Bug Bounty & Prozorro 


White-hat hacking is recognized as one of the most popular and effective ways to find vulnerabilities in IT systems. IT giants (Google, Facebook, Amazon, etc.) have long and successfully run bug bounty programs, which are still unusual for government agencies, especially in Ukraine. We were one of the first state-owned enterprises in Ukraine to implement a bug bounty.

Our story:

  • In 2019, we held an offline bug bounty. 
  • In 2020, we launched an online bug bounty on a permanent basis. 
  • With the start of the full-scale invasion, we had to suspend the online bug bounty. 
  • In 2023, we are resuming vulnerability scanning.

All activities are carried out within the legal framework, because bug hunters work only against the staging environment. Participants have access to a copy of the central database, a copy of the official portal, a copy of the office of the Antimonopoly Committee of Ukraine, a copy of the office of the State Audit Service, and copies of the platforms that also take part in the vulnerability search program. We also guarantee legal protection for all participants, provided they follow the rules of participation, and participants have unlimited time for research.


Researcher Leaderboard

| # | Username | Critical | High | Medium | Low | Info | Points |
|---|---|---|---|---|---|---|---|
| 1 | Jarvis (Twitter) | 9 | 8 | 15 | 19 | 3 | 1906 |
| 2 | Saraychikov Sergey | 5 | 3 | 12 | 2 | 0 | 974 |
| 3 | Spachynskyi Vasyl (stopvvar) | 5 | 2 | 5 | 0 | 0 | 725 |
| 4 | Сhinskiy | 3 | 1 | 8 | 9 | 0 | 658 |
| 5 | SoloAdmiral | 3 | 2 | 7 | 3 | 0 | 611 |
| 6 | 0xj3st3r | 0 | 2 | 8 | 2 | 0 | 299 |
| 7 | KOMPOT | 1 | 1 | 2 | 8 | 0 | 296 |
| 8 | w2w | 1 | 2 | 0 | 0 | 0 | 200 |
| 9 | Taras | 1 | 1 | 1 | 0 | 0 | 175 |
| 10 | kazan71p (Twitter) | 1 | 0 | 2 | 0 | 0 | 175 |
| 11 | sh.root | 0 | 1 | 1 | 3 | 0 | 111 |
| 12 | Яноші Михайло | 1 | 0 | 0 | 0 | 0 | 100 |
| 13 | Raju Basak | 0 | 0 | 3 | 1 | 0 | 92 |
| 14 | CactusDiego | 0 | 1 | 0 | 0 | 0 | 50 |
| 15 | dante | 0 | 0 | 1 | 0 | 0 | 25 |
| 16 | Abdalla Waseem | 0 | 0 | 1 | 0 | 0 | 25 |
| 17 | Gaurav | 0 | 0 | 0 | 1 | 0 | 12 |

As of 04/16/2025 (since 09/17/2020, P4 vulnerabilities are not rewarded but still earn points; P5 vulnerabilities are neither accepted nor rewarded).

Rewards

| Category | Examples of vulnerabilities* | Cost**, UAH | Points | Points (duplicate) |
|---|---|---|---|---|
| Critical (P1) | File Inclusion, RCE, SQL Injection, XXE, Authentication Bypass, Critically Sensitive Data, Command Injection, Hardcoded Password, ... | 28 000 | 100 | 25 |
| High (P2) | XSS (P2 specific), SSRF, CSRF (Application-Wide), Application-Level DOS (NOT DDOS), Hardcoded Password, Weak Password Reset Implementation, ... | 14 000 | 50 | 12 |
| Medium (P3) | HTTP Response Manipulation, Content Spoofing, Session Fixation, XSS and SSRF (P3 specific), ... | 8 400 | 25 | 5 |
| Low (P4) | Not sensitive Information disclosure, Open Redirect, Debug Info, HTML Injection in own email, ... | 0 | 12 | 2 |
| Info (P5) | Cross-Site Scripting (Self), Insecure Data Transport, Secure headers, Spam, Reflected File Download (RFD), ... | 0 | 0 | 0 |

* The categories follow the Bugcrowd Vulnerability Rating Taxonomy and may be adjusted depending on the consequences of practical, not merely potential, exploitation (more details).

** Payments are made net of taxes and fees, in accordance with the tax legislation of Ukraine. For an individual, the following are withheld from the reward amount: single social contribution (22%), military duty (1.5%) and personal income tax (18%). If the hunter is registered as an individual entrepreneur (single tax payer), he or she pays: single social contribution (22% of the minimum wage, once a month), military duty (1%) and single tax (5% for a VAT non-payer).


Reporting procedure


We recommend using a template to generate a report. Be sure to add to the report:

  • Domain/resource where the vulnerability was found;
  • PoC exploits, if any;
  • HTTP requests that demonstrate the vulnerability;
  • Screenshots with the stages of vulnerability exploitation;
  • Subjective assessment of the vulnerability risk level;
  • Explanation of the risk level;
  • Video demonstration of the vulnerability being exploited.



Reports on identified vulnerabilities are accepted at disclosure@prozorro.ua with the subject line “ProzorroBB: Bug Name” (subject category: “Vulnerabilities”). Each report must describe exactly one vulnerability. For each subsequent vulnerability found, a separate report is drawn up and sent in a separate e-mail.


Scope of testing (In Scope)

Vulnerability research applies exclusively to the domains listed below, at the listed IP addresses. These resources are staging environments: copies of the existing production systems. You are allowed to test only the resources that have been copied from those production systems.

Prozorro Platform

| Host | IP | Additional Info |
|---|---|---|
| staging.prozorro.gov.ua | 195.178.150.103 | |
| auction-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| audit-api-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| public-api-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| public-docs-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| swift-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| sas-staging.prozorro.gov.ua | 195.178.150.103 | key and password: 123456 “Test CSC of JSC “IIT” |
| amcu-staging.prozorro.gov.ua | 195.178.150.103 | key and password: 123456 “Test CSC of JSC “IIT” |
| infobox.prozorro.org | 195.178.150.108, 195.178.150.106 | |
| risks-staging.prozorro.gov.ua | 195.178.150.82, 195.178.150.81 | |
| exam-staging.prozorro.gov.ua | 195.178.150.105 | key and password: 123456 “Test CSC of JSC “IIT” |
| exam-back-staging.prozorro.gov.ua | 195.178.150.105 | |

The site: Zakupivli.Pro

| Host | IP | Additional Info |
|---|---|---|
| zakupivli.today | 193.200.64.61 | |
| my.zakupivli.today | 193.200.64.61 | |



The site: Smart Tender

| Host | IP | Additional Info |
|---|---|---|
| test.smarttender.biz | 91.200.74.11 | |
| api-test.smarttender.biz | 91.200.74.11 | |
| content-test.smarttender.biz | 91.200.74.11 | |
| smartid-test.smarttender.biz | 91.200.74.11 | |




The site: E-tender

| Host | IP | Additional Info |
|---|---|---|
| stage.e-tender.ua | 94.131.241.154 | |




The site: Ukrainian Universal Exchange (participation suspended and acceptance of vulnerabilities temporarily stopped from 11.06.2024)

| Host | IP | Additional Info |
|---|---|---|
| bbt.uub.com.ua | 77.123.141.132 | |



Testing is prohibited

Testing any other resources of the Prozorro Platform, or of platforms not listed under “In scope”, is prohibited. Interference with the operation of the ITS (production servers) falls under Article 361 of the Criminal Code of Ukraine: unauthorized interference with the operation of an information technology system.

Host (Additional Info: none)

  • *.prozorro.gov.ua
  • *.prozorro.org
  • *.prozorro.ua
  • *.openprocurement.org
  • *.s3.zakupivli.today
  • *.e-tender.ua
  • *gov.e-tender.ua
  • *auction.e-tender.ua
  • *biz.e-tender.ua
  • *smarttender.biz
  • *api.smarttender.biz
  • *content.smarttender.biz
  • *smartid.smarttender.biz
  • *uub.com.ua
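The in-scope and prohibited lists above interact in a way that is easy to get wrong: `staging.prozorro.gov.ua` is allowed even though it also matches the prohibited pattern `*.prozorro.gov.ua`, `*smarttender.biz` (no leading dot) also covers the bare apex domain, and `bbt.uub.com.ua` is listed but suspended. The following scope checker is an added example, not code from the Prozorro program; it encodes the tables from this page as data (the host names and IPs are the page's, the `SUSPENDED` handling and the default-deny rule are the author's reading of the text) and can be run before pointing any tooling at a host.

```python
import fnmatch
from dataclasses import dataclass

# Hosts explicitly listed as in scope on this page, with the IPs published next to them.
IN_SCOPE = {
    "staging.prozorro.gov.ua": {"195.178.150.103"},
    "auction-staging.prozorro.gov.ua": {"195.178.157.50", "195.178.157.60"},
    "audit-api-staging.prozorro.gov.ua": {"195.178.157.50", "195.178.157.60"},
    "public-api-staging.prozorro.gov.ua": {"195.178.157.50", "195.178.157.60"},
    "public-docs-staging.prozorro.gov.ua": {"195.178.157.50", "195.178.157.60"},
    "swift-staging.prozorro.gov.ua": {"195.178.157.50", "195.178.157.60"},
    "sas-staging.prozorro.gov.ua": {"195.178.150.103"},
    "amcu-staging.prozorro.gov.ua": {"195.178.150.103"},
    "infobox.prozorro.org": {"195.178.150.108", "195.178.150.106"},
    "risks-staging.prozorro.gov.ua": {"195.178.150.82", "195.178.150.81"},
    "exam-staging.prozorro.gov.ua": {"195.178.150.105"},
    "exam-back-staging.prozorro.gov.ua": {"195.178.150.105"},
    "zakupivli.today": {"193.200.64.61"},
    "my.zakupivli.today": {"193.200.64.61"},
    "test.smarttender.biz": {"91.200.74.11"},
    "api-test.smarttender.biz": {"91.200.74.11"},
    "content-test.smarttender.biz": {"91.200.74.11"},
    "smartid-test.smarttender.biz": {"91.200.74.11"},
    "stage.e-tender.ua": {"94.131.241.154"},
    "bbt.uub.com.ua": {"77.123.141.132"},
}

# Listed on the page but with participation suspended from 11.06.2024; treated as closed.
SUSPENDED = {"bbt.uub.com.ua": "participation suspended from 11.06.2024"}

# Wildcard patterns from the "Testing is prohibited" list, matched with shell-style globbing.
OUT_OF_SCOPE_PATTERNS = [
    "*.prozorro.gov.ua", "*.prozorro.org", "*.prozorro.ua", "*.openprocurement.org",
    "*.s3.zakupivli.today", "*.e-tender.ua", "*gov.e-tender.ua", "*auction.e-tender.ua",
    "*biz.e-tender.ua", "*smarttender.biz", "*api.smarttender.biz",
    "*content.smarttender.biz", "*smartid.smarttender.biz", "*uub.com.ua",
]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def _normalise(host: str) -> str:
    # Case-insensitive, ignore a trailing dot (FQDN form) and surrounding whitespace.
    return host.strip().rstrip(".").lower()


def check_host(host: str) -> Verdict:
    """Decide whether a host name is testable under the page's scope rules.

    Order matters: an explicit in-scope listing wins over a prohibited wildcard
    (otherwise every *-staging.prozorro.gov.ua host would be denied), a suspended
    listing is refused, and anything not listed is denied by default.
    """
    h = _normalise(host)
    if h in SUSPENDED:
        return Verdict(False, SUSPENDED[h])
    if h in IN_SCOPE:
        return Verdict(True, "explicitly listed in scope")
    for pattern in OUT_OF_SCOPE_PATTERNS:
        if fnmatch.fnmatchcase(h, pattern):
            return Verdict(False, f"matches prohibited pattern {pattern}")
    return Verdict(False, "not listed in scope (default deny)")


def check_target(host: str, resolved_ip: str) -> Verdict:
    """Also require that the IP the host resolved to is one the page publishes,
    so a stale DNS entry or a typo cannot silently redirect testing elsewhere."""
    verdict = check_host(host)
    if not verdict.allowed:
        return verdict
    if resolved_ip not in IN_SCOPE[_normalise(host)]:
        return Verdict(False, f"{host} resolved to {resolved_ip}, not a published staging IP")
    return Verdict(True, "host and IP match the published scope")


if __name__ == "__main__":
    for candidate in ["staging.prozorro.gov.ua", "www.prozorro.gov.ua",
                      "smarttender.biz", "test.smarttender.biz", "bbt.uub.com.ua"]:
        print(f"{candidate:35} {check_host(candidate)}")
```

Resolution itself is left to the caller (for example `socket.gethostbyname`) so the checker stays offline and deterministic; feed it the address you actually resolved and it will refuse anything that does not match the table.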



Documentation on the Prozorro Platform

API Docs


System module: Public API

A public API for data scraping, giving unauthenticated users access to public information. It serves data from the public API database and displays only information that the law allows to be published.


System module: Public DS

Service for accessing files attached to procurement notices/offers/complaints. It controls access to files and reads files from the storage. An example of an uploaded document.


System module: Swift

The file storage is based on OpenStack Swift. Access goes through the DS module: when a document is downloaded, the request is first directed to Public DS via a static link, and Public DS then generates a temporary link to Swift from which the document is fetched. An example of an uploaded document.
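The two-step download described above (static DS link, then a short-lived Swift link) is what keeps the object store from being directly enumerable. As an added example that is not Prozorro's code, the block below reproduces the signing scheme of OpenStack Swift's TempURL middleware, which signs the HTTP method, the expiry timestamp and the object path with an HMAC; the key, the container path, the `document_index` and the `/get/<id>` static-link layout are constructed for the example, and HMAC-SHA1 is used because that is the middleware's documented default (newer Swift releases also accept SHA-256 and SHA-512 signatures).

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example; the real temp-URL key and container names are not on the page.
TEMP_URL_KEY = b"example-temp-url-key-not-real"
SWIFT_BASE = "https://swift-staging.prozorro.gov.ua"  # host from the scope table; path layout assumed
DEFAULT_TTL = 300  # seconds: a temporary link should live only long enough for one download


def _hmac_body(method: str, expires: int, path: str) -> bytes:
    # Swift's TempURL middleware signs exactly these three fields, newline-separated.
    return f"{method.upper()}\n{expires}\n{path}".encode()


def sign_temp_url(path: str, key: bytes = TEMP_URL_KEY, method: str = "GET",
                  ttl: int = DEFAULT_TTL, now: Optional[int] = None) -> str:
    """Produce a Swift-style temporary URL for one object path."""
    expires = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(key, _hmac_body(method, expires, path), hashlib.sha1).hexdigest()
    query = urlencode({"temp_url_sig": sig, "temp_url_expires": expires})
    return f"{SWIFT_BASE}{path}?{query}"


def verify_temp_url(url: str, key: bytes = TEMP_URL_KEY, method: str = "GET",
                    now: Optional[int] = None) -> Tuple[bool, str]:
    """What the storage side checks: unexpired, and the signature binds method + expiry + path."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        sig = qs["temp_url_sig"][0]
        expires = int(qs["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed temp_url parameters"
    current = int(now if now is not None else time.time())
    if current >= expires:
        return False, "link expired"
    expected = hmac.new(key, _hmac_body(method, expires, parts.path), hashlib.sha1).hexdigest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch (path, method or expiry altered)"
    return True, "valid"


def resolve_download(static_link: str, document_index: Dict[str, Tuple[str, bool]],
                     now: Optional[int] = None) -> str:
    """Models the Public DS step: a static link names a document id, DS checks that the
    document may be served, maps it to its Swift object path and returns a signed link.
    `document_index` maps id -> (swift path, publicly accessible?) and is constructed here."""
    doc_id = urlsplit(static_link).path.rsplit("/", 1)[-1]
    if doc_id not in document_index:
        raise KeyError("unknown document id")
    swift_path, is_public = document_index[doc_id]
    if not is_public:
        raise PermissionError("document is not publicly accessible")
    return sign_temp_url(swift_path, now=now)


if __name__ == "__main__":
    index = {"doc-1": ("/v1/AUTH_example/tender-docs/abc.pdf", True),
             "doc-2": ("/v1/AUTH_example/tender-docs/internal.pdf", False)}
    link = resolve_download("https://public-docs-staging.prozorro.gov.ua/get/doc-1", index)
    print(link)
    print(verify_temp_url(link))
```

The point for reviewers is that the signature covers the object path and expiry, so a recipient cannot reuse one link to reach a different object, and the DS decides which documents are eligible before any Swift link exists.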


System module: Auction

The service serves auction participants and visitors. It renders the participant's page and receives the current auction state from the server and the auction database. A participant receives a private link for taking part in the auction in his or her account; the link is stored in the database and is available only to that participant. Observers enter through a public link and can only watch the auction.


System module: Cabinet of the AMCU

Office of the controlling authority. During a procurement, any user registered on a platform can file a complaint. Complaints are submitted to the official appeal body, the Antimonopoly Committee of Ukraine, whose employees review them in this office.


System module: Cabinet of the SASU

Cabinet of the State Audit Service of Ukraine (SASU).


System module: Risk indicators

Prozorro has a system that automatically searches for suspicious procurements and sends them for monitoring to the State Audit Service of Ukraine (hereinafter the State Audit Service). This allows auditors to detect unscrupulous public customers at the early stages of procurement and to act on tender violations based on the risk indicator data. The State Audit Service decides whether to open monitoring.


System module: Audit API

API for accessing risk indicators:


Terms, rights and obligations:

The Participant undertakes to:

  • Not to disclose information about the vulnerability without the consent of the Organizers;
  • Not to do anything illegal or send spam;
  • Not to share inappropriate content or materials (e.g., related to criminal activity);
  • Not to engage in harmful activities (e.g., transmission of viruses);
  • Not to infringe on the rights of others or engage in activities that violate the privacy of others;
  • Not to carry out distributed denial of service (DDoS) attacks;
  • To comply with the requirements of the law and the offer agreement.

The participant has the right to:

  • Receive remuneration in the manner prescribed;
  • Legal protection in relation to participation in the Program, subject to compliance with its requirements;
  • Receive the Organizer's response and reaction to the report(s);
  • Other rights provided for in the offer agreement.


Participation in the Bug Bounty program is voluntary. The Hunter receives a monetary reward for vulnerabilities confirmed by the Administrator of the electronic system and the Platforms that are part of the electronic procurement system and participate in the Bug Bounty program.

The following vulnerabilities are not accepted: 

  • Reports from vulnerability scanners and other automated tools
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation 
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues
  • Distributed Denial of Service (not Application logic DoS)
  • Theoretical issues
  • Spam (SMS, emails, etc.)
  • Missing HTTP security headers
  • Certificates/TLS/SSL and Broken Cryptography related issues
  • DNS issues (i.e. MX records, SPF records, DKIM records, DMARC records, etc.)
  • Server configuration issues (i.e., open ports, TLS, etc.)
  • Session fixation (change password, logout)
  • Sensitive Token in URL
  • User account enumeration and Geolocation Data issues
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (not full path file disclosure)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing (not spoofing HTML\CSS)
  • Reflected File Download (RFD)
  • Missing Secure or HTTPOnly Cookie Flag
  • Mixed Content
  • MitM and local attacks
  • All other P4 and P5 severity

Questions, answers and contacts

If you have a question about the Electronic Procurement System Bug Bounty Program or something to offer us, please e-mail bugbounty@prozorro.ua; we will respond as soon as possible and/or contact you in a way that is convenient for you.


Legal documents:

  • Link to the offer text here