# Rozetka VDP (Vulnerability Disclosure Policy)

A vulnerability is a technical weakness in a Rozetka asset that attackers could use to compromise the asset or its users.

The company reserves the right to make the final decision on any reward, and its amount, for reported vulnerabilities.

## Scope

This policy applies to all internet-facing systems of Rozetka, that is, to any asset owned or operated by Rozetka.

### In scope

Rozetka's entire web and mobile presence, including:

#### Domains and subdomains
- *.rozetka.ua
- *.rozetka.com.ua
- *.rozetka.pl
- *.rozetka.com.pl
- *.rozetka.cloud
- *.rozetka.company
- *.rozetka.delivery
- *.rozetka.md
- *.rozetka.ro
- *.rozetka.uz
- *.rozetca.md
- *.rozetca.ro
- *.rozetka.report
- *.rozetka.travel
- *.greenapi.com.ua
- *.europlus.report

#### IP Ranges
- 45.128.216.0/24
- 45.128.217.0/24

#### Mobile applications

Android:
- ua.com.rozetka.shop
- pl.rozetka.shop
- ua.com.rozetka.delivery
- ua.com.rozetka.marketplacesellersapp
- chat.rocket.android.rozetka

iOS:
- com.owox.rozetka.ua
- ua.com.rozetka.marketplace
- pl.rozetka

### Out of scope

#### IP Ranges

These IP Ranges are not operated by Rozetka:
- 45.128.218.0/24
- 45.128.219.0/24

#### Test methods

The following test methods are not authorized:

- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating)
- Social engineering (e.g. phishing, vishing)
- Any other non-technical vulnerability testing

## Testing requirements

You must use the `X-Hacker: <your email>` header for all HTTP/HTTPS traffic.

Automated web scans should be limited to a maximum of 10 requests per second for each asset.
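As an added example (not Rozetka's code or tooling), the following small client wrapper shows how the two requirements above can be enforced mechanically: every request carries the `X-Hacker: <your email>` header, and requests to any one host are spaced so that no more than 10 per second are sent to it. The e-mail address and host names are placeholders; the `simulated_schedule` helper drives the throttle with a fake clock so the schedule can be inspected without sending any traffic.

```python
"""Added example (not part of Rozetka's policy or tooling): a minimal HTTP
client wrapper that applies the two testing requirements of the policy, namely
the mandatory `X-Hacker: <your email>` header on every request and a cap of
10 requests per second per asset. The e-mail address and host names used here
are placeholders."""
import time
import urllib.request
from collections import defaultdict

MAX_RPS = 10  # the policy's per-asset limit for automated scans


def build_headers(researcher_email: str) -> dict:
    """Headers the policy requires on all HTTP/HTTPS traffic."""
    return {"X-Hacker": researcher_email}


def build_request(url: str, researcher_email: str) -> urllib.request.Request:
    """Construct a urllib Request that carries the required header."""
    return urllib.request.Request(url, headers=build_headers(researcher_email))


class PerAssetThrottle:
    """Enforce a minimum spacing of 1/max_rps seconds between requests to the
    same host. `clock` and `sleep` are injectable so the schedule can be
    checked against a fake clock without actually waiting."""

    def __init__(self, max_rps: int = MAX_RPS, clock=time.monotonic, sleep=time.sleep):
        self.interval = 1.0 / max_rps
        self.clock = clock
        self.sleep = sleep
        self._next_allowed = defaultdict(float)  # host -> earliest time for the next request

    def acquire(self, host: str) -> float:
        """Block until a request to `host` is permitted; return the seconds waited."""
        now = self.clock()
        wait = max(0.0, self._next_allowed[host] - now)
        if wait > 0:
            self.sleep(wait)
        self._next_allowed[host] = max(now, self._next_allowed[host]) + self.interval
        return wait


def fetch(url: str, researcher_email: str, throttle: PerAssetThrottle, timeout: float = 10.0) -> bytes:
    """Throttled GET that always carries the X-Hacker header (needs network access)."""
    req = build_request(url, researcher_email)
    throttle.acquire(req.host)  # urllib's Request exposes the target host (hostname[:port])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def simulated_schedule(n_requests: int, host: str = "shop.example", max_rps: int = MAX_RPS) -> list:
    """Drive the throttle with a fake clock and return the virtual send time of
    each request, so the rate cap can be inspected without any traffic."""
    clock = [0.0]

    def fake_sleep(seconds: float) -> None:
        clock[0] += seconds

    throttle = PerAssetThrottle(max_rps, clock=lambda: clock[0], sleep=fake_sleep)
    send_times = []
    for _ in range(n_requests):
        throttle.acquire(host)
        send_times.append(round(clock[0], 6))
    return send_times


if __name__ == "__main__":
    print(build_headers("researcher@example.org"))
    print(simulated_schedule(11))  # at 10 rps, 11 requests span exactly one second
```

The throttle is keyed by host rather than by URL, which matches the policy's wording of "each asset"; a scanner that fans out across several Rozetka hosts still sends at most 10 requests per second to any one of them. `fetch` is the only function that touches the network and is not exercised by the simulation.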

## Guidelines for reporting a vulnerability

You should only interact with accounts you own or with the explicit permission of the account holder.

When you are investigating and reporting the vulnerability, you must not:

- break the law
- access unnecessary or excessive amounts of data
- modify data
- use high-intensity invasive or destructive scanning tools to find vulnerabilities
- attempt a denial of service, for example by overwhelming a service with a high volume of requests
- disrupt Rozetka's services or systems
- share any information about the vulnerability with third parties until we have disclosed it responsibly
- social engineer, phish or physically attack our staff or infrastructure
- demand money to disclose a vulnerability
- sell the information about the vulnerability in any shape or form

Under this policy, "research" means activities in which you:

- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
- Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

You must follow data protection rules when reporting a vulnerability. This means you cannot share any data you might retrieve from Rozetka when researching the vulnerability.

You must keep the data secure until you delete it. You must delete the data as soon as we no longer need it, or no later than 1 month after the vulnerability has been resolved, whichever comes first.

## How to report a vulnerability

For contact information, please refer to https://rozetka.com.ua/.well-known/security.txt.

Include in your report:

- the IP address and/or URL of the asset where you found the vulnerability
- a description of the type of vulnerability, for example XSS
- details of the steps we need to take to reproduce the vulnerability
- screenshots or logs if you have them

When reporting a vulnerability, please consider:
1. Attack scenario/exploitability
2. Security impact of the bug

Please suggest mitigation or remediation actions, if appropriate.

## After you've reported the vulnerability

You'll get confirmation that we have received your report within 2 working days. We'll try to assess your report within 5 working days. We prioritise fixes by impact, severity and exploit complexity.

You'll get updates on progress towards fixing the vulnerability.

Once the vulnerability has been fixed, we can work with you to disclose and publish the report.
