We launched a public bug bounty program on HackerOne - now you can get a reward for the vulnerabilities found on the Ozon website, and at the same time help the company, the service of which is used by friends, acquaintances and relatives. In this article, the Ozon information security team answers the most popular questions about the program.

What Ozon resources are participating in the program?

So far, only the main site, but we plan to connect other services.

How much do we pay for bugs found?

In each case, the amount of remuneration depends on the criticality of the vulnerability, the quality of the report and other criteria - in the end, we determine it individually. Details can be found here .

Has someone already been paid?

Yes, in March the program started behind closed doors, and we have already paid researchers about 360,000 rubles.

We got the first report from r0hack in the then still private program, about the lack of protection against CSRF attacks. We really do not use the classic way of protection against such attacks in the form of the so-called. CSRF token with which the corresponding request is signed (see OWASP Cross-Site Request Forgery Prevention Cheat Sheet ), we have relied on a relatively new mechanism of marking session cookies with the attribute SameSite . Its essence is that such a session cookie ceases to be transmitted (depending on the value of the attribute) during normal cross-site requests. In this way, the original cause leading to CSRF is resolved. The problem for us was that the session cookie also changed on the browser side in JavaScript ( yes, this is bad in itself and we’ll get rid of it soon ) and there this attribute was reset, turning it off protection - and this turned out to be an unpleasant surprise for us, and the researcher had to make an effort to prove to us with the help of PoC and video that the problem exists. For which special thanks to him!

Why didn’t they immediately start in the public domain?

The classic story for almost all bug bounty programs is the first wave of reports that covers the security team. At the same time, it is important to keep a valid SLA for responses and generally reactions in reports. Therefore, we decided to start first in private mode, gradually increasing the number of invited researchers and debugging the corresponding internal processes.

Now Ozon itself does not intend to engage in security?

On the contrary, we strengthen the team and plan to not only work more actively with the hacker community, but also continue to build processes within the framework of S-SDLC, including: control of code security, analysis of service security and employee training, and even hold meetings on information security. By the way, the speech of the head of the food safety group Taras Ivashchenko from the previous OWASP meeting can be read on our blog.

We stock up on coffee and successful hacking !.