prebid-server-java

The JAVA server makes some RTB fields visible to bidders that shouldn't be visible

Open YuriyVelichkoPI opened this issue 3 months ago • 1 comments

Background

The bidder requests on PBS JAVA contain the following RTB fields:

  • ext.prebid.aliasgvlids
  • ext.prebid.returnallbidstatus
  • ext.prebid.floors
  • ext.prebid.targeting

However, according to this doc they shouldn't be in the bidder requests: https://docs.prebid.org/prebid-server/endpoints/openrtb2/pbs-endpoint-auction.html#prebid-server-ortb2-extension-summary

The bidder requests on PBS GO don't contain these fields.

I'm not sure if PBS JAVA exposes other fields that it shouldn't expose to the bidders, but at least we see these fields.

Objectives

  1. Decide whether it is an issue or not
    • Decide what to fix - documentation or code
  2. If it is an issue of PBS JAVA feel free to assign this issue to @zxPhoenix. And he will provide the patch on behalf of Raptive.
    • Advise if we should review the visibility of other fields marked as invisible for the adapters in the spec

YuriyVelichkoPI, Oct 09 '25 10:10

Hi @YuriyVelichkoPI, thank you for reporting that.

It looks like an issue to me. And the fix might lead to significant changes in the PBS core.

Some of the fields like aliasgvlids and returnallbidstatus are not needed for sure. Other fields like floors and targeting (and I believe the list is not exhaustive) might be needed for decision-making inside the adapters, and the only source of truth for this is a BidRequest, which keeps those fields until the bidder call. I'm not saying it's correct, I'm just trying to explain why the fields are exposed to bidders historically.

If we'd like to align that with the documentation we have to clean up the corresponding fields in the core of PBS, but at the same time keep the values of those fields in some other way accessible within adapters - sounds like a big change to make it work for all the existing and future bidders.

Let me discuss it with the team. FYI @Net-burst

AntoxaAntoxic, Oct 16 '25 10:10

Discussed in the committee. The only real issue is the fields that would allow bidders to infer which other bidders are taking part in the auction. Such fields should not be exposed to bidders. This will be fixed in one of the PBS-Java releases.

Net-burst, Nov 19 '25 15:11
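
A check for the four fields listed in the issue, added here as an example and not taken from the thread or from PBS code: it reports which of those dotted paths are present in an outgoing bidder request and returns a copy with them removed. The names `HIDDEN_PATHS`, `find_exposed`, `strip_paths` and the `SAMPLE` request are assumptions made for illustration; the sample is constructed, not captured from PBS.

```python
import copy

# Dotted paths the issue reports as present in PBS-Java bidder requests.
HIDDEN_PATHS = (
    "ext.prebid.aliasgvlids",
    "ext.prebid.returnallbidstatus",
    "ext.prebid.floors",
    "ext.prebid.targeting",
)

# Constructed sample of an outgoing bidder request (values are made up).
SAMPLE = {
    "id": "req-1",
    "ext": {"prebid": {
        "aliasgvlids": {"aliasA": 1},
        "returnallbidstatus": True,
        "targeting": {"includewinners": True},
        "debug": True,  # a field that is not in the issue's list
    }},
}


def find_exposed(request, paths=HIDDEN_PATHS):
    """Return the dotted paths from `paths` that exist in the request dict."""
    exposed = []
    for path in paths:
        node = request
        for key in path.split("."):
            # Stop at a missing key or a non-object intermediate value.
            if not isinstance(node, dict) or key not in node:
                break
            node = node[key]
        else:
            exposed.append(path)
    return exposed


def strip_paths(request, paths=HIDDEN_PATHS):
    """Return a deep copy of the request with the given paths removed."""
    cleaned = copy.deepcopy(request)
    for path in paths:
        *parents, leaf = path.split(".")
        node = cleaned
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
        if isinstance(node, dict):
            node.pop(leaf, None)
    return cleaned
```

Running `find_exposed` over requests captured at the bidder endpoint in a test environment gives a regression check for whichever subset of fields ends up being hidden.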