Flowwow is a flower and gift marketplace that brings together over 16,000 local sellers. The platform specializes in fast delivery of flowers, cakes, sweets, and a variety of gifts from stores in 1,200 cities across Russia and around the world.
Rewards are paid to individual entrepreneurs and self-employed persons
Program description

PROGRAM

Flowwow's mission is to bring joy through flowers, sweets, and local brand merchandise even from a distance, connecting thousands of local brands and hundreds of thousands of customers. We strive to provide not only convenience but also maximum security for everyone who trusts us with their orders and data.
We understand that no system is perfect, and that's why we launched the Bug Bounty program. We believe in the power of community and invite talented researchers from around the world to partner with us to strengthen the platform's security.
Your help is invaluable in creating a secure environment for millions of users. Join the program and help us find and fix vulnerabilities before they can cause harm.

TRAFFIC IDENTIFICATION RULES

During testing, traffic generated by program participants may be classified as malicious. For this reason, the use of a VPN is necessary; see https://api.standoff365.com/api/bug-bounty/program/docs/2a2ba9bc-60fd-4b6b-956e-38eef48749d4

SCOPE

 
https://flowwow.com/ – the company's main domain;
apis.flowwow.com – third-level domain;
envio.flowwow.com – third-level domain;
api2.flowwow.com – third-level domain;
api-shop.flowwow.com – third-level domain;
api-email.flowwow.com – third-level domain;
clientweb.flowwow.com – third-level domain.
Mobile apps, iOS:
Flowwow: Flowers & Gifts – https://apps.apple.com/us/app/flowwow-flowers-gifts/id1201155481
Hoog – https://apps.apple.com/ru/app/hoog-system-accounting/id1670351411
Hoog is an ERP system that helps retailers manage basic inventory and optimize their business processes.
Mobile apps, Android:
Google Play – Flowwow: Flowers and Gifts https://play.google.com/store/apps/details?id=com.flowwow&hl=ru&pli=1
Google Play – Flowwow Seller: for sellers https://play.google.com/store/apps/details?id=com.fwapp&hl=ru
Google Play – Hoog: accounting system https://play.google.com/store/apps/details?id=com.hoog.prod
Google Play – Flowwow for couriers https://play.google.com/store/apps/details?id=com.fwdelivery&hl=ru
 
Before submitting your report please ensure that the scope of the issue you've identified matches the one stated in the program. If the scope doesn't match the target, but you believe the issue you've identified is worth investigating, submit your report on the Standoff 365 platform (not via email or other channels) and include a couple of sentences outlining your opinion on its applicability.
IMPORTANT!
Publication or disclosure of report details without the consent of the Flowwow Information Security Team is prohibited.
Flowwow's information security team reserves the right to decline any request for public disclosure of the report.
 

PRIORITY VULNERABILITIES

Our top priority is identifying critical server-side vulnerabilities. However, we welcome reports of any vulnerabilities whose exploitation could negatively impact our company and its operations. Before submitting a report, we recommend that you review the base list of vulnerabilities we are interested in. Please also note that we have identified a list of vulnerabilities that we do not reward under this program.
 
Remote Code Execution (RCE);
Injections (e.g. SQL injections or XML injections);
SSRF;
Memory leaks;
Business logic vulnerabilities;
IDOR;
Access control vulnerabilities;
Disclosure of sensitive information;
Account hijacking;
Authentication/authorization flaws;
XSS and CSRF with impact on sensitive data.
 

VULNERABILITIES NOT ELIGIBLE FOR A REWARD

  • Reports from vulnerability scanners and other automated tools;
  • Disclosure of non-confidential information such as product version;
  • Disclosure of public information about a user such as nickname;
  • Reports based on product/protocol version without demonstrating the actual presence of a vulnerability;
  • Reports of a missing protection mechanism/best current practice (e.g. no CSRF token, no protection against framing/clickjacking) without demonstrating real impact on user or system security;
  • Messages about published and unpublished SPF and DMARC policies;
  • Cross-site request forgery (CSRF) resulting in logout;
  • Vulnerabilities in partner products or services;
  • Security of rooted, jailbroken or otherwise modified devices and applications;
  • Application reverse engineering capability or lack of binary protection;
  • Open redirections are only accepted if a security impact is determined, such as the possibility of credential or token theft;
  • Inputting unformatted text, sound, images, or video into a server response outside of the user interface (for example, in JSON data or an error message) if this does not result in substitution of the user interface, change in user interface behavior or other negative consequences;
  • Same-site scripting, reflected file download and similar attacks with questionable impact;
  • CSP-related reports for domains without CSP and domain policies with insecure eval and/or insecure inline;
  • IDN homograph attacks;
  • XSPA (IP/port scanning of external networks);
  • CSV/Excel formula injection;
  • Scripting in PDF documents;
  • Self-XSS;
  • Attacks that require full access to a local account or browser profile;
  • Theoretical attacks without proof of possibility of use;
  • Denial of service (DoS) vulnerabilities associated with sending a large number of requests or data (flood);
  • Ability to send a large number of messages;
  • Possibility of sending spam or a malware file;
  • Disclosure of information through external links not controlled by the company;
  • Exposure of unused or properly restricted JS API keys (e.g. an API key for an external mapping service);
  • Messages about possible DDoS attacks;
  • Information about IP addresses, DNS records and open ports;
  • Disclosure of private IP addresses or domains pointing to private IP addresses;
  • Messages about publicly accessible login panels;
  • Clickjacking;
  • Bypassing root and jailbreak checks;
  • Messages about the possibility of reverse engineering mobile applications;
  • Leaking sensitive tokens (such as a password reset token) to trusted third parties over a secure connection (HTTPS).
 

REPORTING

The report should contain:
URL of the vulnerable application;
Type of vulnerability detected;
Screenshots or a video recording confirming the presence of the vulnerability and demonstrating the steps to reproduce it;
An example of a formatted request from Burp Suite (or any other PoC);
In some cases, pieces of code.
Failure to meet the minimum requirements may result in a reduced reward amount. If the report does not contain sufficient data to verify the presence of a vulnerability, the reward will not be paid.
All information about the vulnerability found (including attachments) should be kept only in the report you submit. Do not post it on external resources.
 

HOW TO WRITE A GOOD REPORT?

Each report should describe one vulnerability. Exceptions are cases where the vulnerabilities are either related or can be combined into a chain.
A good vulnerability report should include the following components:
Description of the vulnerability;
CVE;
CVSS 3.1 severity analysis;
Steps to reproduce;
Criticality analysis;
Remediation recommendations.
 

PROHIBITED ACTIONS

If you conduct research using prohibited methods and tools, we reserve the right to withhold your reward or exclude you from the program. Therefore, violating the rules may result in the forfeiture of any reward you would otherwise receive for your work or permanent exclusion from this and any other Flowwow programs.
- The use of social engineering methods is prohibited, including phishing, vishing, smishing, etc.;
- Physical attacks on the company and its infrastructure are prohibited;
- Using other people's accounts is prohibited: hacking and accessing users' accounts without their consent is unacceptable;
- When accessing confidential information, copying, storing and transferring it is prohibited: all copies made by you during the testing process must be returned to our security team;
- Exploitation of vulnerabilities after completion of testing work is prohibited;
- Use basic commands to demonstrate exploitation of the vulnerability you have discovered: attacks aimed at taking systems offline (e.g. DDoS) are prohibited.
 

TESTING RULES

When testing for issues, we ask that you adhere to the following guidelines:
- Use only your own accounts;
- Do not violate the confidentiality, integrity and availability of information in our services during testing;
- Do not commit actions that may cause damage to the company, its infrastructure, clients and partners;
- Use basic commands for a PoC or other minimal evidence of a vulnerability in the system;
- Please contact us if you realize that you need to break these rules to continue testing.
 

Are accounts provided for testing?

We do not provide additional access or accounts (including test ones). Please use your own accounts for testing.

How and within what timeframe are reports verified?

Vulnerability reports are reviewed by our internal security team. Response times vary depending on workload, but we strive to process requests within two (2) weeks.
Reports with the "Insufficient Hacker Information" status and no activity for a month are closed at the discretion of the security team.
 

DISCLOSURE RULES

 
- Submit reports only through the form on the platform;
- Do not disclose information about the vulnerability you have found publicly without permission from the security team.
If you violate these rules, we will be forced to exclude you from the list of participants in this and any other Flowwow programs, and take measures in accordance with the Criminal Code of the Russian Federation.
 

RULES FOR DETERMINING CRITICALITY

We reserve the right to make the final determination on the severity of a discovered vulnerability. When we receive a report, we conduct an internal investigation and determine its severity based on several factors:
- What privileges does an attacker need to carry out an attack?
- How difficult is it to detect and exploit the vulnerability?
- Is user interaction required for an attack?
- How does the vulnerability affect data security and availability?
- What risks does it pose for the company's business and reputation?
- How many users would be at risk from the vulnerability?
We take all these and other factors into account to make decisions and determine priorities in vulnerability assessment.
 

RULES FOR WORKING WITH DUPLICATES

We reward only the first report received that contains all the necessary information to reproduce the vulnerability. Repeated reports concerning the same vulnerability will be marked as duplicates and are not eligible for a reward.
Reports containing descriptions of similar attack vectors will also be marked as duplicates if the security team deems that the information from the first report is sufficient to remediate all identified exploit vectors.
The original report may be a report from another researcher or from the company's internal security team.
 

REWARD

 
1. Critical: from 50,000 to 70,000 rubles;
2. High: from 20,000 to 50,000 rubles;
3. Medium: from 10,000 to 20,000 rubles;
4. Low: from 5,000 to 10,000 rubles;
5. Informational: program points.
 
The reward will only be paid if the Flowwow security team deems that all the conditions of the rules are met and the identified vulnerability is significant.
Launched September 1, 2025
Edited January 13, 14:02
Program format: vulnerabilities.
Reward for vulnerabilities by severity level: Critical ₽50K–70K; High ₽20K–50K; Medium ₽10K–20K; Low ₽5K–10K; None ₽0.
Program statistics: ₽491,500 paid in total; ₽15,359 average payment; ₽261,500 paid in the last 90 days; 99 valid reports; 140 submitted reports.