The large Russian online retailer Ozon has announced the launch, on the HackerOne platform, of a bug bounty program that pays for the discovery of bugs and vulnerabilities in its online services. The program is the first among Russian e-commerce companies, and in the first stage Ozon plans to invest more than 3 million rubles in working with the hacker community.
According to the company, security professionals from Russia and from other countries alike can take part in the vulnerability-hunting program. The reward for each hole found will depend on the degree of impact on the service, the potential damage, the quality of the report, and other factors. For example, Ozon may pay about 17 000 ₽ for an XSS (cross-site scripting) finding, and up to 120 000 ₽ for more serious issues (for example, injection or remote code execution).
Ozon believes that launching the program will give it round-the-clock security monitoring and complement the work of the Ozon IT lab team. The department now employs more than 1,000 engineers, and Ozon's site and applications are used by about 3.5 million people.
“We are actively supporting a cultural change in the interaction of vendors with security researchers, in the direction of a more civilized dialogue. A bug bounty program is what is needed for modern Internet companies that care about information security, and, of course, in the coming months we plan to expand the list of services participating in the program to better interact with the hacker community,” said Alexander Bolotov, chief information security officer at Ozon.
A serious approach to strengthening security is a welcome step. By the way, in 2018 Ozon leaked more than 450 thousand e-mail addresses and user passwords. Many leading information technology companies run vulnerability-hunting programs, including Amazon, Google, Facebook and so on. In Russia, private programs are offered by, for example, Yandex, Mail.ru and Qiwi.