
Reporting a security vulnerability

At OLX, we take security issues seriously. If you believe you have found a vulnerability in one of our products, we would like to hear about it. Our team works continuously to protect the security of your account. We will investigate every report and do our best to fix confirmed issues as soon as possible.

If the issue affects only your own account, please fill in the contact form on your country's OLX site instead.

If you would like to report a vulnerability in one of the products listed in our vulnerability disclosure program (VDP), or in one of their related mobile apps, submit it through our embedded Vulnerability Disclosure form with BugCrowd so that we can track your submission.

To enable us to verify the vulnerability, include the details needed to reproduce it, e.g. screenshots, code, or a video. We kindly ask you not to disclose the vulnerability until you receive a notification from us that the issue has been resolved. You will receive a non-automated response to your initial communication within 72 hours confirming that we have received the report, and we will send progress updates on a frequent basis.

Please refrain from engaging in security research that involves:

  • Physical attacks against offices and data centers.
  • Compromise of an OLX user's or employee's account.
  • Automated tools or scans, botnets, compromised sites, end clients, or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.
  • Denial of service (DoS) attacks.
  • Findings as reported by automated tools without additional analysis as to how and what is vulnerable.
  • Vulnerabilities only affecting users of outdated or unpatched browsers.
  • Spam reports.
  • Targeted attacks against social media or third-party services that OLX uses (LinkedIn, Twitter, etc.).
  • User enumeration.
  • DNSSEC issues with minimal or no security implications.
  • SSL / TLS issues.
  • Content Security Policy (CSP) that includes unsafe-inline (not an issue in itself).
  • Specific HTTP methods enabled with minimal or no security implications.
  • Cross-Site Request Forgery (CSRF) with minimal or no security implications.
  • CSV injection with minimal or no security implications.
  • IDN homograph attacks with minimal or no security implications.
  • Application or JavaScript error(s) with minimal or no security implications.
  • Clickjacking on static website/page.
  • Cross-Site Tracing (XST).
  • Disclosure of info in robots.txt file.
  • Leaking of non-sensitive information on search engine results.
  • Open redirects in the Host header.
  • Host header spoofing with minimal or no security implications.
  • Reverse Tabnabbing.
  • Server type/version disclosure.
  • Weak Password Policy.
  • User Session management issues (ex: session duration, token reuse, session invalidation on password reset).
  • Lack of Jailbreak/Root check/prevention on mobile applications.
  • Lack of TLS/SSL Certificate Pinning on mobile applications.
  • Blogs / WordPress sites hosted on WordPress Engine (WPE).
  • Outdated Library with minimal or no security implications.

We want to thank all security researchers for their contributions and for volunteering their time to help us spot potential issues. You can visit our Hall of Fame to see a list of all of them.