Introduction
At ShopBack, safeguarding customer data and maintaining system integrity are at the heart of our mission. Despite rigorous controls, vulnerabilities may arise. We therefore welcome responsible reports from the security research community.
This policy defines how researchers can disclose findings safely, and how ShopBack will engage to ensure issues are resolved quickly and responsibly.
Policy Overview
Purpose
We provide a confidential vulnerability-disclosure channel that minimizes risk to customers and operations while fostering collaboration with researchers.
Safe Harbor
Actions performed in good faith and within this policy’s rules will not trigger civil or criminal actions under the CFAA, DMCA, or similar laws. ShopBack waives any contractual or legal claims related to such testing.
Acknowledgement & Rewards
Qualifying reports may receive bounty payments for high-impact findings, at ShopBack's discretion. Rewards do not entitle the reporter to any public attribution or disclosure.
Response
When you report a security issue to us, you can expect:
- A reply within 3 business days: you'll receive a confirmation email and a tracking ID from our team.
- The issue to be reviewed within 7 days: our team will assess severity and may reach out for additional information.
- Confidential handling: reports are handled confidentially. You agree not to disclose the report, the vulnerability, or the fact that a report was made, to any third party, except with ShopBack's prior written consent.
Eligibility Criteria
- Open to anyone not employed by ShopBack (or immediate family).
- Testing must comply with our Rules of Engagement (see below).
- Reports in breach of law or this policy are ineligible.
Scope
In-Scope Assets
- ShopBack Android & iOS apps
- *.shopback.com domains & sub-domains
- Documented API endpoints
- Cloud resources supporting the above
Out-of-Scope / Low Severity Issues
- Assets not expressly listed as in scope above
- Vulnerabilities needing root / jailbreak or physical access
- Rate-limiting / brute-force results without proven impact
- Self-XSS, clickjacking on non-sensitive pages
- DoS attacks or volumetric traffic tests
Rules of Engagement
Prohibited Activities
- Accessing, exfiltrating, or modifying customer / employee data
- Service disruption (e.g. DDoS, spam)
- Social engineering, phishing, or physical security attacks
- Using automated scanners without rate-limit controls
- Disclosing the report, the vulnerability details, or the fact a report was made, to any third party without ShopBack's prior written consent
Testing Guidelines
- Use your own test accounts (not live customer accounts)
- Add the header X-ShopBack-BugBounty: <handle> to every HTTP request you send, where <handle> is the researcher handle you report under
- Limit test data volume; avoid destructive payloads
- Preferred PoC formats: cURL, Burp request file, or reproducible script
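The three testing rules above (tag every request with the bounty header, keep the request rate low, avoid destructive payloads) can be baked into the PoC script itself, which also makes the script a "reproducible script" in the preferred format. The template below is an added example and is not ShopBack tooling; the host api.example.invalid, the endpoint paths and the handle researcher42 are placeholders (assumptions) to be replaced with the in-scope asset and your own handle.

```python
"""PoC request template following the testing guidelines above.

Added example, not ShopBack's own tooling. The host, endpoint paths and the
handle used here are placeholders (assumptions); substitute your own values.
"""
import json
import time
import urllib.request

TAG_HEADER = "X-ShopBack-BugBounty"

# Methods that normally create, change or remove server-side state. The
# guidelines say to avoid destructive payloads, so these are refused unless
# the caller opts in deliberately.
DESTRUCTIVE_METHODS = {"PUT", "PATCH", "DELETE"}


def required_delay(last_sent, now, min_interval):
    """Seconds to wait so consecutive requests are at least min_interval apart."""
    if last_sent is None:
        return 0.0
    return max(0.0, min_interval - (now - last_sent))


class PocClient:
    """Builds and sends requests that are tagged, throttled and non-destructive by default."""

    def __init__(self, handle, min_interval=1.0, allow_destructive=False):
        # The header value must be a single token so it survives proxies and logs intact.
        if not handle or any(ch.isspace() for ch in handle):
            raise ValueError("handle must be a single non-empty token")
        self.handle = handle
        self.min_interval = min_interval
        self.allow_destructive = allow_destructive
        self._last_sent = None

    def build(self, method, url, json_body=None, extra_headers=None):
        """Return a urllib Request carrying the bounty tag header."""
        method = method.upper()
        if method in DESTRUCTIVE_METHODS and not self.allow_destructive:
            raise ValueError(f"{method} refused: destructive methods are off by default")
        data = None
        headers = {TAG_HEADER: self.handle, "User-Agent": f"poc-{self.handle}"}
        if json_body is not None:
            data = json.dumps(json_body).encode("utf-8")
            headers["Content-Type"] = "application/json"
        headers.update(extra_headers or {})
        return urllib.request.Request(url, data=data, headers=headers, method=method)

    def send(self, request, timeout=10):
        """Send one request, sleeping first if needed to respect the rate limit."""
        delay = required_delay(self._last_sent, time.monotonic(), self.min_interval)
        if delay > 0:
            time.sleep(delay)
        self._last_sent = time.monotonic()
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, resp.read()


def header_map(request):
    """Case-insensitive view of a Request's headers (urllib capitalizes header names)."""
    return {k.lower(): v for k, v in request.header_items()}


if __name__ == "__main__":
    client = PocClient("researcher42", min_interval=0.5)
    # Placeholder URL: replace with the in-scope endpoint under test.
    req = client.build("POST", "https://api.example.invalid/v1/cashback/claim",
                       json_body={"order_id": "TEST-0001"})
    for name, value in sorted(header_map(req).items()):
        print(f"{name}: {value}")
    # client.send(req) would issue the request; it is left out so this runs offline.
```

Keep `min_interval` at a second or more for anything that walks IDs or fuzzes parameters; a PoC only needs to demonstrate the issue once, so the throttle costs nothing and keeps you inside the automated-scanner rule. Set `allow_destructive=True` only for the single request that proves the finding, never for a loop.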
Reporting Process
Send concise reports to security@shopback.com including:
- Affected asset & feature
- Impact analysis and explanation
- Reproduction steps with PoC (screenshots /video)
- Suggested remediation (optional)
- Any out-of-policy actions (must be declared)
Any sensitive data encountered during testing must be purged within 30 days or sooner on ShopBack's request.
Agreement to Terms
By submitting a report to ShopBack, or otherwise communicating a report regarding vulnerabilities or errors, you agree that:
- Supplying your contact information with your report is voluntary and at your discretion. ShopBack will use any personal data you provide solely to assess, clarify, and respond to your report, and will retain it only as long as necessary for that purpose.
- ShopBack may use your report for any purpose it deems relevant, including correcting any vulnerabilities or errors it deems to require correction. You warrant that your report and any attachments do not violate the intellectual property rights of any third party, and you grant ShopBack a perpetual, irrevocable, worldwide, royalty-free licence to use, reproduce, and adapt the report and attachments for any purpose related to securing its products and services.
- You agree not to disclose to any third party any information related to your report, the vulnerabilities or errors reported, or the fact that a report has been made to ShopBack, except with ShopBack's prior written consent.
PGP Support
Reports may optionally be encrypted with the ShopBack Security Team's PGP key:
- Fingerprint: 9F0C 7A31 D248 9D44 B8F5 D093 4D1E FC2A E85D 6214
Legal
- This policy authorizes researchers to test in-scope assets.
- Reports are handled under the confidentiality terms set out in this policy.
- If any policy clause is unenforceable, remaining terms remain valid.
Questions & Feedback
We continuously improve this program.
For clarifications or suggestions, contact security@shopback.com.