
Trendyol
External Program
As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.
DSM will make its best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
# Program Rules
The rules of the Bug Bounty program are listed below. Please note that violating these rules may result in legal and/or criminal liability for you.
# Scope
Our scopes are listed in the assets section below.
# In-Scope Vulnerabilities
| Vulnerability | Severity Range |
|---|---|
| Remote Code Execution | Critical |
| SQL Injection | High - Critical |
| NoSQL Injection | Medium - Critical |
| XXE | Low - Critical |
| XSS | Low - Critical |
| Server-Side Request Forgery | Low - Critical |
| Insecure Deserialization | High - Critical |
| Directory Traversal - Local File Inclusion | Medium - High |
| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |
| Privilege Escalation | Medium - High |
| Insecure Direct Object Reference | Low - Critical |
| Misconfiguration | Low - High |
| Web Cache Deception | Low - High |
| CRLF Injection | Low - Medium |
| Cross Site Request Forgery | Low - Critical |
| Open Redirect | Low |
| Information Disclosure | Low - Critical |
| Request smuggling | Low - High |
| Dependency Confusion | Low - High |
| Mixed Content | Low |
| Server Side Template Injection | Low - High |
| Client Side Template Injection | Low - Medium |
# Test Plan
Web traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal traffic and from malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:
Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your [email protected] addresses. Some of our properties will require this to be eligible for a bounty.
Include a custom HTTP header in all your traffic and tell us in your report which header value you set so we can identify it easily. Our SOC team is constantly analyzing traffic, so if you don't set this header you might be blocked.
Format: `X-Bug-Bounty: hackerone-{username}`
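As an added example (not code from the program or from HackerOne), this is how a SOC-side filter could classify requests by the `X-Bug-Bounty` header described above; the allowed username characters and the list of known researchers are assumptions, and the header is treated as a triage hint rather than as authentication, since anyone can send it.

```python
import re
from collections import Counter

# Assumed tag syntax for the X-Bug-Bounty header: "hackerone-" followed by a
# HackerOne username. The permitted username characters are an assumption.
TAG_RE = re.compile(r"^hackerone-(?P<user>[A-Za-z0-9_-]{1,64})$")

# Constructed list of researchers who told the program which tag they use
# (hypothetical usernames).
KNOWN_RESEARCHERS = {"alice_sec", "bob-h1"}

def classify(headers, known=KNOWN_RESEARCHERS):
    """Map one request's headers to a traffic class for SOC triage.

    A valid tag from an unknown username is flagged, not trusted, because
    the header can be set by anyone.
    """
    # Header names are case-insensitive, so normalise before lookup.
    value = next((v for k, v in headers.items() if k.lower() == "x-bug-bounty"), None)
    if value is None:
        return "untagged"
    m = TAG_RE.match(value.strip())
    if not m:
        return "malformed-tag"
    user = m.group("user")
    return f"researcher:{user}" if user in known else f"unknown-researcher:{user}"

def summarise(requests, known=KNOWN_RESEARCHERS):
    """Count traffic classes over (method, path, headers) tuples."""
    return Counter(classify(h, known) for _, _, h in requests)

# Constructed sample requests, not real traffic.
SAMPLE = [
    ("GET", "/api/products?id=1", {"Host": "example.test", "X-Bug-Bounty": "hackerone-alice_sec"}),
    ("POST", "/login", {"Host": "example.test", "x-bug-bounty": "hackerone-bob-h1"}),
    ("GET", "/search?q=test", {"Host": "example.test", "X-Bug-Bounty": "hackerone-mallory"}),
    ("GET", "/admin", {"Host": "example.test", "X-Bug-Bounty": "alice_sec"}),
    ("GET", "/", {"Host": "example.test"}),
]

if __name__ == "__main__":
    for cls, n in sorted(summarise(SAMPLE).items()):
        print(f"{cls:28} {n}")
```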
Note: 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.
When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
“Confidential Information” shall include any information provided by DSM to the Hacker (Bug Bounty Program participants), including but not limited to any information, whether in written, oral, electronic or other tangible form (including the forms currently available and those made available by new technologies in the future), regarding financial, commercial, technical, professional, market and product-related matters, and all kinds of personal information disclosed.
In principle, DSM does not share personal data with the Hacker; the Hacker may access personal data only where this is necessary for the performance of the Articles of Association, limited to the performance of the services provided for in the Articles of Association.
If the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.
If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.
Please note that we can only consider your activities lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We expressly reserve the right to pursue legal action against any attempt, whether intentional or grossly negligent, to attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data.
If reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the BugBounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the BugBounty program. Therefore, it is necessary to submit your reports through this program.
DSM reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.
Thank you for keeping DSM and our users safe!