
Avito Bug Bounty Program

Avito runs a bug bounty program to ensure the highest level of security and privacy for its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Avito listed below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the subsequent process of vulnerability remediation and disclosure between Avito and the researchers.

The bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

m.avito.ru
avito.ru

Non-Intrusive Submissions Handling

The following section covers submissions of vulnerabilities that do not require intrusive testing under Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

Out-of-scope vulnerabilities:
- Reports from automated scanners without appropriate analysis or demonstration of security impacts
- Reports about outdated/vulnerable software without exploitation examples
- Self-XSS affecting only current user
- Missing CSRF token in forms, where sensitive information like user data cannot be modified (e.g. logout form)
- Issues related to window.opener
- Session hijacking, session timeout
- Missing security HTTP headers (X-Frame-*, X-Content-*, CSP, HSTS, HPKP)
- Missing SPF, DKIM, DMARC records
- Missing "HttpOnly", "secure", "SameSite" flags for non-sensitive cookies
- Possibilities for exhaustive search by user/item identifiers

Testing Requirements:

Strictly prohibited:
- Searching for vulnerabilities in out-of-scope and third-party services, including payment gateways
- DoS/DDoS/physical access/phishing/social engineering attacks
- Stealing regular users' accounts and performing any other actions affecting their security
- Publishing any sensitive information discovered during security testing

Possible Awards:

Currently only Kudos.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

- Response Time: how quickly researchers get responses to their submissions.
- Remediation Time: how quickly reported submissions are fixed.
- Cooperation and Respect: how fairly and respectfully researchers are treated.

Researcher's comments

No comments so far.
