otto-de-bug-bounty

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (10)

Asset	Category	Bounty	Quick Links
https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644	IOS	Yes	-
https://mmp.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://orbidder.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de	ANDROID	Yes	Play Store APKPure APKMirror
https://retail-api.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://supplier-connect.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://teleoptiprd.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://www.lascana.de/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://www.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://www.otto.de/jobs	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (17)

Asset	Category	Bounty
/apps-messenger (the chatbot in general is out of scope)	OTHER	Yes
/tracking	OTHER	Yes
All domains not listed In-Scope	OTHER	Yes
Out-Of-Scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Yes
Please let us know if you have any questions regarding the scope.	OTHER	Yes
Those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Yes
https://keycloak.apps.otto.de	OTHER	Yes
https://www.otto.de/clara	OTHER	Yes
https://www.otto.de/kundenchat	OTHER	Yes
https://www.otto.de/newsroom	OTHER	Yes
https://www.otto.de/reblog	OTHER	Yes
https://www.otto.de/roombeez	OTHER	Yes
https://www.otto.de/soulfully	OTHER	Yes
https://www.otto.de/twoforfashion	OTHER	Yes
https://www.otto.de/updated	OTHER	Yes
https://www.otto.de/user/contactFormSubmit	OTHER	Yes
https://www.otto.de/user/sendcallbackrequest	OTHER	Yes

Scope Changes (98)

Feb 25, 2026

Change	Asset	Category	Scope	Time
Added	https://retail-api.otto.de	URL	In Scope	19:09
Added	https://www.otto.de/newsroom	URL	Out of Scope	19:09
Added	https://www.otto.de/user/sendcallbackrequest	URL	Out of Scope	19:09
Added	https://www.otto.de/user/contactFormSubmit	URL	Out of Scope	19:09
Added	all domains not listed in-scope	OTHER	Out of Scope	19:09
Added	/apps-messenger (the chatbot in general is out of scope)	OTHER	Out of Scope	19:09
Added	please let us know if you have any questions regarding the scope	OTHER	Out of Scope	19:09
Added	https://www.lascana.de/	URL	In Scope	19:09
Added	https://orbidder.otto.de	URL	In Scope	19:09
Added	https://keycloak.apps.otto.de	URL	Out of Scope	19:09
Added	/tracking	OTHER	Out of Scope	19:09
Added	https://www.otto.de	URL	In Scope	19:09
Added	https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644	IOS	In Scope	19:09
Added	https://teleoptiprd.otto.de	URL	In Scope	19:09
Added	https://mmp.otto.de	URL	In Scope	19:09
Added	https://www.otto.de/reblog	URL	Out of Scope	19:09
Added	https://www.otto.de/twoforfashion	URL	Out of Scope	19:09
Added	https://www.otto.de/soulfully	URL	Out of Scope	19:09
Added	https://www.otto.de/updated	URL	Out of Scope	19:09
Added	https://www.otto.de/jobs	URL	In Scope	19:09
Added	https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de	ANDROID	In Scope	19:09
Added	https://supplier-connect.otto.de	URL	In Scope	19:09
Added	out-of-scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Out of Scope	19:09
Added	those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Out of Scope	19:09
Added	https://www.otto.de/roombeez	URL	Out of Scope	19:09
Added	https://www.otto.de/kundenchat	URL	Out of Scope	19:09
Added	https://www.otto.de/clara	URL	Out of Scope	19:09

Feb 22, 2026

Change	Asset	Category	Scope	Time
Added	https://teleoptiprd.otto.de	URL	In Scope	00:52
Added	/apps-messenger (the chatbot in general is out of scope)	OTHER	Out of Scope	00:52
Added	/tracking	OTHER	Out of Scope	00:52
Added	please let us know if you have any questions regarding the scope	OTHER	Out of Scope	00:52
Added	https://www.otto.de/reblog	URL	Out of Scope	00:52
Added	https://www.otto.de	URL	In Scope	00:52
Added	https://www.otto.de/updated	URL	Out of Scope	00:52
Added	https://www.otto.de/kundenchat	URL	Out of Scope	00:52
Added	https://www.otto.de/clara	URL	Out of Scope	00:52
Added	https://www.otto.de/roombeez	URL	Out of Scope	00:52
Added	https://www.otto.de/user/contactFormSubmit	URL	Out of Scope	00:52
Added	https://keycloak.apps.otto.de	URL	Out of Scope	00:52
Added	all domains not listed in-scope	OTHER	Out of Scope	00:52
Added	https://retail-api.otto.de	URL	In Scope	00:52
Added	https://www.otto.de/jobs	URL	In Scope	00:52
Added	https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de	ANDROID	In Scope	00:52
Added	https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644	IOS	In Scope	00:52
Added	https://www.lascana.de/	URL	In Scope	00:52
Added	https://www.otto.de/soulfully	URL	Out of Scope	00:52
Added	https://supplier-connect.otto.de	URL	In Scope	00:52
Added	https://mmp.otto.de	URL	In Scope	00:52
Added	https://www.otto.de/user/sendcallbackrequest	URL	Out of Scope	00:52
Added	https://orbidder.otto.de	URL	In Scope	00:52
Added	out-of-scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Out of Scope	00:52
Added	those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Out of Scope	00:52
Added	https://www.otto.de/twoforfashion	URL	Out of Scope	00:52
Added	https://www.otto.de/newsroom	URL	Out of Scope	00:52

Feb 21, 2026

Change	Asset	Category	Scope	Time
Removed	https://teleoptiprd.otto.de	URL	In Scope	21:40
Removed	https://www.otto.de	URL	In Scope	21:40
Removed	https://www.otto.de/jobs	URL	In Scope	21:40
Removed	https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de	ANDROID	In Scope	21:40
Removed	https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644	IOS	In Scope	21:40
Removed	https://mmp.otto.de	URL	In Scope	21:40
Removed	https://orbidder.otto.de	URL	In Scope	21:40
Removed	https://supplier-connect.otto.de	URL	In Scope	21:40
Removed	https://retail-api.otto.de	URL	In Scope	21:40
Removed	out-of-scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Out of Scope	21:40
Removed	those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/reblog	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/roombeez	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/twoforfashion	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/soulfully	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/updated	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/newsroom	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/kundenchat	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/clara	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/user/sendcallbackrequest	OTHER	Out of Scope	21:40
Removed	https://www.otto.de/user/contactFormSubmit	OTHER	Out of Scope	21:40
Removed	https://keycloak.apps.otto.de	OTHER	Out of Scope	21:40
Removed	all domains not listed in-scope	OTHER	Out of Scope	21:40
Removed	/apps-messenger (the chatbot in general is out of scope)	OTHER	Out of Scope	21:40
Removed	/tracking	OTHER	Out of Scope	21:40
Removed	please let us know if you have any questions regarding the scope	OTHER	Out of Scope	21:40
Removed	https://www.lascana.de/	URL	In Scope	21:40
Added	those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Out of Scope	00:33
Added	https://www.otto.de/reblog	OTHER	Out of Scope	00:33
Added	https://www.otto.de/roombeez	OTHER	Out of Scope	00:33
Added	https://www.otto.de/twoforfashion	OTHER	Out of Scope	00:33
Added	https://www.otto.de/soulfully	OTHER	Out of Scope	00:33
Added	https://www.otto.de/updated	OTHER	Out of Scope	00:33
Added	https://www.otto.de/newsroom	OTHER	Out of Scope	00:33
Added	https://www.otto.de/kundenchat	OTHER	Out of Scope	00:33
Added	https://www.otto.de/clara	OTHER	Out of Scope	00:33
Added	https://www.otto.de/user/sendcallbackrequest	OTHER	Out of Scope	00:33
Added	https://www.otto.de/user/contactFormSubmit	OTHER	Out of Scope	00:33
Added	https://keycloak.apps.otto.de	OTHER	Out of Scope	00:33
Added	all domains not listed in-scope	OTHER	Out of Scope	00:33
Added	/apps-messenger (the chatbot in general is out of scope)	OTHER	Out of Scope	00:33
Added	/tracking	OTHER	Out of Scope	00:33
Added	please let us know if you have any questions regarding the scope	OTHER	Out of Scope	00:33
Added	out-of-scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Out of Scope	00:33