[{"id":3764575,"new_policy":"As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nDSM will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from DSM.\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\nThe program rules for the Bug Bounty program are listed below. We would like to emphasize that violating these rules may result in legal and/or criminal liability for you.\n\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any DSM facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test DSM accounts that are not your own.\n- Do not threaten DSM and do not try to extort it. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered.\n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of DSM services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop DSM's business operations.\n- Reports on outdated versions/builds of in-scope Mobile Apps are out of scope.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate in the public bounty program or to provide information to an external security researcher to bypass this prohibition 
(in which case all parties are ineligible under this program).\n\n# Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (APIs called from the web and mobile apps are accepted in scope)\n- m.trendyol.com (APIs called from the web and mobile apps are accepted in scope)\n- www.dolap.com (APIs called from the web and mobile apps are accepted in scope)\n- www.trendyol-milla.com (APIs called from the web and mobile apps are accepted in scope)\n- www.tgoyemek.com (APIs called from the web and mobile apps are accepted in scope)\n\n# In-Scope Vulnerabilities\n\n| Vulnerability | Severity Range |\n| ------------- | ------------- |\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| NoSQL Injection | Medium - Critical |\n| XXE | Low - Critical |\n| XSS | Low - Critical |\n| Server-Side Request Forgery | Low - Critical |\n| Insecure Deserialization | High - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Low - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - High |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Critical |\n| Open Redirect | Low |\n| Information Disclosure | Low - Critical |\n| Request Smuggling | Low - High |\n| Dependency Confusion | Low - High |\n| Mixed Content | Low |\n| Server Side Template Injection | Low - High |\n| Client Side Template Injection | Low - Medium |\n\n# Test Plan\nWeb traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal data and from malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n\n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC team constantly analyzes traffic, so if you don't set this header you might be blocked.\n\n**Format** -\u003e `X-Bug-Bounty: hackerone-{username}`\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-DSM applications\n- OTP rate limit\n- Issues about deeplinks\n- XSS due to Swagger-UI\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or no meaningful business impact\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack vector or being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect, unless an additional security impact can be demonstrated\n- Host header injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect DSM or its customers\n- Conducting any kind of physical attack on DSM’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HttpOnly flags on session cookies, any vulnerability that leads to Account Takeover on this basis may be capped at CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.**\n- XML-RPC vulnerabilities\n- Confidential information leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing security HTTP headers (without proof of exploitability)\n- \"Self\" XSS\n- Social engineering attacks\n- Issues related to networking protocols\n- Reports on outdated versions/builds of in-scope Mobile Apps\n- Banner grabbing\n- Scanner outputs\n- Password complexity\n- User enumeration\n- Stack traces, path disclosure, directory listings\n- X-XSS-Protection header\n- Software version disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\n“Confidential Information” shall include, but not be limited to, any information provided by DSM to the Hacker (Bug Bounty Program participant), whether in written, oral, electronic or other tangible form, including, without limitation, the forms currently available and those made available by new technologies in the future, regarding financial, commercial, technical, professional, market and product-related information and all kinds of personal information to be disclosed.\n\nIn principle, DSM does not share personal data with the Hacker; the Hacker may access personal data only on the legal basis that it is compulsory for the performance of the Articles of Association, and only to the extent required for the services provided under the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please 
stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not rule out pursuing legal action against any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data.\n\n# Legal\nIf reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the Bug Bounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the Bug Bounty program. Therefore, it is necessary to submit your reports through this program.\n\nDSM reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please check this website regularly, as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping DSM and our users safe!
\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-14T12:22:50.687Z"},{"id":3762156,"new_policy":"As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nDSM will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from DSM.\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\nThe program rules for the Bug Bounty program are listed below. We would like to emphasize that violating these rules may result in legal and/or criminal liability for you.\n\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any DSM facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test DSM accounts that are not your own.\n- Do not threaten DSM and do not try to extort it. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered.\n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of DSM services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop DSM's business operations.\n- Reports on outdated versions/builds of in-scope Mobile Apps are out of scope.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate in the public bounty program or to provide information to an external security researcher to bypass this prohibition 
(in which case all parties are ineligible under this program).\n\n# Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (APIs called from the web and mobile apps are accepted in scope)\n- m.trendyol.com (APIs called from the web and mobile apps are accepted in scope)\n- www.dolap.com (APIs called from the web and mobile apps are accepted in scope)\n- www.trendyol-milla.com (APIs called from the web and mobile apps are accepted in scope)\n- www.tgoyemek.com (APIs called from the web and mobile apps are accepted in scope)\n\n# In-Scope Vulnerabilities\n\n| Vulnerability | Severity Range |\n| ------------- | ------------- |\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| NoSQL Injection | Medium - Critical |\n| XXE | Low - Critical |\n| XSS | Low - Critical |\n| Server-Side Request Forgery | Low - Critical |\n| Insecure Deserialization | High - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Low - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - High |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Critical |\n| Open Redirect | Low |\n| Information Disclosure | Low - Critical |\n| Request Smuggling | Low - High |\n| Dependency Confusion | Low - High |\n| Mixed Content | Low |\n| Server Side Template Injection | Low - High |\n| Client Side Template Injection | Low - Medium |\n| Subdomain Takeover | Low - High |\n\n# Test Plan\nWeb traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal data and from malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n\n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC team constantly analyzes traffic, so if you don't set this header you might be blocked.\n\n**Format** -\u003e `X-Bug-Bounty: hackerone-{username}`\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-DSM applications\n- OTP rate limit\n- Issues about deeplinks\n- XSS due to Swagger-UI\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or no meaningful business impact\n- Attacks requiring MITM or physical access to a user's device\n- Previously known vulnerable libraries without a working Proof of Concept\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability\n- Missing best practices in SSL/TLS configuration\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack vector or being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect, unless an additional security impact can be demonstrated\n- Host header injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect DSM or its customers\n- Conducting any kind of physical attack on DSM’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HttpOnly flags on session cookies, any vulnerability that leads to Account Takeover on this basis may be capped at CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.**\n- XML-RPC vulnerabilities\n- Confidential information leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing security HTTP headers (without proof of exploitability)\n- \"Self\" XSS\n- Social engineering attacks\n- Issues related to networking protocols\n- Reports on outdated versions/builds of in-scope Mobile Apps\n- Banner grabbing\n- Scanner outputs\n- Password complexity\n- User enumeration\n- Stack traces, path disclosure, directory listings\n- X-XSS-Protection header\n- Software version disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\n“Confidential Information” shall include, but not be limited to, any information provided by DSM to the Hacker (Bug Bounty Program participant), whether in written, oral, electronic or other tangible form, including, without limitation, the forms currently available and those made available by new technologies in the future, regarding financial, commercial, technical, professional, market and product-related information and all kinds of personal information to be disclosed.\n\nIn principle, DSM does not share personal data with the Hacker; the Hacker may access personal data only on the legal basis that it is compulsory for the performance of the Articles of Association, and only to the extent required for the services provided under the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please 
stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not rule out pursuing legal action against any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data.\n\n# Legal\nIf reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the Bug Bounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the Bug Bounty program. Therefore, it is necessary to submit your reports through this program.\n\nDSM reserves the right to modify the terms and conditions of this program, and your participation in the program constitutes acceptance of all terms. Please check this website regularly, as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping DSM and our users safe!
\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-09-01T10:54:39.204Z"},{"id":3762023,"new_policy":"As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nDSM will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from DSM.\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n\nThe program rules for the Bug Bounty program are listed below. We would like to emphasize that violating these rules may result in legal and/or criminal liability for you.\n\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any DSM facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test DSM accounts that are not your own.\n- Do not threaten DSM and do not try to extort it. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered.\n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of DSM services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop DSM's business operations.\n- Reports on outdated versions/builds of in-scope Mobile Apps are out of scope.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate in the public bounty program or to provide information to an external security researcher to bypass this prohibition 
(in which case all parties are ineligible under this program).\n\n# Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (APIs called from the web and mobile apps are accepted in scope)\n- m.trendyol.com (APIs called from the web and mobile apps are accepted in scope)\n- www.dolap.com (APIs called from the web and mobile apps are accepted in scope)\n- www.trendyol-milla.com (APIs called from the web and mobile apps are accepted in scope)\n\n# In-Scope Vulnerabilities\n\n| Vulnerability | Severity Range |\n| ------------- | ------------- |\n| Remote Code Execution | Critical |\n| SQL Injection | High - Critical |\n| NoSQL Injection | Medium - Critical |\n| XXE | Low - Critical |\n| XSS | Low - Critical |\n| Server-Side Request Forgery | Low - Critical |\n| Insecure Deserialization | High - Critical |\n| Directory Traversal - Local File Inclusion | Medium - High |\n| Authentication/Authorization Bypass (Broken Access Control) | Medium - High |\n| Privilege Escalation | Medium - High |\n| Insecure Direct Object Reference | Low - Critical |\n| Misconfiguration | Low - High |\n| Web Cache Deception | Low - High |\n| CRLF Injection | Low - Medium |\n| Cross Site Request Forgery | Low - Critical |\n| Open Redirect | Low |\n| Information Disclosure | Low - Critical |\n| Request Smuggling | Low - High |\n| Dependency Confusion | Low - High |\n| Mixed Content | Low |\n| Server Side Template Injection | Low - High |\n| Client Side Template Injection | Low - Medium |\n| Subdomain Takeover | Low - High |\n\n# Test Plan\nWeb traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to distinguish your testing traffic from our normal data and from malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n\n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC team constantly analyzes traffic, so if you don't set this header you might be blocked.\n\n**Format** -\u003e `X-Bug-Bounty: hackerone-{username}`\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-DSM Applications\n- OTP Rate Limit\n- Issues About Deeplink \n- XSS due to Swagger-UI \n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive - actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack - vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect DSM or its customers\n- Conducting any kind of physical attack on DSM’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n- Confidential Information Leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing Security HTTP Headers (without proof of exploitability)\n- \"Self\" XSS\n- Social Engineering attacks\n- Issues related to networking protocols\n- Reports on outdated version/builds of in-scope Mobile Apps\n- Banner Grabbing\n- Scanner Outputs\n- Password Complexity\n- User Enumeration\n- Host header Injection without a demonstrable impact\n- Stack Traces, Path Disclosure, Directory Listings\n- X-XSS-Protection Header\n- Software Version Disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by DSM to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, DSM does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please 
stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nIf reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the BugBounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the BugBounty program. Therefore, it is necessary to submit your reports through this program.\n\nDSM reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping DSM and our users safe! 
\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-28T14:29:18.593Z"},{"id":3713615,"new_policy":"As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and  look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nDSM will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from DSM\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n\nThe program rules for the Bug Bounty program are listed below. In the event of any violation of these rules, we would like to emphasize that performing these actions may result in legal and/or criminal liability for you.\n\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any DSM facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test DSM accounts that are not your own.\n- Do not threaten the DSM and do not try to extort them. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered. \n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of DSM services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop DSM's business operations. \n- Reports on outdated versions/builds of in-scope Mobile Apps.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate  in the public bounty program or to provide information with an external security researcher to bypass this prohibition. 
(in which case all parties are ineligible under this program)\n\n\n#Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- m.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- www.dolap.com (Called from web and mobile apps API will be accepted in scope)\n- www.trendyol-milla.com (Called from web and mobile apps API will be accepted in scope)\n\n#In-Scope Vulnerability\n| Vulnerability                                               | Severity Range\n|----------                                                  |----------\n|Remote Code Execution                                       |Critical\n|SQL Injection                                               |High - Critical\n|NoSQL Injection                                             |Medium - Critical\n|XXE                                                         |Low - Critical\n|XSS                                                         |Low - Critical\n|Server-Side Request Forgery                                 |Low - Critical\n|Insecure Deserialization                                    |High - Critical\n|Directory Traversal - Local File Inclusion                  |Medium - High\n|Authentication/Authorization Bypass (Broken Access Control) |Medium - High\n|Privilege Escalation                                        |Medium - High\n|Insecure Direct Object Reference                            |Low - Critical\n|Misconfiguration                                            |Low - High\n|Web Cache Deception                                         |Low - High\n|CRLF Injection                                              |Low - Medium\n|Cross Site Request Forgery                                  |Low - Critical\n|Open Redirect                                               |Low\n|Information Disclosure                                      |Low - Critical\n|Request smuggling                                  
         |Low - High\n|Dependency Confusion                                        |Low - High\n|Mixed Content                                               |Low\n|Server Side Template Injection                              |Low - High\n|Client Side Template Injection                              |Low - Medium\n|Subdomain Takeover                                          |Low - High\n\n#Test Plan\nWeb traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC Team is constantly analyzing the traffic so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-DSM Applications\n- OTP Rate Limit\n- Issues About Deeplink \n- XSS due to Swagger-UI \n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive - actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack - vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect DSM or its customers\n- Conducting any kind of physical attack on DSM’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n- Confidential Information Leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing Security HTTP Headers (without proof of exploitability)\n- \"Self\" XSS\n- Social Engineering attacks\n- Issues related to networking protocols\n- Reports on outdated version/builds of in-scope Mobile Apps\n- Banner Grabbing\n- Scanner Outputs\n- Password Complexity\n- User Enumeration\n- Host header Injection without a demonstrable impact\n- Stack Traces, Path Disclosure, Directory Listings\n- X-XSS-Protection Header\n- Software Version Disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by DSM to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, DSM does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please 
stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nIf reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the BugBounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the BugBounty program. Therefore, it is necessary to submit your reports through this program.\n\nDSM reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping DSM and our users safe! 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-05T11:13:14.535Z"},{"id":3709934,"new_policy":"As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and  look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nDSM will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from DSM\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n\nThe program rules for the Bug Bounty program are listed below. In the event of any violation of these rules, we would like to emphasize that performing these actions may result in legal and/or criminal liability for you.\n\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any DSM facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test DSM accounts that are not your own.\n- Do not threaten the DSM and do not try to extort them. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered. \n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of DSM services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop DSM's business operations. \n- Reports on outdated versions/builds of in-scope Mobile Apps.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate  in the public bounty program or to provide information with an external security researcher to bypass this prohibition. 
(in which case all parties are ineligible under this program)\n\n\n#Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- m.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- www.dolap.com (Called from web and mobile apps API will be accepted in scope)\n\n#In-Scope Vulnerability\n| Vulnerability                                               | Severity Range\n|----------                                                  |----------\n|Remote Code Execution                                       |Critical\n|SQL Injection                                               |High - Critical\n|NoSQL Injection                                             |Medium - Critical\n|XXE                                                         |Low - Critical\n|XSS                                                         |Low - Critical\n|Server-Side Request Forgery                                 |Low - Critical\n|Insecure Deserialization                                    |High - Critical\n|Directory Traversal - Local File Inclusion                  |Medium - High\n|Authentication/Authorization Bypass (Broken Access Control) |Medium - High\n|Privilege Escalation                                        |Medium - High\n|Insecure Direct Object Reference                            |Low - Critical\n|Misconfiguration                                            |Low - High\n|Web Cache Deception                                         |Low - High\n|CRLF Injection                                              |Low - Medium\n|Cross Site Request Forgery                                  |Low - Critical\n|Open Redirect                                               |Low\n|Information Disclosure                                      |Low - Critical\n|Request smuggling                                           |Low - High\n|Dependency Confusion                                        |Low - 
High\n|Mixed Content                                               |Low\n|Server Side Template Injection                              |Low - High\n|Client Side Template Injection                              |Low - Medium\n|Subdomain Takeover                                          |Low - High\n\n#Test Plan\nWeb traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC Team is constantly analyzing the traffic so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-DSM Applications\n- OTP Rate Limit\n- Issues About Deeplink \n- XSS due to Swagger-UI \n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive - actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack - vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect DSM or its customers\n- Conducting any kind of physical attack on DSM’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n- Confidential Information Leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing Security HTTP Headers (without proof of exploitability)\n- \"Self\" XSS\n- Social Engineering attacks\n- Issues related to networking protocols\n- Reports on outdated version/builds of in-scope Mobile Apps\n- Banner Grabbing\n- Scanner Outputs\n- Password Complexity\n- User Enumeration\n- Host header Injection without a demonstrable impact\n- Stack Traces, Path Disclosure, Directory Listings\n- X-XSS-Protection Header\n- Software Version Disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by DSM to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, DSM does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please 
stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nIf reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the BugBounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the BugBounty program. Therefore, it is necessary to submit your reports through this program.\n\nDSM reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping DSM and our users safe! 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-27T12:39:44.662Z"},{"id":3708590,"new_policy":"As DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“DSM”), we highly value security and privacy and  look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nDSM will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from DSM\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n\nThe program rules for the Bug Bounty program are listed below. In the event of any violation of these rules, we would like to emphasize that performing these actions may result in legal and/or criminal liability for you.\n\n- Social engineering (e.g. 
phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any DSM facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test DSM accounts that are not your own.\n- Do not threaten the DSM and do not try to extort them. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered. \n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of DSM services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop DSM's business operations. \n- Reports on outdated versions/builds of in-scope Mobile Apps.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate  in the public bounty program or to provide information with an external security researcher to bypass this prohibition. 
(in which case all parties are ineligible under this program)\n\n\n#Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- m.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- www.dolap.com (Called from web and mobile apps API will be accepted in scope)\n- www.trendyol-milla.com (Called from web apps API will be accepted in scope)\n\n#In-Scope Vulnerability\n| Vulnerability                                               | Severity Range\n|----------                                                  |----------\n|Remote Code Execution                                       |Critical\n|SQL Injection                                               |High - Critical\n|NoSQL Injection                                             |Medium - Critical\n|XXE                                                         |Low - Critical\n|XSS                                                         |Low - Critical\n|Server-Side Request Forgery                                 |Low - Critical\n|Insecure Deserialization                                    |High - Critical\n|Directory Traversal - Local File Inclusion                  |Medium - High\n|Authentication/Authorization Bypass (Broken Access Control) |Medium - High\n|Privilege Escalation                                        |Medium - High\n|Insecure Direct Object Reference                            |Low - Critical\n|Misconfiguration                                            |Low - High\n|Web Cache Deception                                         |Low - High\n|CRLF Injection                                              |Low - Medium\n|Cross Site Request Forgery                                  |Low - Critical\n|Open Redirect                                               |Low\n|Information Disclosure                                      |Low - Critical\n|Request smuggling                                           
|Low - High\n|Dependency Confusion                                        |Low - High\n|Mixed Content                                               |Low\n|Server Side Template Injection                              |Low - High\n|Client Side Template Injection                              |Low - Medium\n|Subdomain Takeover                                          |Low - High\n\n#Test Plan\nWeb traffic to and from DSM properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in DSM bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC Team is constantly analyzing the traffic so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-DSM Applications\n- OTP Rate Limit\n- Issues About Deeplink \n- XSS due to Swagger-UI \n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive - actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack - vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by it\n- Performing actions that may negatively affect DSM or its’ customers\n- Conducting any kind of physical attack on DSM’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n- Confidential Information Leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing Security HTTP Headers (without proof of exploitability)\n- \"Self\" XSS\n- Social Engineering attacks\n- Issues related to networking protocols\n- Reports on outdated version/builds of in-scope Mobile Apps\n- Banner Grabbing\n- Scanner Outputs\n- Password Complexity\n- User Enumeration\n- Host header Injection without a demonstrable impact\n- Stack Traces, Path Disclosure, Directory Listings\n- X-XSS-Protection Header\n- Software Version Disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by DSM to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, DSM does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please 
stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nIf reports/notifications falling within the scope of this Policy are conveyed through a different channel, your report/notification will not be taken into consideration by our company. Instead, you will be directed to the BugBounty Program to submit your report. According to our company policies and procedures, reviews of reports and notifications are carried out by our technical teams only when they are transmitted within the scope of the BugBounty program. Therefore, it is necessary to submit your reports through this program.\n\nDSM reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping DSM and our users safe! 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-05T06:04:42.417Z"},{"id":3683817,"new_policy":"DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“Trendyol Group” or “Trendyol”) is the largest e-commerce platform in Turkey, and looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nTrendyol Group will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Trendyol Group\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any Trendyol facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test Trendyol Group accounts that are not your own.\n- Do not threaten the Trendyol Group and do not try to extort them. Do not act with malicious intent and do not ask for ransom. If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered. \n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Trendyol Group services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop Trendyol Group's business operations. \n- Reports on outdated versions/builds of in-scope Mobile Apps.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate  in the public bounty program or to provide information with an external security researcher to bypass this prohibition. 
(in which case all parties are ineligible under this program)\n\n\n#Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- m.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- www.dolap.com (Called from web and mobile apps API will be accepted in scope)\n\n#In-Scope Vulnerability\n| Vulnerability                                               | Severity Range\n|----------                                                  |----------\n|Remote Code Execution                                       |Critical\n|SQL Injection                                               |High - Critical\n|NoSQL Injection                                             |Medium - Critical\n|XXE                                                         |Low - Critical\n|XSS                                                         |Low - Critical\n|Server-Side Request Forgery                                 |Low - Critical\n|Insecure Deserialization                                    |High - Critical\n|Directory Traversal - Local File Inclusion                  |Medium - High\n|Authentication/Authorization Bypass (Broken Access Control) |Medium - High\n|Privilege Escalation                                        |Medium - High\n|Insecure Direct Object Reference                            |Low - Critical\n|Misconfiguration                                            |Low - High\n|Web Cache Deception                                         |Low - High\n|CRLF Injection                                              |Low - Medium\n|Cross Site Request Forgery                                  |Low - Critical\n|Open Redirect                                               |Low\n|Information Disclosure                                      |Low - Critical\n|Request smuggling                                           |Low - High\n|Dependency Confusion                                        |Low - 
High\n|Mixed Content                                               |Low\n|Server Side Template Injection                              |Low - High\n|Client Side Template Injection                              |Low - Medium\n|Subdomain Takeover                                          |Low - High\n\n#Test Plan\nWeb traffic to and from Trendyol properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Trendyol bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. Our SOC Team is constantly analyzing the traffic so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n**Note:** 0-day and other CVE vulnerabilities may be reported 45 days after initial publication. We have a team dedicated to tracking CVEs as they are released; hosts identified by this team and internally ticketed will not be eligible for bounty.\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. 
The following issues are considered out of scope:\n\n- Any non-Trendyol Applications\n- OTP Rate Limit\n- Issues About Deeplink \n- XSS due to Swagger-UI \n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive - actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack - vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by it\n- Performing actions that may negatively affect Trendyol or its’ customers\n- Conducting any kind of physical attack on Trendyol’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n- Confidential Information Leakage\n- Missing cookie flags\n- Physical attacks\n- Results of automated scanners\n- Autocomplete attribute on web forms\n- \"Self\" exploitation\n- Flash-based XSS\n- Verbose error pages (without proof of exploitability)\n- Missing Security HTTP Headers (without proof of exploitability)\n- \"Self\" XSS\n- Social Engineering attacks\n- Issues related to networking protocols\n- Reports on outdated version/builds of in-scope Mobile Apps\n- Banner Grabbing\n- Scanner Outputs\n- Password Complexity\n- User Enumeration\n- Host header Injection without a demonstrable impact\n- Stack Traces, Path Disclosure, Directory Listings\n- X-XSS-Protection Header\n- Software Version Disclosure\n- Internal pivoting, scanning, exploiting, or exfiltrating data\n- All Flash-related bugs\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by Trendyol Group to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, Trendyol Group does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of 
your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nTrendyol reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping Trendyol Group and our users safe! \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-02-19T19:03:35.636Z"},{"id":3679662,"new_policy":"DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“Trendyol Group” or “Trendyol”) is the largest e-commerce platform in Turkey, and looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nTrendyol Group will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Trendyol Group\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n#Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any Trendyol facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test Trendyol Group accounts that are not your own.\n- Do not threaten the Trendyol Group and do not try to extort them. Do not act with malicious intent and do not ask for ransom. 
If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered. \n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Trendyol Group services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop Trendyol Group's business operations. \n- Reports on outdated versions/builds of in-scope Mobile Apps.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate  in the public bounty program or to provide information with an external security researcher to bypass this prohibition. (in which case all parties are ineligible under this program)\n\n\n#Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- m.trendyol.com (Called from web and mobile apps API will be accepted in scope)\n- www.dolap.com (Called from web and mobile apps API will be accepted in scope)\n\n#Test Plan\nWeb traffic to and from Trendyol properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Trendyol bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. 
Our SOC Team is constantly analyzing the traffic so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n- Issues About Deeplink \n- XSS due to Swagger-UI \n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive - actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack - vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect Trendyol or its customers\n- Conducting any kind of physical attack on Trendyol’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by Trendyol Group to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, Trendyol Group does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. 
We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nTrendyol reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping Trendyol Group and our users safe! \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-08T10:11:50.637Z"},{"id":3679661,"new_policy":"DSM GRUP DANIŞMANLIK İLETİŞİM VE TİCARET A.Ş. (“Trendyol Group” or “Trendyol”) is the largest e-commerce platform in Turkey, and looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nTrendyol Group will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Trendyol Group\n* Thank you for joining us in supporting ethical and responsible disclosure. By participating in this program, you agree not to share publicly or privately any details or descriptions of your findings with any party.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Do not perform physical attacks against any Trendyol facility.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test Trendyol Group accounts that are not your own.\n- Do not threaten the Trendyol Group and do not try to extort them. Do not act with malicious intent and do not ask for ransom. 
If you violate this rule, we will exclude you from all current and future programs and none of your reports will be considered. \n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Trendyol Group services.\n- Do not perform brute force attacks, denial of service attacks or other attacks that are likely to disrupt, delay or stop Trendyol Group's business operations. \n- Reports on outdated versions/builds of in-scope Mobile Apps.\n- It is strictly forbidden for employees, contractors, and members of their immediate families to participate in the public bounty program or to provide information to an external security researcher to bypass this prohibition (in which case all parties are ineligible under this program).\n\n\n# Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (APIs called from the web and mobile apps are accepted as in scope)\n- m.trendyol.com (APIs called from the web and mobile apps are accepted as in scope)\n- www.dolap.com (APIs called from the web and mobile apps are accepted as in scope)\n\n# Test Plan\nWeb traffic to and from Trendyol properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Trendyol bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. 
Our SOC team is constantly analyzing the traffic, so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n- Issues about deeplinks\n- XSS due to Swagger-UI\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect Trendyol or its customers\n- Conducting any kind of physical attack on Trendyol’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. 
**Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n\n# Confidentiality and Protection of Personal Data\nThe “Confidential Information” shall include, any information provided by Trendyol Group to the Hacker (Bug Bounty Program Participants) but not be limited to any information, whether in written, oral, electronic, or other tangible forms including, without limitation, the forms currently available and those made available by new technologies in future, regarding the financial, commercial, technical, professional, market and product-related and all kinds of personal information to be disclosed.\n\nIn principle, Trendyol Group does not share personal data with Hacker, and only the Hacker can access personal data based on the legal reason that it is compulsory for the performance of the Articles of Association, limited to the performance of the services provided in the Articles of Association.\n\nIf the Hacker accesses personal data that is not necessary for the performance of the Agreement, it will immediately destroy that information and any copies.\n\nIf you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.\n\n\n# Safe Harbor\nPlease note that we can only consider your activities to be lawful if they are proportionate and the purpose of your actions is consistent with the purpose of this Policy. 
We explicitly do not exclude that any attempt to intentionally or grossly negligently attack our systems with the intent to harm us and/or compromise the confidentiality, integrity or availability of our data may be pursued with legal action.\n\n# Legal\nTrendyol reserves the right to modify the terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this website regularly as we update our program terms and conditions of participation periodically. We reserve the right to terminate this program at any time.\n\nThank you for keeping Trendyol Group and our users safe! \n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-11-08T10:11:18.012Z"},{"id":3676134,"new_policy":"Trendyol Group is the largest e-commerce platform in Turkey, and looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. 
Off the back of a successful HackerOne Challenge, we are excited to continue leveraging Hacker Powered Security with HackerOne's diverse talent pool.\n\n# Response Targets\nTrendyol Group will make its best effort to meet the following SLAs for hackers participating in our program:\n\n| Type of Response | SLA in business days |\n| ------------- | ------------- |\n| First Response | 2 days |\n| Time to Triage | 2 days |\n| Time to Bounty | 14 days |\n| Time to Resolution | depends on severity and complexity |\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n# Disclosure Policy\n* As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\n- Social engineering (e.g. phishing, vishing, smishing) is prohibited.\n- Follow HackerOne's disclosure guidelines.\n- Please provide detailed reports with reproducible steps. 
If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.\n- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).\n- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n- Do not compromise or test Trendyol accounts that are not your own.\n- Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Trendyol services.\n- Reports on outdated versions/builds of in-scope Mobile Apps.\n\n# Scope\nOur scopes are listed in the assets section below.\n\n- www.trendyol.com (APIs called from the web and mobile apps are accepted as in scope)\n- m.trendyol.com (APIs called from the web and mobile apps are accepted as in scope)\n- www.dolap.com (APIs called from the web and mobile apps are accepted as in scope)\n\n# Test Plan\nWeb traffic to and from Trendyol properties produces petabytes of data every day. When testing, you can make it easier for us to identify your testing traffic against our normal data and the malicious actors out in the world. Please do the following when participating in Trendyol bug bounty programs:\n\n- Please create accounts using a HackerOne email to help us track security research activity. Where possible, register accounts using your username@wearehackerone.com addresses. Some of our properties will require this to be eligible for a bounty.\n \n- Include a custom HTTP header in all your traffic. Report to us what header you set so we can identify it easily. 
Our SOC team is constantly analyzing the traffic, so if you don't set this header you might be blocked.\n\n**Format** -\u003e X-Bug-Bounty: hackerone-{username}\n\n# Out-of-scope vulnerabilities\n\nWhen reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:\n\n- Issues about deeplinks\n- XSS due to Swagger-UI\n- Clickjacking on pages with no sensitive actions\n- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions or non-impactful business impact\n- Attacks requiring MITM or physical access to a user's device.\n- Previously known vulnerable libraries without a working Proof of Concept.\n- Comma Separated Values (CSV) injection without demonstrating a vulnerability.\n- Missing best practices in SSL/TLS configuration.\n- Any activity that could lead to the disruption of our service (DoS)\n- Content spoofing and text injection issues without showing a significant attack vector/without being able to modify HTML/CSS\n- CORS without exploitation\n- Missing security-related HTTP headers which do not lead directly to a vulnerability\n- Rate limiting or brute force issues relying on Cloudflare\n- Missing best practices in Content Security Policy\n- Missing HttpOnly or Secure flags on cookies\n- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)\n- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. 
stack traces, application or server errors)\n- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis\n- Tabnabbing\n- Open redirect - unless an additional security impact can be demonstrated\n- Host header Injection without a demonstrable impact\n- Issues that require unlikely user interaction\n- Vulnerabilities relating to root detection and cert pinning\n- Vulnerabilities relating to outdated versions of Android\n- Cloudflare public IP leaks\n- Any issues relating to chat features\n- Automated scans and vulnerabilities found by them\n- Performing actions that may negatively affect Trendyol or its customers\n- Conducting any kind of physical attack on Trendyol’s personnel, property or data centers\n- Exfiltrating data. Please test only the minimum necessary to validate a vulnerability\n- Violating any applicable laws or breaching any applicable agreements in order to discover vulnerabilities\n- Any form of brute force attacks\n- As we have a known issue of missing HTTPOnly flags on session cookies, any vulnerability that leads to Account Take Over under this basis may be capped at a CVSS Medium\n- We'll accept notifications of domain takeover, but they're not eligible for bounty. **Please note that performing the takeover is strictly prohibited.** \n- XML-RPC Vulnerabilities\n\n# Safe Harbor\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n\nThank you for keeping Trendyol Group and our users safe! 
\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-08-16T07:46:50.610Z"}]