Vulnerability Disclosure Policy

For Customers, Sellers, or Manufacturers (“Users”)

If you're a registered User who'd like to report fraud-related activity, account disputes, or spam, please contact the Administrator.

For Professional Security Researchers

Our team works diligently to protect our customers and their information. We recognize the vital role that security researchers and our user community play in keeping and our Sellers and Customers secure. Please review the guidelines below, and if you discover a site or product vulnerability please notify us.

Bug Bounty does NOT offer a formal compensation program for vulnerabilities that are disclosed. Any monetary rewards are at our discretion for distinct vulnerabilities or severe bugs. 

We will thank you for new and interesting reports in our “Thanks” section of this page, however, providing a report does not guarantee a credit will be published.   If you do submit a report, please be sure to include a phone number and/or an email address where we can reach you in case we need more information. 

We take security issues seriously and will respond swiftly to fix verifiable security issues. Some aspects of our website and services are complex and may take time to update if an issue is identified. If we are properly notified of legitimate issues, we’ll do our best to acknowledge your report and assign appropriate resources to investigate the issue, and fix potential problems as quickly as possible.

We will evaluate each bounty report as they come in. Keep in mind that we may receive redundant reports for issues that are pending resolution.  The main steps we follow are:

1.     Determine if the issue has already been reported.

2.     If the report is not a duplicate report, or immediately disqualified, testing will be performed to see if the issue can be recreated. If we can't recreate the issue, we may contact you for more information.

3.     Our testing will seek to determine an actual security issue that needs to be resolved, vs. a functionality bug.

4.     If your report is properly verified, we will contact you to let you know that we've validated the report, and advise you whether a formal Thanks or any monetary reward will be issued.

5.     We'll start working on a resolution for the issue.


Properly identifying a valid bug or vulnerability

Certain vulnerabilities are considered valid bugs. Any identified bug or vulnerability must be in the main site.

Systems we do not control, including links or redirects to third-party sites, or CDNs, are excluded from the scope of any bounty. In order for us to respond to your report:

1.     You must be the first person to responsibly disclose the bug to us

2.     You must have found the vulnerability yourself

3.     You must follow responsible disclosure principles of giving us a reasonable time to address the issue before you make any information public.

What's not a valid bug?

We will review each issue submitted on a case-by-case basis, the following are some of the issues that typically do not meet the requirements of our bounty program:

  • Best practices. We don't accept configuration or policy suggestions.
  • Outputs from automated tools without a proof of concept. Output that is copied from vulnerability scanners without a proof-of-concept may contain false positives.
  • Out of date browsers/plug-in flaws.
  • Username enumeration through login or password reset. Username enumeration can be a vulnerability. is a public e-commerce marketplace and as such usernames can be enumerated by design through a number of ways.

Do not engage in security research that involves 

  • Potential or actual denial of service of site and systems.
  • Use of an exploit to view data without authorization, or corruption of data.
  • Requests for direct compensation for the reporting of security issues either to, or through any external marketplace for vulnerabilities, whether black-market or otherwise.
  • Testing for spam.
  • The use of automated scanners without a narrow scoping. We may employ automated blocking mechanisms to identify and catch scanners.
  • Interfering with our members' use of the marketplace, or messaging legitimate members of the site.
  • Improper testing of product listing processes.  If using an account(s) for testing, please limit your test transactions to small monetary amounts (less than $1).  All test listings must be removed immediately after testing.
  • We reserve the right ban test accounts, or other activity, if your activity violates our guidelines.

We fully encourage responsible disclosure and strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure below. 

Guidelines for responsible disclosure 

  • Please share any identified security issue with us before making it public to peers, on message boards, mailing lists, and other forums.
  • We would appreciate reasonable time to respond to the issue before disclosing it publicly.
  • To be fair, please provide full details of any security or vulnerability issue.  Please describe fully how you found an issue so we may reproduce the conditions.
  • It is important to realize that certain services we use are not under our control. Reporting vulnerabilities in related sites will be forwarded to the corresponding partner companies. 

Taxes and restrictions

This program is not open to minors, individuals or companies which are identified on sanctions lists, or located in countries on sanctions lists. You are responsible for any tax implications or liabilities.  You must not violate any law, and you are responsible for any restrictions related to your country and local jurisdictional laws. You must not disrupt any service(s) or compromise anyone’s personal information or data.
We reserve the right to cancel parts of, or this entire program, at any time and the decision to pay a reward is entirely at our discretion.


We sincerely appreciate the efforts of users and security researchers to keep secure and safe. We appreciate your efforts!  The list of people who have responsibly disclosed vulnerabilities to us in the past can be found below (in alphabetical order):

  • Jonathan Suldo
  • Shivam Kamboj
  • Shubham Pathak


If you have any questions or need some help, we would be happy to assist.

Report a vulnerability or contact us

Please contact us using the tools provided in the Support Center.