Ozon bug bounty: FAQ




We have launched a public bug bounty program on HackerOne: you can now receive a reward for vulnerabilities found on the Ozon website, and at the same time help a company whose service is used by your friends, acquaintances and relatives. In this article, the Ozon information security team answers the most popular questions about the program.



What Ozon resources are involved in the program?



So far, only the main site, but we plan to connect other services as well.



How much do we pay for bugs found?



In each case, the amount of the reward depends on the severity of the vulnerability, the quality of the report and other criteria; in the end, we determine it individually. Details can be found here.



Has anyone already been paid?



Yes. The program started in March as a private one, and we have already paid about 360,000 rubles to researchers.



The first report, which we received from r0hack while the program was still private, concerned the lack of protection against CSRF attacks. We really do not use the classic defence against such attacks, the so-called CSRF token with which the corresponding request is signed (see the OWASP Cross-Site Request Forgery Prevention Cheat Sheet). Instead we rely on a relatively new mechanism, long supported by all major browsers: marking the session cookie with the SameSite attribute. Its essence is that, depending on the attribute's value, such a cookie stops being sent along with ordinary cross-site requests, which removes the root cause of CSRF. The problem for us turned out to be that the session cookie was also being rewritten on the browser side in JavaScript (yes, this is bad in itself and we will get rid of it very soon), and when the cookie was rewritten the attribute was dropped, switching the protection off. This was an unpleasant surprise for us, and the researcher had to make an effort to prove to us with a PoC and a video that the problem existed. Special thanks to him for that!
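As an added example (not Ozon's code and not taken from the article), a small Node.js audit of `Set-Cookie` header values that flags the two conditions behind the finding above: a session cookie without a `SameSite` attribute (or with `SameSite=None`) and one without `HttpOnly`, the flag that keeps page scripts from rewriting a cookie and losing its attributes in the first place. The cookie names and sample headers are constructed.

```javascript
// Audit Set-Cookie values for attributes that keep a session cookie out of
// cross-site requests (SameSite) and out of reach of page scripts (HttpOnly).
// Sample data below is constructed for illustration; this is not Ozon's code.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split("=");
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  // Re-join so a value that itself contains "=" survives intact.
  return { name: name.trim(), value: valueParts.join("="), attrs };
}

// Return the list of problems found for a single session cookie header.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  const sameSite =
    typeof c.attrs.samesite === "string" ? c.attrs.samesite.toLowerCase() : null;
  if (!sameSite || sameSite === "none") {
    findings.push("SameSite missing or None: cookie rides along on cross-site requests (CSRF)");
  }
  if (!c.attrs.httponly) {
    findings.push("HttpOnly missing: page scripts can read and rewrite the cookie");
  }
  if (!c.attrs.secure) {
    findings.push("Secure missing: cookie may be sent over plain HTTP");
  }
  return { name: c.name, findings };
}

// Constructed samples: the server-issued cookie, and the same cookie after a
// client-side document.cookie rewrite that kept only the value (attributes lost).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "session=abc123; Path=/",
];

function auditAll(headers) {
  return headers.map(auditSessionCookie);
}

for (const result of auditAll(SAMPLE_HEADERS)) {
  console.log(result.name, result.findings.length ? result.findings : "ok");
}
```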



Why didn't you start with a public program right away?



A classic story for almost all bug bounty programs: the first wave of reports hits the security team hard. At the same time, it is important to maintain an acceptable SLA for responses and, in general, for reacting to reports. So we decided to start in private mode first, gradually increasing the number of invited researchers and debugging the corresponding internal processes.



Does this mean Ozon itself no longer intends to deal with security?



On the contrary, we are strengthening the team and plan not only to work more actively with the hacker community, but also to continue building processes within the S-SDLC, including code security control, service security analysis and employee training, and even to hold information security meetups. By the way, the talk by Taras Ivashchenko, head of the product security group, from the previous OWASP meetup can be read on our blog.



Stock up on coffee and happy hacking!


