[IMPORTANT] Participation

By joining the program, you agree that you have read, understood the provisions set forth here, and agree to observe them - in addition to any other terms and conditions that may effect you in relation to participation in Intigriti platform and related cooperation.

In this program you can only test our staging environment on .allegro.pl.allegrosandbox.pl and .allegro.cz.allegrosandbox.pl

Do not test our production environments on *.allegro.pl, *.allegro.cz or *.allegrogroup.com. Attacking our production platform can end in banning your account in this program and in other legal consequences.

If the same vulnerability is present both on .cz and .pl domain, the bounty will be awarded only for the first report and only for one domain.

Please familiarize yourself also with the section "Test environment - Terms of Use" - https://developer.allegro.pl/tutorials/basic-information-VL6YelvVKTn - which are also binding you while participating in this program.

Program Rules

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with sandbox accounts you own or with explicit permission of the sandbox account holder.
• You must be the first reporter of a vulnerability associated with a participating service and we must be unaware of the vulnerability (there will also be no reward for a known vulnerability which we are actively fixing)
• You must have personally discovered the vulnerability and you may not report a vulnerability that was discovered by another person (including, in particular, someone who does not qualify to participate in the Bug Bounty Program)
• You must not be employed by Allegro or its subsidiaries (companies, for which Allegro is a dominating company) or related entities within the meaning of the Polish trade companies law, currently or in the last 12 months preceding the participation in the program
• You must comply with these rules when discovering the vulnerability and submitting the vulnerability report
• All user data gathered in the attack phase has to be anonymised in report and deleted from your machine as soon as possible
• Allegro is not legally obliged to pay the bounty

By participating in this program, you agree to:

• Not discuss or disclose vulnerability information with anyone not authorized by Allegro without prior written consent from Allegro
• Inform us as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
• Follow Intigriti Community Code of Conduct.
• Follow the Intigriti Terms and Conditions Community Code of Conduct.
• Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, the bounty is awarded only for the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be awarded with only one bounty – for the first report that was received related to the underlying issue..

Confidential Obligation

• Please keep any and all information obtained as a result of participation in the program in strict confidence and not disclose it; moreover, you shall take necessary precautions while storing this information notwithstanding the form in which it was provided (“Confidential Information”);
• You shall use the Confidential Information obtained as a result of participation in the program only within the scope required for such participation and shall take appropriate measures in order to keep this Confidential Information secret and prevent it from being disclosed to third parties;
• You shall be held liable for any direct and indirect damage that Allegro will incur as a result of disclosure of Confidential Information, including without limitation for any actual damage, lost profits, and any other costs incurred to enforce claims that the Allegro may have for the violation of these rules

Personal Data

• By Personal Data we understand information that directly or indirectly lead to identification of data subjects,
• In case of acquiring Personal Data as a result of the participation in the program you become the processor, whereas we remain the controller of those data,
• You must not engage any other processors,
• You are obliged to follow the following instruction: once you acquire Personal Data for which we are the controller, you have to delete them as soon as possible taking into account the intention of the program,
• You guarantee you are able to fulfill obligations imposed on you, as the processor, according to the Article 28 of GDPR.

Check our fix

Up to €50 bonus is available for a verification of a resolved issue (when requested).
This remains at the discretion of Allegro to award.

The Fine Print

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to this program terms retroactively.

If you have any other questions about the Sandbox environment or about our API, you can ask them on our forum:
https://github.com/allegro/allegro-api

Thank you for helping keep Allegro and our users safe!

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and should not be used for submission or support queries.

What is forbidden:

• Huge scans using automated tools are strictly prohibited. If your tests have a negative impact on an element of our platform, we can take action to block your IP address without further notice. If you still do prohibited actions on our platform, we will ban you from this program. In extreme cases we will take legal action on you.
• Disclosing any vulnerabilities or suspected vulnerabilities you discover to any other person without explicit authorization from Allegro
• Disclosing the contents of any submission to our program without explicit authorization from Allegro
• Accessing private information of any person stored on a product of Allegro or service – you must use test (sandbox) accounts for any purpose related to obtaining any kind of data
• Accessing sensitive information (e.g. credentials)
• Performing actions that may negatively affect Allegro or its customers (e.g. Spam, Brute force, Denial of Service)if you see that your test has impact on Allegro you must stop it and inform us about that
• Conducting any kind of physical attack on Allegro’s personnel, property or data centers
• Social engineering (e.g. phishing, vishing, smishing) any Allegro’s help desk, employee or contractor or user
• Exfiltrating data. Please test only the minimum necessary to validate a vulnerability (we can verify if the vulnerability would enable data exfiltration, and will reward respectively)
• Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities

Out of scope vulnerabilities

• API key disclosure without proven business impact
• Bugs in content/services that are not owned/operated by Allegro
• Vulnerabilities affecting users of outdated or unsupported browsers or platforms
• Vulnerabilities that require an unlikely amount of user interaction
• CSRF on forms available to anonymous users
• Missing CAPTCHA
• Password complexity or account recovery policies
• Username / email enumeration
• HTTPS Mixed Content
• Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages, cookie flags, lack of CSP
• SSL Forward Secrecy
• Invalid or missing SPF (Sender Policy Framework) records
• Weak SSL/TLS Cipher Suites
• Sending vulnerability reports using automated tools without validation
• Use of a known-vulnerable library without evidence of exploitability
• Attacks requiring physical access to a user's unlocked device
• Reports of spam, phishing or security best practices
• Vulnerabilities that only work on software that no longer receive security updates
• Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
• Self-XSS that can't be used to exploit other users
• DoS/DDoS attacks
• Email bombing

We use our contextual CVSS standard, using CVSSv3 as a scoring system and applying a business impact modifier if needed.
You can find more details about it here.

Where can I find information about Allegro API and Sandbox

Please visit our developer website for all necessary technical information.