avatar
Bug bounty
Public

OTTO.DE Bug Bounty

Online Shop

Reward

Bounty
Hall of fame
€50
Low
€250
Medium
€500
High
€1,000
Critical
€2,500

Program

Avg reward
€621.1
Max reward
€3,000
Scopes
11

Supported languages
English

Hacktivity

Reports
151
1st response
< 1 day
Reports last 24h
-
Reports last week
12
Reports this month
12

Company

Otto.de is the second-largest online shop in Germany and its currently transitioning to be a leading platform that connects sellers and buyers. Our aim is to provide our customers with a one-stop shop that contains a vast and ever-expanding selection of products.

At otto.de, security is an important component of our organizational culture; we take security issues seriously and work closely with our development teams to not only ensure security during our software development process, but also validate these assumptions through security testing.

This Bug Bounty program is the next logical step that serves as an additional security layer that helps further elevate the privacy and security posture of our site.

We thank you for joining our Private Program and for your help keeping Otto.de safe!

Program Rules

  • Report security bugs no later than 24 hours after discovery and exclusively through yeswehack.com

  • We will respond to you in a timely manner

  • We will work with you and keep you updated while working on a fix that addresses your reported bug

  • We reserve the right to cancel this program or change its scope at any time

  • Compliance with the Permitted Services and Prohibited Activities sections within the Amazon Web Services Penetration Testing guidelines is required.

    • This means any type of Denial of Service as well as any interference with network equipment and infrastructure is strictly forbidden.
  • We reserve the right to use a "OneFixOneReward" rule, i.e., if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the ensuing flaws, only one report will be considered as eligible for a reward and other reports will be closed as informative. However, all reports will be reviewed edge by edge.

Eligibility & Disclosure Policy

Any non-security related issue will not be eligible for a money reward.

To be eligible for a reward, we require that issues being reported have an actual security impact in a realistic scenario.

Otto will ultimately determine, at our own discretion, whether a reward should be granted. But we aim to be fair and look forward to your contributions.

In order to qualify for a reward, you must strictly adhere to the following eligibility requirements:

  • You must be the first reporter of a vulnerability (any duplicate reports will not be rewarded)

  • The reported bug must be a qualified vulnerability according to Scope, Qualifying and Non-Qualifying Vulnerabilities (see below)

  • You must send a clear textual description of the bug report along with possible real world attack scenarios and steps to reproduce the issue, please include attachments such as screenshots or proof of concept code to increase your chances of getting rewarded.

  • You must not be a former or current employee of OTTO or one of its affiliates / contractors.

  • Vulnerability disclosure of any kind (public, partial, social media, etc) is strictly forbidden

  • While looking for vulnerabilities you are bound to the rules defined by existing laws especially those concerning GDPR.

  • Discovered vulnerabilities may not be exploited, not even to find additional problems

  • Prohibited are non-technical attacks such as social engineering, phishing or physical attacks

  • The following are examples of how to prove a vulnerability to us:

    • XSS verification:
      Allowed: alert(17)
      Prohibited: Including external scripts

    • SQL Injection:
      Allowed: Extracting the DBMS’s version number
      Prohibited: Access to tables containing actual content such as customer data

    • Code Injection:
      Allowed: Extracting the operating system user’s ID that is used to run the code with onboard tools (e.g. “id” or “whoami”)
      Prohibited: Executing external code

    • Creating, altering or deleting data or settings:
      Allowed: Altering one’s own data
      Prohibited: Altering data of third persons or central data such as configuration settings; Deletion of data

    • Sending unwanted notifications
      Allowed: One-time usage of a contact form
      Prohibited: Mass distribution of messages via a contact form; Distribution to third parties

Rules for you

We ask that you fully read and understand our Program Rules and Eligibility & Disclosure Policy before you begin testing.

  • Additionally, we ask that you do NOT:
    • attempt to gain access to personal data or personally identifiable data of third persons
    • attempt to gain access to non-public corporate data or services
    • create, alter or delete data or settings of third persons
    • cause outages or disturbances of services. All tests must be non-invasive / non-destructive.
    • execute tests that result in unwanted messages being dispatched
    • perform tests of 3rd-Party services, that are not operated by us
    • impact other users in any way, shape or form during your testing
    • use of automated security scanners (e.g., Nessus)
    • use fully automated techniques to find vulnerabilities over extended periods of times
    • utilise illegal Bots, BotNets or any other compromised computers / devices to perform your testing
    • Do not place multiple orders in a short period of time and try to cancel your orders as soon as possible after your testing
    • Attacks against end users as well as OTTO employees and customers are strictly forbidden.

Reports of leaks and exposed credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table :

Type of leak Source of leak is in-scope Source of leak belongs to MyCompany but is out-of-scope Source of leak does not belong to MyCompany and is out-of-scope
Impact is in-scope (e.g. valid credentials on an in-scope asset) Eligible (✅) Eligible (✅) Not eligible (❌)
Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset) Eligible (✅) Not eligible (❌) Not eligible (❌)

This excludes, but is not limited to:

  • Stolen credentials gathered from unidentified sources
  • Exposed credentials that are not applicable on the program’s scope
  • Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
  • Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
  • Exposed PII on an out-of-scope asset

Reports of Subdomain Takeovers

For subdomain takeovers that are not within the defined scope but still present a valid proof of concept, a reward of €250 will be granted. We reserve the right to apply the "OneFixOneReward" rule, if multiple subdomains can be attributed to the same team. This is often identifiable by the third level of the subdomain name, such as {TEAM}.[bi|platform|cloud].otto.de. If multiple subdomains for the same team are identified, a single compensation of €250 will be provided, regardless of the number of subdomains.

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

  • DO NOT alter compromised accounts by creating, deleting or modifying any data
  • DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
  • DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
  • In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
  • In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describing and listing what is exposed.


Reward

Asset value CVSS
Low
CVSS
Medium
CVSS
High
CVSS
Critical
Medium
€250€500€1,000€2,500
Low
€250€500€1,000€2,000

Scopes

ScopeTypeAsset value
https://www.otto.de web-application
Medium
Low
€250
Medium
€500
High
€1,000
Critical
€2,500
https://www.otto.de/jobs web-application
Medium
Low
€250
Medium
€500
High
€1,000
Critical
€2,500
https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de mobile-application-android
Medium
Low
€250
Medium
€500
High
€1,000
Critical
€2,500
https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644 mobile-application-ios
Medium
Low
€250
Medium
€500
High
€1,000
Critical
€2,500
https://www.lascana.de/ web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000
https://teleoptiprd.otto.de web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000
https://mmp.otto.de web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000
https://partnerprogramm.otto.de web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000
https://orbidder.otto.de web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000
https://supplier-connect.otto.de web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000
https://retail-api.otto.de web-application
Low
Low
€250
Medium
€500
High
€1,000
Critical
€2,000

Out of scopes

  • Out-Of-Scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)
  • Those include but are not limited to (if unsure, contact us before executing the tests):
  • https://www.otto.de/reblog
  • https://www.otto.de/roombeez
  • https://www.otto.de/twoforfashion
  • https://www.otto.de/soulfully
  • https://www.otto.de/updated
  • https://www.otto.de/newsroom
  • https://www.otto.de/kundenchat
  • https://www.otto.de/clara
  • https://www.otto.de/or
  • https://www.otto.de/user/sendcallbackrequest
  • https://www.otto.de/user/contactFormSubmit
  • https://keycloak.apps.otto.de
  • All domains not listed In-Scope
  • /apps-messenger (the chatbot in general is out of scope)
  • /tracking
  • Please let us know if you have any questions regarding the scope.

Vulnerability types

Qualifying vulnerabilities

  • Cross-Site Scripting (XSS)
  • Broken authentication
  • Session Management
  • CORS with real security impact
  • Privilege escalation of any kind
  • Remote code execution (RCE)
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Code injections (HTML, JS, NoSQL, ...)
  • Insecure Direct Object References
  • Reports regarding Open Redirects will be classified with severity "low" and rewarded 100 EUR by default, unless you can demonstrate any further impact or exploitation.

Non-qualifying vulnerabilities

  • User or Email enumeration of any kind
  • Password Complexity attacks (Brute-Force or Credential Stuffing attacks against the otto.de login functionality)
  • Missing CAPTCHA or MFA
  • Lack of rate limit on non-sensitive endpoints and/or bruteforce attacks
  • Cross-Site Requests Forgery (CSRF) issues with low impact
  • Reports from automated web vulnerability scanners that have not been validated
  • Reports of outdated / insecure libraries without exploit evidence
  • Issues related to software or protocols not under Otto.de controls
  • Used software and their version
  • Reverse Tabnabbing
  • Vulnerabilities related to unpatched / outdated browsers and platforms
  • Issues without clearly identified security impact, such as missing or misconfigured security headers, missing cookie flags, clickjacking on a static website or descriptive error messages
  • Recently disclosed Zero-day vulnerabilities
  • Denial of service (DOS) attacks using automated tools
  • Self-XSS, which includes any payload entered by the victim
  • XSS that is not exploitable in a modern browser
  • Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs) Disclosure of used software and their version
  • Issues that require physical access to a victim’s computer/device
  • Issues that require your target to open the developer tools of a browser
  • Content injection if the only attack scenario is social engineering
  • Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
  • Vulnerabilities that only affect one browser will be considered on a case-by-case basis, and may be closed as informative due to the reduced attack surface
  • Information disclosure of public or non-protected information (e.g. code in a public repository, server banners, etc.)
  • Exposed credentials that are either no longer valid, or do not pose a risk to an in-scope asset
  • Any other submission determined to be low risk, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact
  • Vulnerabilities on third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Autocomplete functionality in forms
  • Internal IP disclosure
  • Lack of the X-FRAME-OPTIONS header on static pages or pages that don’t contain dangerous or sensitive actions.
  • Vulnerabilities that require extensive social engineering
  • Lack of the secure or HTTPOnly flag on cookies
  • Issues regarding DMARC and DKIM
  • Subdomain takeover without taking the subdomain over
  • Lack of obfuscation
  • Lack of jailbreak & root detection
  • We already know that our mobile apps are violating the following requirements from the OWASP Mobile Application Security Testing Guide (MASTG) (e.g. MSTG-ARCH-1, MSTG-CODE-2, etc.) and we will not consider this kind of submission unless you can demonstrate a significant security impact with a reproducible PoC
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope

Hunting requirements

Account access

If you require a user account, please feel free to create it yourself. We kindly ask that you use your YesWeHack email aliases to make it identifiable.

Note: Please do NOT mass create accounts to perform your testing and make an effort to limit yourself to the number of aliases you have on the platform.

If you want to test the order functionality for otto.de, please limit yourselves to a small number of orders and make sure to cancel those in a short delay after your test.

User agent

Please append to your user-agent header the following value: ' Bug-Bounty-Hunter-#YesWeHackUserName# '.


Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.