Details

Adevinta Vulnerability Disclosure Program

Introduction

Adevinta looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Program Highlights

Open Scope
Accepts reports for all owned assets based on impact, even if not listed in scope.

Gold Standard Safe Harbor
Adheres to Gold Standard Safe Harbor.

Top Response Efficiency
This program's response efficiency is above 90%.

Response Targets

Average time to first response: 11 hours
Average time to triage: 1 day, 21 hours
Average time to resolution: 2 months, 3 weeks

Scope Exclusions

Core Ineligible Findings are out of scope.

Disclosure Policy

Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Some of the assets in scope may be mirror sites for the most part; duplicated vulnerabilities will be grouped.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
No DoS/DDoS testing.
Submitting contact forms in which the researcher is not in control of both the sender and the recipient of the contact form is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with explicit permission of the account holder.
If you need to create public content, for example ads or public profile, please don't draw attention with the content.
Please do not interact with other users. If you need to test user interactions please use test accounts under your control.
Moving beyond "proof of concept" report steps (for example: proving that account takeover vulnerability with a dummy test account is acceptable, but not exploiting or accessing customer accounts).
We've got the automated vulnerability scanners under control, thanks! Right now, what we really need is your brainpower, not just raw processing power. While automated tools are handy, we're looking for a bit more depth in the analysis. So, if you come across vulnerabilities, it would be awesome if you could provide some additional insights into why they're a concern.

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

"X-HackerOne-Research: [H1 username]"

Thank you for helping keep Adevinta and our users safe!

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.

Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

Some of the assets in scope may be mirror sites for the most part; duplicated vulnerabilities will be grouped.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

No DoS/DDoS testing.

Submitting contact forms in which the researcher is not in control of both the sender and the recipient of the contact form is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

Only interact with accounts you own or with explicit permission of the account holder.

If you need to create public content, for example ads or public profile, please don't draw attention with the content.

Please do not interact with other users. If you need to test user interactions please use test accounts under your control.

Moving beyond "proof of concept" report steps (for example: proving that account takeover vulnerability with a dummy test account is acceptable, but not exploiting or accessing customer accounts).

We've got the automated vulnerability scanners under control, thanks! Right now, what we really need is your brainpower, not just raw processing power. While automated tools are handy, we're looking for a bit more depth in the analysis. So, if you come across vulnerabilities, it would be awesome if you could provide some additional insights into why they're a concern.