ShopBack Responsible Disclosure Policy

Introduction

At ShopBack, safeguarding customer data and maintaining system integrity are at the heart of our mission. Despite rigorous controls, vulnerabilities may arise. We therefore welcome responsible reports from the security research community.

This policy defines how researchers can disclose findings safely, and how ShopBack will engage to ensure issues are resolved quickly and transparently.

Policy Overview

Purpose

We provide a coordinated vulnerability-disclosure (CVD) channel that minimizes risk to customers and operations while fostering collaboration with researchers.

Safe Harbor

Actions performed in good faith and within this policy’s rules will not trigger civil or criminal actions under the CFAA, DMCA, or similar laws. ShopBack waives any contractual or legal claims related to such testing.

Acknowledgement & Rewards

Qualifying reports may receive:

  • Listing in our Hall of Fame (with researcher consent)
  • Swag or equivalent non-monetary tokens
  • Potential bounty payments for high-impact findings
  • Severity scoring based on CVSS v3.1 (migrating to CVSS v4 upon ratification)

Response SLAs

When you report a security issue to us, you can expect:

  • A reply within 3 business days
    You’ll receive a confirmation email and tracking ID from our team.
  • The issue to be reviewed within 7 days
    Our team will assess severity and may reach out for additional information.
  • Fix or mitigation within 90 days
    Serious issues will be prioritized for faster resolution.
  • Coordinated disclosure
    Any public announcement will be aligned with you, typically within 90 days unless otherwise agreed.

Eligibility Criteria

  • Open to anyone not employed by ShopBack (or a member of an employee's immediate family).
  • Testing must comply with our Rules of Engagement (see below).
  • Reports in breach of law or this policy are ineligible.

Scope

In-Scope Assets

  • ShopBack Android & iOS apps
  • *.shopback.com domains & sub-domains
  • Documented API endpoints
  • Cloud resources supporting the above

Out-of-Scope / Low Severity Issues

  • Assets not expressly listed above
  • Vulnerabilities needing root / jailbreak or physical access
  • Rate-limiting / brute-force results without proven impact
  • Self-XSS, clickjacking on non-sensitive pages
  • DoS attacks or volumetric traffic tests

Rules of Engagement

Prohibited Activities

  • Accessing, exfiltrating, or modifying customer / employee data
  • Service disruption (e.g. DDoS, spam)
  • Social engineering, phishing, or physical security attacks
  • Using automated scanners without rate-limit controls
  • Disclosing vulnerability details to third parties before coordinated release

Testing Guidelines

  • Use your own test accounts (not live customer accounts)
  • Add the header X-ShopBack-BugBounty: <handle> to your HTTP requests
  • Limit test data volume; avoid destructive payloads
  • Preferred PoC formats: cURL, Burp request file, or reproducible script

Reporting Process

Send concise reports to security@shopback.com including:

  1. Affected asset & feature
  2. Impact analysis and explanation
  3. Reproduction steps with PoC (screenshots/video)
  4. Suggested remediation (optional)
  5. Any out-of-policy actions (must be declared)

Sensitive data must be purged within 30 days or upon request.

PGP Support

Reports may optionally be encrypted with the ShopBack Security Team's PGP key:

  • Fingerprint: 9F0C 7A31 D248 9D44 B8F5 D093 4D1E FC2A E85D 6214

Legal

  • This policy authorizes researchers to test in-scope assets.
  • No NDA is required; publication is allowed after the coordinated disclosure window.
  • If any policy clause is unenforceable, remaining terms remain valid.

Questions & Feedback

We continuously improve this program.

For clarifications or suggestions, contact security@shopback.com.