Researchers
Further information regarding researchers, eligible eBay domains, report forms, and more.
Eligibility and Exclusions
Eligible eBay Domains
This section shows eBay domains that are eligible for this Responsible Disclosure program.
- ebay.com
- ebay.co.uk
- ebay.com.au
- ebay.de
- ebay.ca
- ebay.fr
- ebay.it
- ebay.es
- ebay.at
- ebay.ch
- ebay.com.hk
- ebay.com.sg
- ebay.com.my
- ebay.in
- ebay.ph
- ebay.ie
- ebay.pl
- ebay.be
- ebay.nl
- ebay.cn
- ebay.com.tw
- ebay.co.jp
- ebaythailand.co.th
- seapass.ebay.com
- cpass.ebay.com
- partner.ebay.com
- partnerhelp.ebay.com
- nexpart.com
- shopping.com
- whisolutions.com
- ebayinc.com
- knownorigin.io
- portal.knownorigin.io
- tcgplayer.com
- binderpos.com
- rocarobotics.com
- strategy.channelfireball.com
Eligible Vulnerabilities
We encourage the coordinated disclosure of the following eligible web application vulnerabilities.
- Authentication/Authorization
- Cross-site scripting (XSS)
- Cryptography
- Cross-site request forgery (CSRF) in a privileged context
- Server-side code execution/remote code execution
- XML attacks
- Directory traversal
- Significant security misconfiguration
- HTTP response splitting
- Injection vulnerabilities
- Information leakage
- URL redirector abuse
Exclusions
While we welcome information about any potential issue that can affect the security of eBay or our customers, we exclude the following issues from this program unless you demonstrate that the issue can be exploited.
- SSL vulnerabilities related to configuration or version
- Denial of Service (DoS)
- User enumeration/Brute forcing (for example, the Login and Forgot Password pages)
- Issues present only in older versions of browsers, plugins or any other software
- HTTP Trace method is enabled. This qualifies only if you are able to execute an attack with it.
- Clickjacking on pages without any authentication and/or sensitive state changes
- Social Engineering/Phishing
- Content spoofing
- Self-XSS. Cross-site scripting issues must be exploitable as reflected, stored or DOM-based XSS.
- Logout and other instances of low-severity CSRF
- Missing HTTP headers
- Missing cookie flags on cookies
- Password complexity and reset password flow complexity
- Invalid or missing SPF (Sender Policy Framework) records
- Software banner/version disclosure. This qualifies only if you are able to provide an exploitable POC.
- Results of automated tools or scanners
- Autocomplete attribute on web forms
- Vulnerabilities which require a jailbroken device