Vulnerability Disclosure Policy

For Customers, Sellers, or Manufacturers (“Users”)

If you’re a registered User who’d like to report fraud-related activity,
account disputes, or spam,
please contact the Administrator.

For Professional Security Researchers

Our team works diligently to protect our customers and
their information. We recognize the vital role that security researchers and
our user community play in keeping and our Sellers and Customers
secure. Please review the guidelines below, and if you discover a site or
product vulnerability please notify us.

Bug Bounty does NOT offer a formal compensation
program for vulnerabilities that are disclosed. Any monetary rewards are at our
discretion for distinct vulnerabilities or severe bugs. 

We will thank you for new and interesting reports in
the “Thanks” section of this page; however, providing a report does not
guarantee that a credit will be published. If
you do submit a report, please be sure to include a phone number and/or an
email address where we can reach you in case we need more information.

We take security issues seriously and will respond
swiftly to fix verifiable security issues. Some aspects of our website and
services are complex and may take time to update if an issue is identified. If
we are properly notified of legitimate issues, we’ll do our best to acknowledge
your report and assign appropriate resources to investigate the issue, and fix
potential problems as quickly as possible.

We will evaluate each bounty report as it comes in. Keep
in mind that we may receive redundant reports for issues that are pending resolution. The main steps we follow are:

1. Determine if the issue has already been reported.

2. If the report is not a duplicate report, or
immediately disqualified, testing will be performed to see if the issue can be
recreated. If we can’t recreate the issue, we may contact you for more information.

3. Our testing will seek to determine whether the report describes an actual
security issue that needs to be resolved, rather than a functionality bug.

4. If your report is properly verified, we will contact you
to let you know that we’ve validated the report, and advise you whether a
formal Thanks or any monetary reward will be issued.

5. We’ll start working on a resolution for the issue.


Properly identifying a valid bug or vulnerability

Certain vulnerabilities are considered valid bugs. Any
identified bug or vulnerability must be in the main

Systems we do not control, including links or redirects
to third-party sites, or CDNs, are excluded from the scope of any bounty. In
order for us to respond to your report:

1. You must be the first person to responsibly disclose
the bug to us.

2. You must have found the vulnerability yourself.

3. You must follow responsible disclosure principles of
giving us a reasonable time to address the issue before you make any
information public.

What’s not a valid bug?

We will review each issue submitted on a case-by-case
basis. The following are some of the issues that typically do not meet the
requirements of our bounty program:

  • Best practices. We don’t
    accept configuration or policy suggestions.
  • Outputs from automated tools without a proof of concept. Output that is copied from vulnerability
    scanners without a proof-of-concept may contain false positives.
  • Out-of-date browser/plug-in flaws.
  • Username enumeration through login or password reset. Username enumeration can be a
    vulnerability. is
    a public e-commerce marketplace and as such usernames can be enumerated by
    design through a number of ways.

Do not engage in security research that involves:

  • Potential or actual denial of service of site and systems.
  • Use of an exploit to view data without authorization, or corruption of data.
  • Requests for direct compensation for the reporting of security issues either to,
    or through any external marketplace for vulnerabilities, whether
    black-market or otherwise.
  • Testing for spam.
  • The use of automated scanners without a narrow scoping. We may employ
    automated blocking mechanisms to identify and catch scanners.
  • Interfering with our members’ use of the marketplace, or messaging legitimate members
    of the site.
  • Improper testing of product listing processes. If using an account(s) for testing,
    please limit your test transactions to small monetary amounts (less than
    $1). All test listings must be removed immediately after testing.
  • We reserve the right to ban test accounts, or other activity, if your activity
    violates our guidelines.

We fully encourage responsible disclosure and strongly
encourage anyone who is interested in researching and reporting security issues
to observe the simple courtesies and protocols of responsible disclosure below. 

Guidelines for responsible disclosure

  • Please share any identified security issue with us before making it public to peers,
    on message boards, mailing lists, and other forums.
  • We would appreciate reasonable time to respond to the issue before disclosing
    it publicly.
  • To be fair, please provide full details of any security or vulnerability
    issue. Please describe fully how you found an issue so we may reproduce
    the conditions.
  • It is important to realize that certain services we use are not under our
    control. Reports of vulnerabilities in related sites will be forwarded to
    the corresponding partner companies.

Taxes and restrictions

This program is not open to minors, or to individuals or
companies that are identified on sanctions lists or located in countries on
sanctions lists. You are responsible for any tax implications or
liabilities. You must not violate any
law, and you are responsible for any restrictions related to your country and
local jurisdictional laws. You must not disrupt any service(s) or compromise
anyone’s personal information or data.
We reserve the right to cancel parts of, or this
entire program, at any time and the decision to pay a reward is entirely at our


We sincerely appreciate the efforts of users and security
researchers to keep secure and safe. We appreciate your efforts!  The list of people who have responsibly
disclosed vulnerabilities to us in the past can be found below (in alphabetical

  • Jonathan
  • Shivam Kamboj
  • Shubham Pathak


If you have any questions or need some help, we would
be happy to assist.

Report a vulnerability or contact us

Please contact us using the tools provided in the Support Center.  
