The Bug Bounty Program

We value everyone who wants to help us maintain high safety standards. On this page you will find the procedure and conditions for reporting any suspected security flaw in our systems.

Program rules

  • We pay the reward to anyone who finds a vulnerability in our systems that is not publicly known.
  • You must be the first to report such a vulnerability. If someone was faster than you, the right to reward is void.
  • Describe the vulnerability in detail in your email, including a video Proof of Concept in MP4 format demonstrating how to exploit the vulnerability.
  • We do not pay rewards for vulnerabilities found using automated scanning tools.
  • PoC has to include steps to reproduce the issue. Video proof, curl exampl, or script is required.
  • If you report a vulnerability on the site of one language version, you cannot report the same vulnerability on the site of another version. In this case, the vulnerability is counted as one and the others are treated as duplicates.
  • When testing, make every effort not to limit the operation of our services.
  • Send each report to: bugbounty@notino.com
  • Every participant of the Bug Bounty Program is bound by confidentiality - an NDA.
  • If we confirm the vulnerability you have found, we will sign a contract with you.
  • We have 15 days for the evaluation.

Rewards

We pay the rewards through a bank transfer against the issued invoice. The amount of the reward depends on the severity of the reported vulnerability. Level of severity is divided into three categories and assessed individually:

When evaluating vulnerabilities, we respect Bugcrowd's Vulnerability Rating Taxonomy

  • P4-P5: no remuneration
  • P2-P3: we will pay a reward of EUR 200
  • P1: we will pay a reward of EUR 400

Exceptions

  • not-validating an e-mail during registration
  • P4
    • Broken Authentication and Session Management > Failure to Invalidate Session > On Password Reset and/or Change


If you have further questions, please do not hesitate to contact us at bugbounty@notino.com We look forward to working with you and thank you for your efforts.

NOTINO Last update 12.6.2023

Contact info About us 2021
We guarantee 90-day returns
83,000 products
from 1,500 brands in our portfolio
Stores with e-shop prices in 8 countries