Log in
Log in
Log in
Traveling withEdadeal
Goal:
find critical vulnerabilities
Scope:
Edadeal services
Duration:
from 20.03.2025 to 30.04.2024
{ About service }
Edadeal helps users save money when purchasing at their favorite shops. Just upload a promo receipt with the app and get a cashback or a promo code.
The BugBounty goal is to find critical vulnerabilities that compromise the service or user data. We want to find more RCE, SQLi, and critical IDOR vulnerabilities to protect personal data and protect users from fraud.
Where to look:
- edadeal.ru — home page, separate mobile app client
- checks.edadeal.yandex.ru — e-cheque app
- cards.edadeal.yandex.ru — loyalty cards
- *.edadeal.ru
- *.edadeal.yandex.ru
- Mobile app
{ Rewards }
Edadeal’s rewards are doubled for the competition period.
The reward depends on the following:
- What exact data may be disclosed.
- Exploitation complexity.
- The scope of users who could potentially be affected by the bug.
- Vulnerability severity and impact on the business.
Vulnerability severity and impact on the business.
Category | Reward |
|---|---|
Remote Code Execution | 750 000 руб. — 1 500 000 руб. |
Инъекции (SQL/noSQL) | 375 000 руб. — 750 000 руб. |
Local files access (LFR, RFI, XXE и т. д. ) | 375 000 руб. — 500 000 руб. |
SSRF | 115 000 руб. — 450 000 руб. |
Client-side (XSS, CSRF, CORS и т. д. ) | 45 000 руб. — 150 000 руб. |
Business logic functionality:
Category | Reward |
|---|---|
Cashback-related business logic errors | 100 000 руб. — 350 000 руб. |
IDOR / Disclosure of sensitive information | 100 000 руб. — 300 000 руб. |
Other vulnerabilities | 10 000 руб. — 200 000 руб. |
Information leaks
We’re interested in detecting any technical means of disclosing private user data, especially cheques linked to the holder’s data. For example:
- Ways to access another user’s cheques,
- Ways to track promo codes activated by other users.
Cashback manipulations
Edadeal uses YooMoney for cashback accruals. We’re interested in any possible bypassing of the current cashback accrual and withdrawal rules. For instance:
- Getting cashback for the same cheque indefinitely.
- Ways to debit a cashback to your account multiple times.
Note: YooMoney is out of scope!
{ Rules and notes }
- SSRFs that allow reading responses are considered more critical than blind ones.
- RCEs in an isolated/test environment get reduced rewards as they have reduced business impact.
- CSP (Content Security Policy) bypassing is optional, but, in some cases, the reward can be reduced, for example, if the XSS requires a click and is blocked by CSP (href=javascript:alert).
- Mobile app vulnerabilities are considered "Other vulnerabilities".
- Yandex reserves the right to decide which reports suit the competition.
- Use only your test accounts. Attempting to exploit a bug on real users may result in exclusion from the competition.
- The report must specify the actions necessary to reproduce the bug.
- YooMoney is out of Yandex Bug Bounty's scope! If you find a vulnerability, check out the conditions here.
Good Luck!
Tue Oct 01 2024 10:10:51 GMT+0300 (Moscow Standard Time)