Reporting a Security Vulnerability

At Adevinta, protecting our customers’ data is extremely important to us. We greatly value the role security researchers play in helping keep our systems and information secure. To encourage responsible vulnerability disclosure, Adevinta’s security team is committed to working closely with the research community. We will carefully investigate all legitimate vulnerability reports, recreate any confirmed issues, and work quickly to properly address them.

If you discover a potential security vulnerability in any Adevinta products or services, please report it to us right away. We will look into every credible report received and do our best to quickly resolve any validated vulnerabilities.

We ask that you do not publicly disclose your findings until we’ve had a chance to review and address the reported issues with you first. While we will consider reasonable public disclosure requests, Adevinta reserves the right to deny them. Your help in maintaining Adevinta’s security is truly appreciated.

Responsible Disclosure Guidelines

To encourage responsible disclosure, Adevinta will not initiate legal action against security researchers for assessing vulnerabilities as long as they adhere to this policy, including:

  • Notify Adevinta and provide all details through the HackerOne Vulnerability Disclosure Program form below.
  • Only test accounts you own or have explicit permission for
  • Do not access, modify or delete data that does not belong to you
  • Do not engage with other users or employees; any action must be taken within test accounts under your control.
  • Do not exploit vulnerabilities beyond what is needed to identify and report them
  • Do not conduct denial of service, phishing, social engineering or physical attacks
  • Do not conduct any testing on physical security of Adevinta premises, personnel, equipment, etc.
  • Do not test third-party services that integrate with Adevinta
  • Do not violate laws or disrupt services
  • In submitting a security vulnerability report, you grant Adevinta permission to utilise the information contained in your report as we deem appropriate.

Public Acknowledgments Policy

Currently, Adevinta does NOT publicly disclose or maintain a list of security vulnerabilities reported by external parties or the individuals who reported them.

Privacy

For information on how Adevinta processes and safeguards personal data, please refer to our Privacy Policy available here.

Policy Changes

Adevinta reserves the right to terminate or modify this vulnerability disclosure program and policy at any time. Before conducting any security testing or taking actions based on this policy, please review the latest version here.

Please fill out this form to report a vulnerability: