Author Topic: Trendyol Bug Bounty  (Read 11943 times)

Angelina (Moderator)
« on: May 05, 2023, 05:32:29 pm »
Submit bug report: https://www.trendyol.com/

Program Rules
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Do not perform physical attacks against any Trendyol facility.
Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Do not compromise or test Trendyol Group accounts that are not your own.
Do not threaten the Trendyol Group and do not try to extort them. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered.
Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Trendyol Group services.
Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop Trendyol Group's business operations.
Reports on outdated versions/builds of in-scope Mobile Apps.
It is strictly forbidden for employees, contractors, and members of their immediate families to participate in the public bounty program, or to provide information to an external security researcher in order to bypass this prohibition (in which case all parties are ineligible under this program).
Scope
Our scopes are listed in the assets section below.
www.trendyol.com (APIs called from the web and mobile apps are accepted as in scope)
m.trendyol.com (APIs called from the web and mobile apps are accepted as in scope)
www.dolap.com (APIs called from the web and mobile apps are accepted as in scope)


Test Plan
Web traffic to and from Trendyol properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Trendyol bug bounty programs:
Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.
Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC Team is constantly analyzing the traffic so if you don't set this header you might be blocked.
Format -> X-Bug-Bounty: hackerone-{username}
Note: 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.
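To show how the required X-Bug-Bounty: hackerone-{username} tag lets a SOC separate research traffic from everything else, here is an added triage example (not code from Trendyol or HackerOne). It parses the header block of raw HTTP requests, validates the tag against the documented format, and counts requests per category; the sample requests are constructed, and the allowed username character set is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# The program asks researchers to tag every request with this header;
# the username charset below is an assumption, not something the program states.
BOUNTY_HEADER = "x-bug-bounty"
BOUNTY_RE = re.compile(r"^hackerone-([A-Za-z0-9_.-]+)$")

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Map lower-cased header names to values from the head of a raw HTTP/1.1 request."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if line == "":                           # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                                  # ignore lines that are not headers
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw_request: str) -> Tuple[str, Optional[str]]:
    """Return ('researcher', username), ('malformed', raw value) or ('untagged', None)."""
    value = parse_headers(raw_request).get(BOUNTY_HEADER)
    if value is None:
        return ("untagged", None)
    match = BOUNTY_RE.match(value)
    if match:
        return ("researcher", match.group(1))
    return ("malformed", value)   # header present but not in the documented format

def summarize(raw_requests: List[str]) -> Dict[str, int]:
    """Count requests per category so tagged research traffic can be separated from the rest."""
    counts = {"researcher": 0, "malformed": 0, "untagged": 0}
    for req in raw_requests:
        counts[classify(req)[0]] += 1
    return counts

# Constructed sample requests (not real traffic); only the header block matters here.
SAMPLE_REQUESTS = [
    "GET /api/v1/products HTTP/1.1\r\nHost: www.trendyol.com\r\nX-Bug-Bounty: hackerone-alice\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: m.trendyol.com\r\nx-bug-bounty: alice\r\nContent-Length: 0\r\n\r\n",
    "GET /search?q=shoes HTTP/1.1\r\nHost: www.dolap.com\r\nUser-Agent: curl/8.0\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req))
    print(summarize(SAMPLE_REQUESTS))
```

A malformed tag (second sample) is reported separately rather than treated as untagged, since it usually means a researcher who has not quite followed the format and should be contacted rather than blocked.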
Out-of-scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
Any non-Trendyol Applications
OTP Rate Limit
Issues About Deeplink
XSS due to Swagger-UI
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or non-impactful business impact
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing a significant attack vector/without being able to modify HTML/CSS
CORS without exploitation
Missing security-related HTTP headers which do not lead directly to a vulnerability
Rate limiting or brute force issues relying on Cloudflare
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Host header Injection without a demonstrable impact
Issues that require unlikely user interaction
Vulnerabilities relating to root detection and cert pinning
Vulnerabilities relating to outdated versions of Android
Cloudflare public IP leaks
Any issues relating to chat features
Automated scans and vulnerabilities found by it
Performing actions that may negatively affect Trendyol or its customers
Conducting any kind of physical attack on Trendyol’s personnel, property or data centers
Exfiltrating data. Please test only the minimum necessary to validate a vulnerability
Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities
Any form of brute force attacks
As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium
We'll accept notifications of domain takeover, but they're not eligible for bounty. Please note that performing the takeover is strictly prohibited.
XML-RPC Vulnerabilities
Confidential Information Leakage
Missing cookie flags
Physical attacks
Results of automated scanners
Autocomplete attribute on web forms
"Self" exploitation
Flash-based XSS
Verbose error pages (without proof of exploitability)
Missing Security HTTP Headers (without proof of exploitability)
"Self" XSS
Social Engineering attacks
Issues related to networking protocols
Reports on outdated version/builds of in-scope Mobile Apps
Banner Grabbing
Scanner Outputs
Password Complexity
User Enumeration
Stack Traces, Path Disclosure, Directory Listings
X-XSS-Protection Header
Software Version Disclosure
Internal pivoting, scanning, exploiting, or exfiltrating data
All Flash-related bugs
Confidentiality and Protection of Personal Data
The “Confidential Information” shall include any information provided by Trendyol Group to the Hacker (Bug Bounty Program Participants), including but not limited to any information, whether in written, oral, electronic, or other tangible forms (including, without limitation, the forms currently available and those made available by new technologies in future), regarding the financial, commercial, technical, professional, market and product-related matters and all kinds of personal information disclosed.
In principle, Trendyol Group does not share personal data with the Hacker; the Hacker may access personal data only where this is compulsory for the performance of the Articles of Association, and only to the extent required for the services provided under the Articles of Association.
If the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.
If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.
Safe Harbor
Please note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.
Legal
Trendyol reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.
Thank you for keeping Trendyol Group and our users safe!