Responsible Vulnerability Disclosure Program

Overview

Skroutz, as a company, remains committed to offering our customers and partners top-quality services while ensuring their data and personal information remain secure and protected throughout their interactions with our services.

To that end, Skroutz runs a best-in-class Responsible Vulnerability Disclosure Program, in cooperation with BugCrowd (https://bugcrowd.com), aiming to enable our community of technically-minded individuals and security researchers to report potential security vulnerabilities identified in any of our main services.

To guarantee that any such weaknesses are disclosed responsibly, please follow these general guidelines:

  • All relevant submissions should be made through the vulnerability disclosure form located at the bottom of this page.
  • Make sure to report any identified vulnerabilities in a timely fashion to ensure quick triage and mitigation by our team of security experts. That way you also get your reward as soon as possible!
  • This disclosure program, as well as all vulnerability-associated rewards, is solely managed & operated by BugCrowd in accordance with their terms & conditions.
  • We ask that any identified vulnerabilities remain strictly confidential to safeguard our community of customers and partners and reduce their exposure. All submissions should be made in a confidential fashion through this program's submission page, and no public disclosure or other form of publication should be made. We reserve the right to withhold rewards or initiate legal action if these conditions are not met.
  • Any personal data or other confidential information & data coming into your possession or otherwise processed by you as a result of an identified vulnerability should be destroyed promptly, immediately after the vulnerability submission, to ensure the protection of our community's privacy.
  • Finally, ensure that any research for vulnerability identification has been performed through lawful means only, refraining from illegally accessing computer systems, user accounts and sensitive information that do not belong to you or that you do not have explicit permission from Skroutz to access.
  • Attempts to use malware or other malicious software, to directly contact customers and partners of Skroutz, or to send spam and/or fraudulent email or electronic messages are strictly forbidden under the rules of this program.

Scope

You are asked to report all identified security vulnerabilities, unless they fall under one or more of the categories explained below, which are considered out of scope and will not be accepted as legitimate vulnerability submissions by Skroutz's cybersecurity team. Out-of-scope vulnerability types include the following:

  • HTTP security headers
  • Browser cookie security flags
  • SSL/TLS & certificate related issues (ex. ciphers, certificate strength etc.)
  • Password policy (ex. password complexity, expiration, password reset timeout etc.)
  • Session expiration time interval
  • Self-XSS
  • Error messages - Unless they lead to sensitive data exposure
  • Clickjacking issues
  • Account lockout policies
  • Security control recommendations (firewalls, WAFs etc.)
  • Vulnerabilities only relevant to users of legacy/obsolete/out-of-date browsers
  • Email server issues - Unless directly exploitable through the web application/API
  • Email/Username enumeration (other enumerations are in scope)
  • Out-of-date vulnerable third-party libraries (Unless you can demonstrate exploitability of the vulnerability on the web application)

Forbidden activities

The following activities are strictly prohibited, will not be eligible for any rewards and may even result in accounts/IP addresses/clients getting banned from our services altogether:

  • Phishing/Social Engineering attacks
  • Malware & Malicious software usage
  • Denial of Service & Distributed Denial of Service attacks
  • IP/port scanning
  • Attacking the load-balancers that serve the applications and API endpoints directly
  • Attacking the network and/or hosts of the applications and API endpoints directly - unless possible through an application/API vulnerability
  • Post-exploitation activities (lateral movement, backdoors, rootkits, scheduled tasks etc.)
  • Excessively aggressive use of automated scanning tools:
    • Always pace your scanning tools to a reasonable number of concurrent requests against the environment
    • Do not create huge amounts of new database entries via automated means (e.g. new accounts) - only create what is necessary for your testing, in a manual or semi-automated manner
    • Do not attempt to brute-force credentials

Rewards

Rewards are awarded by BugCrowd, after successful validation of your submission, in accordance with their terms & conditions described here: https://docs.bugcrowd.com/researchers/receiving-rewards/getting-rewarded/

Submissions should be acknowledged within 72 hours by our cybersecurity team, at which point the team will start working to validate your submission. This process will usually take no more than 5 business days but is subject to security team availability and other priorities.

For any further questions about the program and its guidelines please reach out to BugCrowd at [email protected]

Responsible Vulnerability Disclosure Form