Ozon

target_in_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
www.ozon.ru URL high high high critical
**What it does:** e-commerce! Our main site.

**What security issues are best to look for:** Critical server-side application security flaws from the OWASP Top 10.

**What it runs on:**
* HTML, NodeJS, JavaScript with Vue.js
* Go, C#

target_out_of_scope

asset_identifier asset_type availability requirement confidentiality requirement eligible for bounty eligible for submission integrity requirement max_severity
*.ozon.ru URL none
All other subdomains are **currently** out of scope
*.ozon.travel URL none
Other OZON services are currently out of scope
*.ozone.ru URL none
Because it is a domain for the CDN
1451809471 APPLE_STORE_APP_ID none
OZON Card mobile application https://itunes.apple.com/app/id1451809471. Mobile applications are **currently** out of scope. Stay tuned.
407804998 APPLE_STORE_APP_ID none
OZON mobile application https://apps.apple.com/us/app/id407804998. Mobile applications are **currently** out of scope. Stay tuned.
959592459 APPLE_STORE_APP_ID none
OZON Travel mobile application https://apps.apple.com/app/id959592459. Mobile applications are **currently** out of scope. Stay tuned.
api.ozon.ru URL none
You can look for vulnerabilities in: `https://www.ozon.ru/api/*`. It is an alias for `api.ozon.ru`.
ru.ozon.app.android GOOGLE_PLAY_APP_ID none
OZON mobile application. Mobile applications are **currently** out of scope. Stay tuned.
ru.ozon.card GOOGLE_PLAY_APP_ID none
OZON Card mobile application. Mobile applications are **currently** out of scope. Stay tuned.
travel.ozon.mobile GOOGLE_PLAY_APP_ID none
OZON Travel mobile application. Mobile applications are **currently** out of scope. Stay tuned.
id.ozon.ru URL none
You can look for vulnerabilities in: `https://www.ozon.ru/webapi/*` and `https://www.ozon.ru/ozonid`, including authentication API endpoints.