Extra bounties on login.prod.nube.tech
12/1/2025, 7:40:35 AM (7 days ago)

From today, 1st of December, until 18th of December 23:59 we will run a special campaign for our authentication service.

In this period we've bumped the bounties (~25 %) on all severity levels for login.prod.nube.tech

The login portal is a critical service in our infrastructure handling user authentication and assigning access policies. It is built with Django.

To make it more interesting you can in this period also bypass the WAF by adding intigriti-bb to the end of your user-agent. Make sure you use lowercase.

Brute-force / password spraying attacks and such are not in scope. Please refrain from these attacks when testing the service.

Happy hacking!

iOS and Android apps
11/12/2025, 12:34:21 PM (26 days ago)

We have corrected a copy-paste error in the scope section for the mobile apps. The IDs for the Mathem iOS app and the Oda Android app are now the correct ones. Sorry about the confusion!

Mathem.se domain moved to tier 2
2/19/2025, 12:02:58 PM (10 months ago)

The domain mathem.se and the Android and iOS apps have been moved to tier 2 and are eligible for higher bounties.

New iOS, Android and URL added to scope
4/4/2024, 1:10:50 PM (over 1 year ago)

The Swedish brand Mathem is now part of the Oda group.

We've added the Mathem app for both iOS and Android, as well as the website mathem.se, to the bug bounty program.

Requests per second
12/5/2023, 9:56:09 AM (about 2 years ago)

We remind you to be mindful of the requests per second (RPS) when testing our services; this is especially important when running automated tools such as ffuf (Fuzz Faster U Fool).

The current limit has been updated to 5 RPS. IP addresses that keep violating this rule will be banned permanently.

We also encourage you to use the X-bounty header so that we can distinguish your traffic from malicious traffic.

Thanks!
Security team in Oda

Scope updated
12/4/2023, 1:58:53 PM (about 2 years ago)

We have updated the scope for the program to include our domain *.prod.nube.tech. Most of the services are behind our authentication proxy and therefore not exposed.

However, you will find our new authentication service available on login.oda.com and login.prod.nube.tech. This is a new service built with Django.

Updates
10/26/2023, 9:22:35 AM (about 2 years ago)

Technology updates

We are introducing Fastly CDN and Fastly WAF on our main site, oda.com. We are especially interested in any misconfigurations that can lead to vulnerabilities.

General

Oda has temporarily shut down its operations in Germany and Finland, which also means that those shops are down. However, you can still test our shop in Norway, but unfortunately it is only available in Norwegian.

Regards,
Security team in Oda

Minor update to rules of engagement
10/6/2022, 5:59:14 PM (about 3 years ago)

We now require the request header **X-bounty: <your Intigriti username>** on all requests when you participate in Oda's bug bounty program.

In Burp Suite you can simply add a rule under: Proxy > Options > Match and replace.

Regards,
Security in Oda
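The two rules of engagement above (the 5 RPS limit from the "Requests per second" update and the mandatory X-bounty header from this update) are easy to get wrong in a hand-rolled scanner. As an added example, not Oda's or Intigriti's own tooling, here is a small request pacer that enforces a sliding one-second window of at most 5 requests and stamps every request with the X-bounty header; the username "tester" and the FakeClock used for the offline demonstration are constructed.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, List

# Added example, not Oda's or Intigriti's own tooling: a pacer that keeps a
# tester's automated traffic under the program's 5 RPS limit and stamps every
# request with the required X-bounty header.
RPS_LIMIT = 5           # limit stated in the program update
WINDOW_SECONDS = 1.0


class PacedRequester:
    """Sliding-window pacer: at most RPS_LIMIT requests in any 1-second window."""

    def __init__(self, username: str,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.headers: Dict[str, str] = {"X-bounty": username}  # required header
        self._clock, self._sleep = clock, sleep
        self._sent: Deque[float] = deque()  # send times inside the current window

    def acquire(self) -> float:
        """Block until a slot is free; return the delay that was applied."""
        now = self._clock()
        while self._sent and now - self._sent[0] >= WINDOW_SECONDS:
            self._sent.popleft()           # expired entries leave the window
        delay = 0.0
        if len(self._sent) >= RPS_LIMIT:   # window full: wait for the oldest to expire
            delay = WINDOW_SECONDS - (now - self._sent[0])
            self._sleep(delay)
            now = self._clock()
            self._sent.popleft()
        self._sent.append(now)
        return delay


class FakeClock:
    """Constructed clock so the demonstration runs offline without real waiting."""
    def __init__(self) -> None:
        self.t = 0.0
    def now(self) -> float:
        return self.t
    def sleep(self, seconds: float) -> None:
        self.t += seconds


def simulate_burst(count: int, username: str = "tester") -> List[float]:
    """Fire `count` requests back-to-back on a fake clock; return per-request delays."""
    clk = FakeClock()
    pacer = PacedRequester(username, clock=clk.now, sleep=clk.sleep)
    return [pacer.acquire() for _ in range(count)]
```

With a real HTTP client you would call `pacer.acquire()` before each request and pass `pacer.headers` as the request headers; the default clock and sleep then wait on real time.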

Bounties++
9/1/2022, 8:59:09 AM (over 3 years ago)

As of today, we have increased the bounties.

Regards,
Security in Oda

We've increased the scope
5/2/2022, 6:36:31 AM (over 3 years ago)

Hi!

We've now been running the bug bounty program for about a month. We've decided to increase the scope and have added *.oda.com to it.

Regards,
Security in Oda