Angelina

olx Bug Bounty
« on: July 26, 2023, 08:03:23 PM »
submit bug report: http://olx.com

At OLX, we take security issues seriously. If you believe you've detected a vulnerability within our products we'd like to hear about it. We'll investigate all reports and do our best to fix these issues as soon as possible.
Important Information
At the moment our program managed by HackerOne is paused; for more information, visit security.olx.com.
Scope
You can review the OLX sites in scope by visiting security.olx.com. Vulnerabilities need to be documented in a way that they can be reproduced. Send screenshots, code, or video to help us understand the issue.
What about public disclosure?
We're more than happy to publicly disclose your bug once it has been fixed by our developers.
Exceptions & Rules
Any activity that would disrupt, damage or adversely affect any third-party data or account is not allowed. Please do not mass create accounts to perform testing. Also do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.
The following are strictly prohibited:
Denial of Service attacks.
Physical attacks against offices and data centers.
Social engineering of our service desk, employees or contractors.
Compromise of an OLX user's or employee's account.
Automated tools or scans, botnets, compromised sites, end-clients, or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.
Out of Scope/Non-qualifying vulnerabilities
These vulnerabilities are out of scope since we're currently aware of them in some of our products and are actively working on them.
WordPress/CPanel vulnerabilities
Software version disclosure
HttpOnly and Secure cookie flags
SSL/TLS scan reports (this means output from sites such as SSL Labs)
Password strength policies
Session timeout
Session Hijacking (cookie reuse)
Missing security headers
Autocomplete
Account enumeration
Rate-limiting (for non-authentication flows)
Self XSS attacks
Self-exploitation (i.e. password reset links or cookie reuse)
Tabnabbing with partner links
Use of a known-vulnerable library (without proof of exploitability)
Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
Directory listing
Open redirects
Content Spoofing
Missing SPF/DKIM/DMARC records
Rewards
At this time, we are not awarding bounties or cash rewards for reported vulnerabilities.