OTTO.DE Bug Bounty

Company

Otto.de is the second-largest online shop in Germany and its currently transitioning to be a leading platform that connects sellers and buyers. Our aim is to provide our customers with a one-stop shop that contains a vast and ever-expanding selection of products.

At otto.de, security is an important component of our organizational culture; we take security issues seriously and work closely with our development teams to not only ensure security during our software development process, but also validate these assumptions through security testing.

This Bug Bounty program is the next logical step that serves as an additional security layer that helps further elevate the privacy and security posture of our site.

We thank you for joining our Private Program and for your help keeping Otto.de safe!

Program Rules

• Report security bugs no later than 24 hours after discovery and exclusively through yeswehack.com

• We will respond to you in a timely manner

• We will work with you and keep you updated while working on a fix that addresses your reported bug

• We reserve the right to cancel this program or change its scope at any time

• Compliance with the Permitted Services and Prohibited Activities sections within the Amazon Web Services Penetration Testing guidelines is required.

  • This means any type of Denial of Service as well as any interference with network equipment and infrastructure is strictly forbidden.

• We reserve the right to use a "OneFixOneReward" rule, i.e., if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the ensuing flaws, only one report will be considered as eligible for a reward and other reports will be closed as informative. However, all reports will be reviewed edge by edge.

Eligibility & Disclosure Policy

Any non-security related issue will not be eligible for a money reward.

To be eligible for a reward, we require that issues being reported have an actual security impact in a realistic scenario.

Otto will ultimately determine, at our own discretion, whether a reward should be granted. But we aim to be fair and look forward to your contributions.

In order to qualify for a reward, you must strictly adhere to the following eligibility requirements:

• You must be the first reporter of a vulnerability (any duplicate reports will not be rewarded)

• The reported bug must be a qualified vulnerability according to Scope, Qualifying and Non-Qualifying Vulnerabilities (see below)

• You must send a clear textual description of the bug report along with possible real world attack scenarios and steps to reproduce the issue, please include attachments such as screenshots or proof of concept code to increase your chances of getting rewarded.

• You must not be a former or current employee of OTTO or one of its affiliates / contractors.

• Vulnerability disclosure of any kind (public, partial, social media, etc) is strictly forbidden

• While looking for vulnerabilities you are bound to the rules defined by existing laws especially those concerning GDPR.

• Discovered vulnerabilities may not be exploited, not even to find additional problems

• Prohibited are non-technical attacks such as social engineering, phishing or physical attacks

• The following are examples of how to prove a vulnerability to us:

  • XSS verification:
    Allowed: alert(17)
    Prohibited: Including external scripts

  • SQL Injection:
    Allowed: Extracting the DBMS’s version number
    Prohibited: Access to tables containing actual content such as customer data

  • Code Injection:
    Allowed: Extracting the operating system user’s ID that is used to run the code with onboard tools (e.g. “id” or “whoami”)
    Prohibited: Executing external code

  • Creating, altering or deleting data or settings:
    Allowed: Altering one’s own data
    Prohibited: Altering data of third persons or central data such as configuration settings; Deletion of data

  • Sending unwanted notifications
    Allowed: One-time usage of a contact form
    Prohibited: Mass distribution of messages via a contact form; Distribution to third parties

Rules for you

We ask that you fully read and understand our Program Rules and Eligibility & Disclosure Policy before you begin testing.

• Additionally, we ask that you do NOT:
  • attempt to gain access to personal data or personally identifiable data of third persons
  • attempt to gain access to non-public corporate data or services
  • create, alter or delete data or settings of third persons
  • cause outages or disturbances of services. All tests must be non-invasive / non-destructive.
  • execute tests that result in unwanted messages being dispatched
  • perform tests of 3rd-Party services, that are not operated by us
  • impact other users in any way, shape or form during your testing
  • use of automated security scanners (e.g., Nessus)
  • use fully automated techniques to find vulnerabilities over extended periods of times
  • utilise illegal Bots, BotNets or any other compromised computers / devices to perform your testing
  • Do not place multiple orders in a short period of time and try to cancel your orders as soon as possible after your testing
  • Attacks against end users as well as OTTO employees and customers are strictly forbidden.

Reports of leaks and exposed credentials

In the context of this program, we do not accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope.

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

To summarize our policy, you may refer to this table :

This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources
• Exposed credentials that are not applicable on the program’s scope
• Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
• Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
• Exposed PII on an out-of-scope asset

Reports of Subdomain Takeovers

For subdomain takeovers that are not within the defined scope but still present a valid proof of concept, a reward of €250 will be granted. We reserve the right to apply the "OneFixOneReward" rule, if multiple subdomains can be attributed to the same team. This is often identifiable by the third level of the subdomain name, such as {TEAM}.[bi|platform|cloud].otto.de. If multiple subdomains for the same team are identified, a single compensation of €250 will be provided, regardless of the number of subdomains.

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data
• DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
• In case of sensitivie information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describing and listing what is exposed.