Report Bugs to Divar!

If you believe you have found a security vulnerability on Divar, we encourage you to let us know right away and get a reward!

Before reporting a vulnerability, please read this entire page, including the policies below.

Reported vulnerabilities: 300+

The rewards so far: 30,000$

Bug hunters: 30+

Rewards

The amount of the reward is determined based on the severity of your report and according to the table below.

Severity   Maximum reward
Critical   Up to 5,500$
High       Up to 1,750$
Medium     Up to 500$

Scope

The severity of reports is determined based on the following domains and assets.
Reports that fall outside this scope will not be eligible for a reward.

Importance   Asset                                Description
Critical     grpc-api.divar.ir                    Subdomain of Divar
Critical     Divar Mobile App - iOS Version       Latest iOS version of the Divar app
Critical     api.divar.ir                         Subdomain of Divar
Critical     mail.divar.ir                        Subdomain of Divar
Critical     divar.ir                             Divar website
Critical     Divar Mobile App - Android Version   Latest Android version of the Divar app
High         git.divar.cloud                      Subdomain of Divar
High         registry.divar.cloud                 Subdomain of Divar
High         api.*.divar.cloud                    Subdomains of Divar
High         agahpardazan.ir.*                    Subdomains of Divar
Medium       divar.dev.*                          Subdomains of Divar
Medium       divar.cloud.*                        All subdomains of this domain except git.divar.cloud, registry.divar.cloud and api.*.divar.cloud
Medium       divar.io.*                           Subdomains of Divar
Low          Business Panels                      These panels are considered assets with low importance
Low          m.divar.ir.*                         Subdomains of Divar
None         divar.news                           This domain and all of its subdomains are out of scope

Table of Impact Severity

The impact severity of damages is determined based on the following table.

Impact Severity: Vital

  • RCE on vital servers
  • Mass Defacement

Impact Severity: Critical

  • Remote Command Execution
  • SQL/NoSQL/Command Injection
  • XML External Entity Injection
  • Mass Account Takeover (without User Interaction)
  • Sensitive Data Exposure for publicly accessible Services
  • Unauthorized Access to Read and Write Sensitive Data of All Users
  • Sensitive Data Exposure (All users) includes chat data

Impact Severity: High

  • Subdomain Takeover
  • Unauthorized Access to Read and Write Sensitive Data of a User
  • Unauthorized Access to Read and Write Part of Sensitive Data of All Users
  • Local File Inclusion
  • Complete Source Code Disclosure of One of the Private Products
  • SSRF (Internal, High Impact)
  • Authentication Bypass
  • Mass Deletion of User Accounts
  • Vertical/Horizontal Privilege Escalation
  • Sensitive Data Exposure (All Users) Except Chat Data
  • Stored XSS (Non-Privileged User to Privileged User)

Impact Severity: Medium

  • Account Takeover by User Interaction
  • Stored XSS Without Privilege Escalation
  • Reflected XSS
  • DOM-Based XSS
  • Insecure Direct Object Reference
  • Source Code Disclosure of Divar's Websites
  • Partial Source Code Disclosure of One of Divar's Private Products
  • State-Changing CSRF (Cross-Site Request Forgery) That Leads to Higher Impact, Such as Accessing Files
  • Mass User Enumeration
  • Authorization Bypass
  • Unauthorized Access to Read and Write Part of Sensitive Data of a User
  • Server Side Request Forgery (without high impact)
  • CRLF Injection
  • Default credentials
  • iframe Injection
  • OAuth misusable misconfiguration
  • Second Factor Authentication (2FA) Bypass
  • Misusable misconfiguration of CAPTCHA implementation
  • Session Fixation (Remote Attack Vector)
  • DoS (High Impact and/or Medium Difficulty)
  • Unauthorized Access to Services (API / Endpoints)
  • Excessively Privileged User / DBA
  • Delete a user Account
  • Sensitive Data Exposure (Some users)

Impact Severity: Low

  • Clickjacking (Sensitive Click-Based Action)
  • Open Redirect (GET-Based)
  • Clear-Text Password Submission (over HTTP)
  • Non-State-Changing Cross-Site Request Forgery
  • SSRF (External)
  • Information Disclosure Through Errors
  • Clickjacking (Non-Sensitive Click-Based Action)
  • Weak Registration Implementation (over HTTP)
  • SMS Bombing

Impact Severity: Out-Of-Scope

  • Open Redirect (POST-Based)
  • Self *
  • Directory Listing Enabled (Non-Sensitive Data Exposure)
  • Same-Site Scripting
  • Missing Certification Authority Authorization (CAA) Record
  • Unsafe File Upload
  • Clickjacking (Non-Sensitive Action)
  • Clickjacking (Form Input)
  • Captcha brute force
  • Exposed Admin Portal To Internet
  • Missing DNSSEC
  • Fingerprinting/Banner Disclosure
  • Reflected File Download (RFD)
  • Lack of Security Headers
  • HTTP Parameter Pollution
  • Session Fixation (Local Attack Vector)
  • Concurrent Logins
  • Token Leakage via Referer
  • Crowdsourcing/OCR Captcha Bypass
  • Lack of Verification/Notification Email
  • Allows Disposable Email Addresses for Registration
  • SSL Attack
  • Public Admin Login Page
  • Out of date libraries
  • SSRF (DNS Query Only)

Pricing Table

The judging team, utilizing the table below, determines the vulnerability level of assets and specifies the reward amount. Rows are the vulnerability severity; columns are the priority of the affected asset.

Vulnerability Severity   Critical Asset   High Asset     Medium Asset   Low Asset
Critical                 5500$            3700$          2750$          Not in scope
High                     1600$            1100$          750$           Not in scope
Medium                   500$             250$           125$           Not in scope
Low                      Not in scope     Not in scope   Not in scope   Not in scope

The final reward amount is determined by the judges based on the severity of the bug (CVSS3) and the target being assessed.

Notes

Please consider the following points before submitting a vulnerability report.

Explanation and Important Notes About the Divar Bug Bounty Program

At Divar, we recognize and welcome contributions from security researchers who, by discovering and reporting vulnerabilities, help enhance the security of our products and users. If you have identified a security flaw or vulnerability in Divar, you can report it through this program to receive a reward.

Important Notes

  • Monetary rewards apply only to the defined scope; items outside the scope are not eligible for any monetary reward.
  • Vulnerabilities without exploit code and an attack scenario are not eligible for rewards.
  • Only one reward is granted for the same vulnerability found across two or more different domains.
  • Judgment regarding the severity of the risk and the sensitivity of leaked information is handled by relevant experts.
  • Please note that publication of vulnerability reports is only possible with coordination and approval.
  • Subdomains hosted by other services, or instances used solely for debugging and similar purposes, are not included in the scope of this program.

Out of Scope

The following issues are not eligible for a reward:

  • CSRF Injections
  • Internal Open Redirect Vulnerabilities
  • Social Engineering and Phishing Attacks, Physical Attacks, Spamming
  • DoS and DDoS Attacks
  • Brute Forcing Accounts
  • Homographs or Similar Attacks
  • Failure to Apply Security Considerations on Cookies
  • Lack of or Weak Captcha
  • Clickjacking with No Sensitive Actions
  • Failure to Follow Security Best Practices Without Exploit
  • Vulnerabilities Requiring Highly Specific User Interaction
  • Vulnerabilities Related to Outdated Browsers
  • Self XSS
  • Third-party Software and Systems, If Access and Bug Patchability Are Not Possible, Are Considered Out of Scope
  • Vulnerabilities Reported by Scanners and Other Automated Tools Without Exploit
  • Reports of Outdated Versions of Libraries and Software in Use Without Exploit
  • Vulnerabilities Related to Server Information Leaks and Incorrect Configurations Without Exploit
  • Vulnerabilities Related to Rate Limiting and User Enumeration, Unless Leading to a Higher Severity
  • Reflected File Download
  • Clickjacking
  • Failure to Implement Security Headers

Reporting Guidelines

  • Describe only one vulnerability per report and avoid submitting multiple vulnerabilities in a single report.
  • Describe the vulnerability accurately and in detail so that judges can quickly identify and address the bug.
  • Provide precise steps to reproduce the vulnerability in your report.
  • Include an attack scenario in your report to clarify the importance and impact of the bug.
  • Provide a proof of concept (PoC) and details of how the vulnerability can be exploited, and if possible, include a video demonstration.
  • If you used a specific payload, tool or custom code in your attack, attach it to your report.
  • Specify the browser version and operating system used in the report if needed.

Scoring System

This guide has been created to familiarize users with the scoring system in the bounty platform. Each user starts with a score of 100 upon registration. The number of reports a user can submit within specific intervals is determined by their score. For example, a user with a score of 100 can submit 2 reports every 2 days. If a user's score drops to 20, they will be unable to submit any reports for 1 month, after which they can submit 1 report every 30 days.

Please note that these numbers are subject to change. In the event of any changes, previous scores will also be updated accordingly.

The following factors can affect a user's score:

Event                              Change in Score
Detection of Report as Spam        -10
Detection of Report as Duplicate   -5
Detection of Report as Resolved    +7
Receipt of Reward from Report      Minimum +1, Maximum +50