Ozon bug bounty: questions and answers
We have launched a public bug bounty program on HackerOne. You can now earn a reward for vulnerabilities found on the Ozon website and, at the same time, help a company whose service is used by your friends, acquaintances and relatives. In this article, the Ozon information security team answers the most common questions about the program.
What Ozon resources are participating in the program?
So far, only the main site, but we plan to connect other services.
How much do we pay for bugs found?
In each case, the amount of the reward depends on the criticality of the vulnerability, the quality of the report and other criteria; in the end, we determine it individually. Details can be found here.
Has someone already been paid?
Yes, in March the program started behind closed doors, and we have already paid researchers about 360,000 rubles.
Why didn't you launch publicly right away?
The classic story for almost every bug bounty program is the first wave of reports, which floods the security team. At the same time, it is important to keep a valid SLA for responses and, more generally, for reacting to reports. Therefore, we decided to start in private mode first, gradually increasing the number of invited researchers and debugging the corresponding internal processes.
Does this mean Ozon itself no longer intends to work on security?
On the contrary: we are strengthening the team and plan not only to work more actively with the hacker community, but also to continue building processes within the framework of S-SDLC, including code security controls, service security analysis and employee training, and even to hold information security meetups. By the way, the talk by Taras Ivashchenko, head of the product security group, from the previous OWASP meetup can be read on our blog.
Stock up on coffee, and happy hacking!