Overstock's Vulnerability Disclosure Page!

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

82 vulnerabilities rewarded

Validation within about 18 hours
75% of submissions are accepted or rejected within about 18 hours

Latest hall of famers

Recently joined this program

787 total


Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Overstock.com encourages you to responsibly report any security issues you're able to identify on Overstock.com!


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT based submissions.


In scope

Target name Type Tags
www.overstock.com Website Testing
  • Bootstrap
  • RequireJS
  • Modernizr
  • Handlebars
  • Akamai CDN
  • Website Testing
  • ReactJS
  • jQuery
http(s)://api.overstock.com API Testing
  • API Testing
  • HTTP
  • ReactJS
  • jQuery
Overstock Android Mobile App Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Overstock iOS Mobile App iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
cars.overstock.com Website Testing
  • Website Testing
pets.overstock.com Website Testing
  • Website Testing
*.overstock.com Website Testing
  • ReactJS
  • jQuery
  • RequireJS
  • Modernizr
  • Handlebars
  • Akamai CDN
  • Website Testing
  • Recon
  • DNS
*.supplieroasis.com Website Testing

Out of scope

Target name Type
financehub.overstock.com Website Testing
investors.overstock.com Website Testing
blog.overstock.com Website Testing
help.overstock.com Website Testing
miq.overstock.com Other
snow.overstock.com Website Testing
hotels.overstock.com Website Testing
*.handmade.com Website Testing

Any domain/property of Overstock not listed in the targets section is out of scope. This includes any/all subdomains not listed above.

Target info:


Please note this is a production environment.

  • Do not conduct tests against customer accounts (e.g. accounts you do not expressly own)
  • Do not conduct tests that will impact the performance of the environment
  • If you feel you have found a security issue, but testing will impact the environment, please submit the issue and contact support@bugcrowd.com
  • This is a production site, so please avoid copious amounts of scanner activity
  • If your IP address gets banned for excessive scanning, please wait 4 hours to be unbanned, if you still experience issues please email support@bugcrowd.com (which is one more reason to be judicious with the amount of total requests you're sending while testing on ALL targets)

Mobile Downloads:

Android: https://play.google.com/store/apps/details?id=com.overstock
iOS: https://itunes.apple.com/us/app/overstock.com-mobile-shopping/id339883869?mt=8

  • Please note, https://www.overstock.com/api, https://www.overstock.com/api2, and https://api.overstock.com are used frequently with both mobile apps.


This webapp allows users to search for pets to adopt with other related functionality.

The Contact Seller form is sent to 3rd parties and is out of scope.


This is a webapp that allows users to search for cars, among other functionalities, but doesn't have any authenticated components.

Of note, the "contact dealer" and "get quote" functionality are off domain, and thusly out of scope.

Focus Areas:

  • Application logic issues
  • Remote Code Execution
  • Significant Authentication Bypass
  • Cross Site Request Forgery on Critical Actions
  • Cross Site Scripting (excluding self-XSS)
  • SQL Injection
  • Directory Traversal
  • Information Disclosure
  • API abuse, especially against the following URIs:
    • www.overstock.com/api
    • www.overstock.com/api2
    • api.overstock.com/checkouts
    • api.overstock.com/oauth
    • api.overstock.com/emails
    • api.overstock.com/bronze
    • api.overstock.com/customers
    • api.overstock.com/storecard
    • api.overstock.com/wishlists
    • edge.supplieroasis.com/gateway

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Overstock.com not listed in the targets section is out of scope. This includes any/all subdomains not listed above. IF you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Overstock.com org, it may be reported to this program, and is appreciated - but will ultimately be marked as 'not applicable' and will not be eligible for monetary or points-based compensation.

Program rules

This program follows Bugcrowd’s standard disclosure terms.