The reward for each bug found will depend on the degree of its impact on the service, the potential damage that the vulnerability can cause, the quality of the report and other factors
Ozon, one of the largest online stores in Russia, has launched its own program to search for vulnerabilities on the well-known site HackerOne. Since this is the first Russian e-Commerce company, it is hoped that it will set the right path for other projects.
To launch the bug bounty program, Ozon first plans to invest $41,800 in working with researchers searching for vulnerabilities in systems.
At the same time, not only Russian cybersecurity experts but also experts from abroad can participate in the online store program.
According to the company, the launch of the program will provide round-the-clock security monitoring, but it will not cancel the work of the Ozon IT laboratory team in ensuring the security of Ozon services but will complement it. Currently, more than 1,000 engineers work in the Ozon IT lab, and 3.5 million users visit the Ozon website and app every day.
"Now the company has the necessary resources not only to develop its own security services but also to work with the hacker community," said Ozon.
Today, not many Russian companies resort to an organized search for vulnerabilities. Among these, it is possible to allocate giants like Yandex, Mail.ru and Qiwi. Ozon became the next major project, as the company had resources not only to develop its own security services but also to interact with the community of ethical hackers.
Like programs of other companies, the bug bounty from Ozon involves a cash reward, the amount of which depends on the severity of the bug found. For example, a company can pay about $240 for an XSS hole.
But something more dangerous, such as an RCE vulnerability that leads to remote code execution, can bring the researcher up to 1,600 dollars.
In May, HackerOne representatives said that the platform had paid researchers a total of $100 million over the entire lifetime of the project. And in early July, the list of the most generous HackerOne participating companies became known.