vulnerabilities. Disclosure of such information is permitted only with prior approval from Wildberries.
Scope
You are welcome to search for vulnerabilities across all our assets, including: *.wildberries.ru, *.wb.ru, *.paywb.com, *.paywb.ru, *.wb-bank.ru, *.wbwh.ru, *.wbbasket.ru, *.wbwh.tech, *.wbheld.ru.
Reward amounts are determined based on the criticality of the affected asset, according to the classification outlined below.
Tier 1
| Asset | Links | Description |
|---|---|---|
| Marketplace | 1. Web – www.wildberries.ru 2. iOS – AppStore 3. Android – Google Play, RuStore | An online store allowing users to browse, order, and purchase goods |
| Seller Portal | 1. Web – seller.wildberries.ru, cmp.wildberries.ru 2. WB API – https://dev.wildberries.ru/ 3. iOS – AppStore 4. Android – Google Play, RuStore | Platform for sellers to manage inventory, pricing, and customer interactions |
| Payment Gateway | Web – alpha.paywb.com, beta.paywb.com | Payment authorization and processing service |
| WB Bank | Web – wb-bank.ru | Banking services for customers, sellers, and franchisees |
| WB Finance | Web – finance.wb.ru | Remote banking services for legal entities |
Tier 2
| Asset | Links | Description |
|---|---|---|
| * | *.wildberries.ru, *.wb.ru, *.paywb.com, *.paywb.ru, *.wb-bank.ru, *.wbwh.ru, *.wbbasket.ru, *.wbwh.tech, *.wbheld.ru | All other assets not in Tier 1 |
Exclusions
The following white-label services are excluded from the testing scope:
- https://vmeste.wildberries.ru/rail
- https://vmeste.wildberries.ru/bus
- https://vmeste.wildberries.ru/ammp
- https://vmeste-hotels.wildberries.ru
- https://vmeste-tours.wildberries.ru
- https://edu.wildberries.ru
To confirm whether a given asset belongs to Wildberries, please check that its IP address is associated with one of the following ASNs:
- AS49053
- AS57073
- AS201513
- AS201512
Special Test Scenarios
The program includes special scenarios that are eligible for a maximum reward of 1,000,000 RUB.
Unauthorized Access to a Seller Account
The goal is to gain full access to the test seller account at https://www.wildberries.ru/seller/3941172, associated with the phone number +7 (993) 965-09-70, through the Wildberries Seller Portal at seller.wildberries.ru.
To qualify for this scenario, the following conditions must be met:
- You successfully obtain unrestricted access to all core features of the test seller's personal account,
- You provide a clear and complete reproduction guide, including the flag located in a hidden product card (Products → Product Cards → item tagged with “flag”)
- You demonstrate the ability to delete an existing product card: https://www.wildberries.ru/catalog/190622575/detail.aspx
Unauthorized Access to a Customer Account
Your objective is to gain full access to the test customer account associated with the phone number +7 (993) 965-09-70 on www.wildberries.ru.
To qualify for this scenario, the following conditions must be met:
- You successfully obtain unrestricted access to all core features of the test customer's personal account
- You provide a detailed step-by-step reproduction guide, including the name or details of a product listed in the “Favorites” section: https://www.wildberries.ru/lk/favorites
- You demonstrate the ability to change the account holder’s name to cjaJKxIYIFGTx2Ew
Unauthorized Financial Gain
This scenario aims to demonstrate the possibility of unauthorized financial gain resulting from the exploitation of vulnerabilities in Wildberries services.
To qualify for this scenario, the following conditions must be met:
- You achieve one of the following:
- Arbitrary crediting of funds to your own balance
- Unauthorized withdrawal of funds from another user’s balance or from the company’s internal accounts
- You provide a detailed reproduction guide, including a working exploit that demonstrates financial impact in the range of 1,000 to 2,500 RUB
- The vulnerability, if scaled, could result in direct financial damage to Wildberries exceeding 500,000 RUB
Only scenarios based on technical vulnerability exploitation are eligible for this category. The following are explicitly out of scope and will not be considered:
- Use of social engineering or phishing techniques
- Fraud schemes or manipulation of business logic unrelated to security flaws
- The presence of significant time or resource constraints (e.g., the need for a large number of accounts)
- Participation in promotional campaigns or any marketing activities
- Repetition of micro-gains to accumulate significant damage (e.g., a bug grants 5 rubles and is exploited a thousand times).
Testing Rules
- You may only use your own accounts or accounts of users who have explicitly given their consent for the purpose of participating in this program.
- Accessing third-party accounts or any confidential information without authorization is strictly prohibited.
- Any activity that could negatively impact Wildberries services, infrastructure, customers, or partners is forbidden. This includes, but is not limited to:
- Social engineering
- Phishing
- Denial-of-Service (DoS) attacks
- Physical tampering with infrastructure
- Proof of Concept (PoC) should be limited to the minimum necessary to demonstrate the issue. If the test may affect other users or system stability, you must contact Wildberries for prior approval. Further exploitation of vulnerabilities is strictly prohibited.
- Automated scanning tools must be throttled to a maximum of 10 requests per second.
Out-of-Scope Issues
We only accept reports that describe real security vulnerabilities. The following are examples of issues that are out of scope and will not be considered valid:
General exclusions
- Bugs or issues that are not related to security
- Low-likelihood or purely theoretical attacks without evidence of exploitability
- Disclosure of public or non-sensitive user information
- Use of outdated or potentially vulnerable software without a working exploit
- Phishing, social engineering, or any scenario that requires physical access to the victim
- Disclosure of technical or low-sensitivity data (e.g. product version, software stack)
- Raw output from vulnerability scanners or other automated tools
- The ability to upload malicious files without actual execution or impact
Web Application Exclusions
- Self XSS
- XSS and HTML injection on *.wbbasket.ru subdomains
- Vulnerabilities affecting only outdated or unsupported browser versions
- CSRF on non-critical actions
- Clickjacking
- Open Redirect without a clear attack vector (e.g., no token theft or credential leak)
- Publicly accessible metrics (e.g., Prometheus, pprof)
- Exposure of client-side API keys intended for public use (e.g., Dadata, Yandex Maps)
- Absence of recommended security mechanisms (e.g., HTTP security headers, cookie flags, CSRF protection)
- Weak or misconfigured TLS/SSL settings
- Lack of metadata stripping in uploadable files
- SSRF limited to DNS queries only
- Denial-of-service (DoS) attacks
- User enumeration
- Sending spam via email or push notifications
- Circumventing brute-force protections (e.g., by rotating IPs or bypassing CAPTCHA)
- Access to low-privilege or test accounts without meaningful impact
Mobile Application Exclusions
- Possibility of reverse-engineering the mobile app
- Lack of detection for rooted or jailbroken devices
- Absence of SSL certificate/key pinning
- Absence of protective flags in native libraries
- Vulnerabilities that require the presence of malware, root access, or a jailbroken device for exploitation
- Attacks that require man-in-the-middle (MITM) interception of someone else's traffic or physical proximity to another user's device (e.g., via NFC, Bluetooth, or Wi-Fi)
Report Requirements
Each report must describe a single vulnerability or a chain of related vulnerabilities and must include:
- A clear description of the vulnerability
- Step-by-step reproduction instructions
- An assessment of the potential impact (severity)
Additionally, the report must contain:
- The URL of the affected application
- The type of vulnerability
- Screenshots or video recordings that confirm the issue and demonstrate the reproduction steps
Failure to meet the minimum requirements may result in a reduced reward. If the report lacks sufficient information to verify the vulnerability, no reward will be issued.
Duplicate Reports
We reward only the first valid report for a given vulnerability — provided that it contains sufficient information to reproduce the issue. Any subsequent reports describing the same vulnerability will be marked as duplicates.
Reports involving similar attack vectors may also be considered duplicates if the security team determines that a single report provides enough information to fix all related issues.
A duplicate may refer to a submission from another researcher or from Wildberries' internal security team.
Publicly known 0-day or 1-day vulnerabilities may be considered duplicates if our team is already aware of them through public sources.
Reward Ranges
Rewards are issued only for previously unknown security vulnerabilities that meet all conditions outlined in this policy. The table below shows approximate reward ranges based on severity and asset tier:
| Severity | Tier 1 | Tier 2 |
|---|---|---|
| Critical | 200,000₽ – 500,000₽ | 100,000₽ – 250,000₽ |
| High | 60,000₽ – 200,000₽ | 30,000₽ – 100,000₽ |
| Medium | 20,000₽ – 60,000₽ | 10,000₽ – 30,000₽ |
| Low | 5,000₽ – 20,000₽ | 5,000₽ – 10,000₽ |
All reward decisions are made at the discretion of the Wildberries security team, based on severity, exploitability, business impact, and report quality.
News and Contact
Subscribe to our Telegram channel to stay updated on news, events, and contests. You can leave feedback or contact us for urgent matters via this form.