Reporting a Security Vulnerability
At OLX Autos, we take security issues seriously. If you believe you've detected a vulnerability within our products, we'd like to hear about it. Our team is continuously working on improving the security of your account. We'll investigate any reports and do our best to fix these issues as soon as possible. If you have found an issue that affects only your account, please fill in the contact form on your country's OLX site.
How to Report
If you would like to report a vulnerability in one of the in-scope targets listed below, please email us at security-olxautos@olx.com. To enable us to verify the vulnerability, add details on how to reproduce it, e.g. screenshots, code or video. We kindly ask you not to disclose the vulnerability until you receive a notification from us that the issue has been solved. You will receive a non-automated response to your initial communication within 72 hours, confirming that we have received the vulnerability report, and we will send progress updates on a frequent basis.
In-scope targets
- *.olx.in
- *.letgo.com
- *.olx.id
- *.otoplus.com
- *.olxautos.cl
- *.olxautos.com.mx
- *.olxautos.in
- *.olx-autos.com.ar
- *.olxautos.com.co
- *.olxautos.co.id
Testing is only authorised on the targets listed as in scope. Any domain/property of OLX Autos not listed in the targets section is out of scope. This includes any/all subdomains not listed above. Android and iOS apps related to these sites are also in scope for these targets. Any reports will need to be fully documented and reproducible.
Focus Areas
- Cross-Site Scripting (XSS)
- Cross-site Request Forgery
- Server-Side Request Forgery (SSRF)
- SQL Injection
- Remote Code Execution (RCE)
- XML External Entity Injection (XXE) with significant impact
- Access Control Issues
- Authentication Bypass Issues
- Authorisation Flaws
- Privilege Escalation
- Directory Traversal Issues
- Sensitive Information Disclosure
- Data Exposure
- Business Logic Vulnerabilities
Out of Scope
The following submission types are considered out of scope:
- Denial of service (DoS) attacks
- Findings as reported by automated tools without additional analysis as to how and what is vulnerable
- Vulnerabilities only affecting users of outdated or unpatched browsers
- Spam reports
Reward & Hall of Fame
At the moment, OLX Autos recognises the efforts of the security researchers by putting their names in the Hall of Fame page. Monetary rewards are currently not offered in this programme.