otto-de-bug-bounty

RawAI Enhanced

In Scope

Out of Scope

In-Scope Assets (10)

Asset	Category	Bounty	Quick Links
https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644	IOS	Yes	-
https://mmp.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://orbidder.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de	ANDROID	Yes	Play Store APKPure APKMirror
https://retail-api.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://supplier-connect.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://teleoptiprd.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://www.lascana.de/	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://www.otto.de	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa
https://www.otto.de/jobs	URL	Yes	crt.sh Google Shodan SecurityTrails Wayback DNSdumpster VirusTotal AlienVault OTX GitHub Fofa

Out-of-Scope Assets (17)

Asset	Category	Bounty
/apps-messenger (the chatbot in general is out of scope)	OTHER	Yes
/tracking	OTHER	Yes
All domains not listed In-Scope	OTHER	Yes
Out-Of-Scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Yes
Please let us know if you have any questions regarding the scope.	OTHER	Yes
Those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Yes
https://keycloak.apps.otto.de	OTHER	Yes
https://www.otto.de/clara	OTHER	Yes
https://www.otto.de/kundenchat	OTHER	Yes
https://www.otto.de/newsroom	OTHER	Yes
https://www.otto.de/reblog	OTHER	Yes
https://www.otto.de/roombeez	OTHER	Yes
https://www.otto.de/soulfully	OTHER	Yes
https://www.otto.de/twoforfashion	OTHER	Yes
https://www.otto.de/updated	OTHER	Yes
https://www.otto.de/user/contactFormSubmit	OTHER	Yes
https://www.otto.de/user/sendcallbackrequest	OTHER	Yes

Scope Changes (27)

Apr 16, 2026

Change	Asset	Category	Scope	Time
Added	https://www.otto.de	URL	In Scope	18:33
Added	https://www.otto.de/jobs	URL	In Scope	18:33
Added	https://play.google.com/store/apps/details?id=de.cellular.ottohybrid&hl=de	ANDROID	In Scope	18:33
Added	https://apps.apple.com/de/app/otto-shopping-m%C3%B6bel/id404844644	IOS	In Scope	18:33
Added	https://www.lascana.de/	URL	In Scope	18:33
Added	https://teleoptiprd.otto.de	URL	In Scope	18:33
Added	https://mmp.otto.de	URL	In Scope	18:33
Added	https://orbidder.otto.de	URL	In Scope	18:33
Added	https://supplier-connect.otto.de	URL	In Scope	18:33
Added	https://retail-api.otto.de	URL	In Scope	18:33
Added	out-of-scope are also other applications hosted under the www.otto.de domain but have a different path, that is not part of our core online shop itself (you will notice, since the design of the page is completely different)	OTHER	Out of Scope	18:33
Added	those include but are not limited to (if unsure, contact us before executing the tests):	OTHER	Out of Scope	18:33
Added	https://www.otto.de/reblog	OTHER	Out of Scope	18:33
Added	https://www.otto.de/roombeez	OTHER	Out of Scope	18:33
Added	https://www.otto.de/twoforfashion	OTHER	Out of Scope	18:33
Added	https://www.otto.de/soulfully	OTHER	Out of Scope	18:33
Added	https://www.otto.de/updated	OTHER	Out of Scope	18:33
Added	https://www.otto.de/newsroom	OTHER	Out of Scope	18:33
Added	https://www.otto.de/kundenchat	OTHER	Out of Scope	18:33
Added	https://www.otto.de/clara	OTHER	Out of Scope	18:33
Added	https://www.otto.de/user/sendcallbackrequest	OTHER	Out of Scope	18:33
Added	https://www.otto.de/user/contactFormSubmit	OTHER	Out of Scope	18:33
Added	https://keycloak.apps.otto.de	OTHER	Out of Scope	18:33
Added	all domains not listed in-scope	OTHER	Out of Scope	18:33
Added	/apps-messenger (the chatbot in general is out of scope)	OTHER	Out of Scope	18:33
Added	/tracking	OTHER	Out of Scope	18:33
Added	please let us know if you have any questions regarding the scope	OTHER	Out of Scope	18:33