Ferrero Vulnerability Disclosure Program

Program Overview

Ferrero runs a vulnerability disclosure program on HackerOne. The program has 316 in-scope assets and is managed by HackerOne's triage team.

316

In-Scope Assets

23h

Avg Response

84%

Efficiency

56d

Avg Resolve

In-Scope Assets

Asset	Type	Max Severity	Eligible
*.babyruth.com	WILDCARD	Critical	No Bounty
*.butterfinger.com	WILDCARD	Critical	No Bounty
*.crunchbar.com	WILDCARD	Critical	No Bounty
*.duplo.de	WILDCARD	Critical	No Bounty
*.eatnatural.com	WILDCARD	Critical	No Bounty
*.estathe.it	WILDCARD	Critical	No Bounty
*.famousamos.com	WILDCARD	Critical	No Bounty
*.fanniemay.com	WILDCARD	Critical	No Bounty
*.ferrero-kuesschen.de	WILDCARD	Critical	No Bounty
*.ferrero.com	WILDCARD	Critical	No Bounty
*.ferreropromo.it	WILDCARD	Critical	No Bounty
*.ferrerorocher.com	WILDCARD	Critical	No Bounty
*.fiestaferrero.it	WILDCARD	Critical	No Bounty
*.fulfilnutrition.com	WILDCARD	Critical	No Bounty
*.giotto.de	WILDCARD	Critical	No Bounty
*.hanuta.de	WILDCARD	Critical	No Bounty
*.keebler.com	WILDCARD	Critical	No Bounty
*.kinder.com	WILDCARD	Critical	No Bounty
*.littlebrowniebakers.com	WILDCARD	Critical	No Bounty
*.moncheri.it	WILDCARD	Critical	No Bounty
*.motherscookies.com	WILDCARD	Critical	No Bounty
*.murraysugarfree.com	WILDCARD	Critical	No Bounty
*.nutella.com	WILDCARD	Critical	No Bounty
*.pocketcoffee.it	WILDCARD	Critical	No Bounty
*.raffaello.com	WILDCARD	Critical	No Bounty
*.thorntons.com	WILDCARD	Critical	No Bounty
*.tictac.com	WILDCARD	Critical	No Bounty
*.yogurette.de	WILDCARD	Critical	No Bounty
backtoschool2024.ferreropromo.it	URL	Critical	No Bounty
caraffa2024.ferreropromo.it	URL	Critical	No Bounty
figurine2024.ferreropromo.it	URL	Critical	No Bounty
fulfil-promo.de	URL	Critical	No Bounty
ge63-ferreropp.web.oxv.fr	URL	Critical	No Bounty
http://backtoschool25.ru	URL	Critical	No Bounty
http://duplo-chocnut.de/gratistesten	URL	Critical	No Bounty
http://estathe.it/	URL	Critical	No Bounty
http://fandom.kinder.com/strangerthings	URL	Critical	No Bounty
http://kinder.com/de/de/xp/magische-bescherung	URL	Critical	No Bounty
http://kinderbuenotaiwan.com/tw/zh/xp/kbkpop/	URL	Critical	No Bounty
http://kinderkarnawal.pl/admin_bn5cz9k4/login	URL	Critical	No Bounty
http://testy.kinderdziendziecka.pl	URL	Critical	No Bounty
http://testy.kinderdziendziecka.pl/admin_dakr82swp	URL	Critical	No Bounty
http://www.eatnatural.com/de/de/xp/gratistesten/	URL	Critical	No Bounty
http://www.ferrero-cashback.de	URL	Critical	No Bounty
http://www.k-joy.de/strangerthings	URL	Critical	No Bounty
http://www.kindercreamypromo.com/in/en/xp/freegiftwitheverypack	URL	Critical	No Bounty
http://www.kinderjoyindiapromo.com/in/en/xp/triptoaustralia	URL	Critical	No Bounty
http://www.kinderschokobons.de/strangerthings	URL	Critical	No Bounty
https://5cc1659edaa8.hosting.myjino.ru/	URL	Critical	No Bounty
https://accendilefesteestatheedamici.estathe.it	URL	Critical	No Bounty

Showing 50 of 316 in-scope assets. View all on HackerOne.

Tips for Hacking Ferrero

Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Ferrero?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Ferrero pay bounties?

No, Ferrero runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.

What types of vulnerabilities does Ferrero accept?

Ferrero accepts reports for vulnerabilities found in their 316 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.

Program Overview

In-Scope Assets

Tips for Hacking Ferrero

Frequently Asked Questions

Similar Programs on HackerOne

Spotify

Adobe

GoodRx