For Customers, Sellers, or Manufacturers (“Users”)
If you’re a registered User who’d like to report fraud-related activity,
account disputes, or spam,
please contact the Administrator.
For Professional Security Researchers
Our team works diligently to protect our customers and
their information. We recognize the vital role that security researchers and
our user community play in keeping Springcontacts.com and our Sellers and Customers
secure. Please review the guidelines below, and if you discover a site or
product vulnerability please notify us.
Springcontacts.com does NOT offer a formal compensation
program for vulnerabilities that are disclosed. Any monetary rewards are at our
discretion for distinct vulnerabilities or severe bugs.
We will thank you for new and interesting reports in
our “Thanks” section of this page, however, providing a report does not
guarantee a credit will be published. If
you do submit a report, please be sure to include a phone number and/or an
email address where we can reach you in case we need more information.
We take security issues seriously and will respond
swiftly to fix verifiable security issues. Some aspects of our website and
services are complex and may take time to update if an issue is identified. If
we are properly notified of legitimate issues, we’ll do our best to acknowledge
your report and assign appropriate resources to investigate the issue, and fix
potential problems as quickly as possible.
We will evaluate each bounty report as they come in. Keep
in mind that we may receive redundant reports for issues that are pending resolution. The main steps we follow are:
1. Determine if the issue has already been reported.
2. If the report is not a duplicate report, or
immediately disqualified, testing will be performed to see if the issue can be
recreated. If we can’t recreate the issue, we may contact you for more information.
3. Our testing will seek to determine an actual security
issue that needs to be resolved, vs. a functionality bug.
4. If your report is properly verified, we will contact you
to let you know that we’ve validated the report, and advise you whether a
formal Thanks or any monetary reward will be issued.
5. We’ll start working on a resolution for the issue.
Properly identifying a
valid bug or vulnerability
Certain vulnerabilities are considered valid bugs. Any
identified bug or vulnerability must be in the main www.springcontacts.com
Systems we do not control, including links or redirects
to third-party sites, or CDNs, are excluded from the scope of any bounty. In
order for us to respond to your report:
1. You must be the first person to responsibly disclose
the bug to us
2. You must have found the vulnerability yourself
3. You must follow responsible disclosure principles of
giving us a reasonable time to address the issue before you make any
What’s not a valid bug?
We will review each issue submitted on a case-by-case
basis, the following are some of the issues that typically do not meet the
requirements of our bounty program:
- Best practices. We don’t
accept configuration or policy suggestions.
- Outputs from automated tools without a proof of concept. Output that is copied from vulnerability
scanners without a proof-of-concept may contain false positives.
- Out of date browsers/plug-in flaws.
- Username enumeration through login or password reset. Username enumeration can be a
vulnerability. Springcontacts.com is
a public e-commerce marketplace and as such usernames can be enumerated by
design through a number of ways.
Do not engage in
security research that involves
or actual denial of service of Springcontacts.com site and systems.
of an exploit to view data without authorization, or corruption of data.
for direct compensation for the reporting of security issues either to Springcontacts.com,
or through any external marketplace for vulnerabilities, whether
black-market or otherwise.
use of automated scanners without a narrow scoping. We may employ
automated blocking mechanisms to identify and catch scanners.
with our members’ use of the marketplace, or messaging legitimate members
of the site.
- Improper testing of product listing processes. If using an account(s) for testing,
please limit your test transactions to small monetary amounts (less than
$1). All test listings must be
removed immediately after testing.
reserve the right ban test accounts, or other activity, if your activity
violates our guidelines.
We fully encourage responsible disclosure and strongly
encourage anyone who is interested in researching and reporting security issues
to observe the simple courtesies and protocols of responsible disclosure below.
share any identified security issue with us before making it public to peers,
on message boards, mailing lists, and other forums.
would appreciate reasonable time to respond to the issue before disclosing
be fair, please provide full details of any security or vulnerability
issue. Please describe fully how
you found an issue so we may reproduce the conditions.
is important to realize that certain services we use are not under our
control. Reporting vulnerabilities in related sites will be forwarded to
the corresponding partner companies.
Taxes and restrictions
This program is not open to minors, individuals or
companies which are identified on sanctions lists, or located in countries on
sanctions lists. You are responsible for any tax implications or
liabilities. You must not violate any
law, and you are responsible for any restrictions related to your country and
local jurisdictional laws. You must not disrupt any service(s) or compromise
anyone’s personal information or data.
We reserve the right to cancel parts of, or this
entire program, at any time and the decision to pay a reward is entirely at our
We sincerely appreciate the efforts of users and security
researchers to keep Springcontacts.com secure and safe. We appreciate your efforts! The list of people who have responsibly
disclosed vulnerabilities to us in the past can be found below (in alphabetical
- Shivam Kamboj
- Shubham Pathak
If you have any questions or need some help, we would
be happy to assist.
vulnerability or contact us
Please contact us using the tools provided in the Support Center.