Prozorro
Prozorro is a public electronic procurement system where state and municipal customers announce tenders to purchase goods, works and services, and business representatives compete for the opportunity to become a state supplier.
Program Scope (EN)
Prozorro Bug Bounty is a safe space for ethical (“white hat”) hackers. You can legally explore our systems, help uncover vulnerabilities, and receive rewards. We provide a dedicated staging environment; all research is performed strictly within the legal framework and the Program rules.
In focus: web portals and related APIs. Any intervention in production is strictly prohibited.
- 2019 — we held one of Ukraine’s first offline bug bounty marathons (news (UA)).
- 2020 — launched a continuous online program.
- 2022 — suspended the online program due to the full-scale invasion.
- 2023 — resumed vulnerability research on staging.
| # | Username | Critical | High | Medium | Low | Info | Points |
|---|---|---|---|---|---|---|---|
| 1 | Jarvis (Twitter) | 9 | 8 | 15 | 19 | 3 | 1906 |
| 2 | Saraychikov Sergey | 5 | 3 | 12 | 2 | 0 | 974 |
| 3 | Spachynskyi Vasyl (stopvvar) | 5 | 2 | 5 | 0 | 0 | 725 |
| 4 | Сhinskiy | 3 | 1 | 8 | 9 | 0 | 658 |
| 5 | SoloAdmiral | 3 | 2 | 7 | 3 | 0 | 611 |
| 6 | 0xj3st3r | 0 | 2 | 8 | 2 | 0 | 299 |
| 7 | KOMPOT | 1 | 1 | 2 | 8 | 0 | 296 |
| 8 | w2w | 1 | 2 | 0 | 0 | 0 | 200 |
| 9 | Taras | 1 | 1 | 1 | 0 | 0 | 175 |
| 10 | kazan71p (Twitter) | 1 | 0 | 2 | 0 | 0 | 175 |
| 11 | sh.root | 0 | 1 | 1 | 3 | 0 | 111 |
| 12 | Яноші Михайло | 1 | 0 | 0 | 0 | 0 | 100 |
| 13 | Raju Basak | 0 | 0 | 3 | 1 | 0 | 92 |
| 14 | CactusDiego | 0 | 1 | 0 | 0 | 0 | 50 |
| 15 | dante | 0 | 0 | 1 | 0 | 0 | 25 |
| 16 | Abdalla Waseem | 0 | 0 | 1 | 0 | 0 | 25 |
| 17 | Gaurav | 0 | 0 | 0 | 1 | 0 | 12 |
As of 16.04.2025 (since 17.09.2020: P4 vulnerabilities are not rewarded but earn points; P5 are not accepted and not rewarded).
| Category | Examples of vulnerabilities* | Reward, UAH** | Points | Points (duplicate) |
|---|---|---|---|---|
| Critical (P1) | File Inclusion, RCE, SQL Injection, XXE, Authentication Bypass, Sensitive Data Exposure, Command Injection, Hardcoded Password… | 28 000 | 100 | 25 |
| High (P2) | XSS (P2 specific), SSRF, CSRF (application-wide), App-level DoS (not DDoS), Weak Password Reset… | 14 000 | 50 | 12 |
| Medium (P3) | HTTP Response Manipulation, Content Spoofing, Session Fixation, XSS/SSRF (P3 specific)… | 8 400 | 25 | 5 |
| Low (P4) | Non-sensitive info disclosure, Open Redirect, Debug Info, HTML Injection in own email… | 0 | 12 | 2 |
| Info (P5) | Self-XSS, Insecure Transport, Missing security headers, Spam, Reflected File Download (RFD)… | 0 | 0 | 0 |
* Categories follow the Bugcrowd VRT and may change depending on real-world impact (details).
** Payments are made subject to taxes and fees under Ukrainian law (details in the offer agreement).
We recommend using this report template. Please include:
- Domain/resource where the vulnerability was found;
- PoC exploit(s), if available;
- HTTP requests demonstrating the issue;
- Screenshots of the reproduction steps;
- Your severity assessment and rationale;
- Video demonstration (if possible).
Send reports to disclosure@prozorro.ua with subject: “ProzorroBB: Bug Name”. One report = one vulnerability.
Research applies only to the domains and IPs listed below in the staging environment.
| Host | IP | Additional Info |
|---|---|---|
| staging.prozorro.gov.ua | 195.178.150.103 | |
| auction-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| audit-api-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| public-api-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| public-docs-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| swift-staging.prozorro.gov.ua | 195.178.157.50, 195.178.157.60 | |
| sas-staging.prozorro.gov.ua | 195.178.150.103 | key and password: 123456 (Test CSC of JSC “IIT”) |
| amcu-staging.prozorro.gov.ua | 195.178.150.103 | key and password: 123456 (Test CSC of JSC “IIT”) |
| infobox.prozorro.org | 195.178.150.108, 195.178.150.106 | |
| risks-staging.prozorro.gov.ua | 195.178.150.82, 195.178.150.81 | |
| exam-staging.prozorro.gov.ua | 195.178.150.105 | key and password: 123456 (Test CSC of JSC “IIT”) |
| exam-back-staging.prozorro.gov.ua | 195.178.150.105 | |
| Host | IP | Additional Info |
|---|---|---|
| zakupivli.today | 193.200.64.61 | |
| my.zakupivli.today | 193.200.64.61 | |
| Host | IP | Additional Info |
|---|---|---|
| test.smarttender.biz, api-test.smarttender.biz, content-test.smarttender.biz, smartid-test.smarttender.biz | 91.200.74.11 | |
| Host | IP | Additional Info |
|---|---|---|
| stage.e-tender.ua | 94.131.241.154 | |
| Host | IP | Additional Info |
|---|---|---|
| bbt.uub.com.ua | 77.123.141.132 | |
All resources not listed in “In Scope” are out of scope. Any interference with production systems is subject to Article 361 of the Criminal Code of Ukraine.
| Host | Additional Info |
|---|---|
| *.prozorro.gov.ua | |
| *.prozorro.org | |
| *.prozorro.ua | |
| *.openprocurement.org | |
| *.s3.zakupivli.today | |
| *.e-tender.ua | |
| *gov.e-tender.ua | |
| *auction.e-tender.ua | |
| *biz.e-tender.ua | |
| *smarttender.biz | |
| *api.smarttender.biz | |
| *content.smarttender.biz | |
| *smartid.smarttender.biz | |
| *uub.com.ua | |
- prozorro.gov.ua/openprocurement
- github.com/ProzorroUKR/openprocurement.api
- prozorro-api-docs.readthedocs.io
- /api/2.5/spore
A public API for access to open data by unauthenticated users.
Access to files attached to procurement entities. Controls access and reads from storage.
OpenStack Swift-based storage. Accessed via the Document Service with temporary links.
Service for auction participants and observers.
Office of the Antimonopoly Committee of Ukraine for reviewing complaints.
Office of the State Audit Service of Ukraine.
Automated detection of suspicious procurements and transfer to SASU for monitoring.
API for accessing risk indicator data.
- Not disclose vulnerability details without the Organizer’s consent;
- Refrain from illegal actions and sending spam;
- Not share inappropriate content;
- Not engage in harmful activities (e.g., malware distribution);
- Not infringe others’ rights or privacy;
- Not conduct DDoS attacks;
- Comply with applicable laws and the Offer Agreement.
- Receive remuneration in the prescribed manner;
- Rely on legal protection, provided the Program rules are followed;
- Receive responses and actions on submitted reports;
- Other rights as defined in the Offer Agreement.
Email bugbounty@prozorro.ua — we’ll reply and/or get in touch via a convenient channel.
- Offer agreement — link