Vulnerability Disclosure Policy
Shopup's vulnerability disclosure policy
ShopUp is Bangladesh's leading full-stack B2B commerce platform for small businesses (online
and offline). We provide easy access to B2B sourcing, last-mile logistics, digital credit and
business management solutions to small businesses.
How to report an issue?
Have you, as a security researcher, discovered a vulnerability in our system? Please help us by
reporting it to us, so that we can improve the safety and reliability of our systems together. If
you would like to report a vulnerability or have a security concern regarding the website
shopup.com.bd or its services, please email <security@shopup.org>
Our support team and a team of security experts will investigate the submitted finding(s). To
make it easier for us to reproduce the finding, please also include your steps to reproduce or
your proof of concept. We will confirm receipt of the submission via e-mail within five working
days. We will treat a submitted report as confidential and will not share (your) personal data with
third parties without (your) permission. We will keep the submitter informed about the progress
of solving the problem.
Thank you for keeping Shopup and our customers safe.
Please note: do not disclose findings without prior written notice from us.
Applicable Rules
- Don't abuse any vulnerabilities. Please make sure that you do not cause any damage
with the vulnerability you have discovered. Under no circumstances may your actions
lead to a deliberate interruption of the services or to the disclosure of client data.
- Please refrain from using social engineering to gain access to a system, and do not
use automated scanners to detect vulnerabilities.
- Limit the use of a vulnerability to an absolute minimum. Do only what is necessary to
establish the vulnerability.
- Do not make any system changes or remove/copy any data from the system.
- You shall not post or share any information about a potential vulnerability in any public
setting until we have researched, responded to, and addressed the reported
vulnerability.
Out-of-Scope vulnerabilities
- Reports must demonstrate security impact to be considered; general software
bugs (such as SSL issues or outdated versions) are not in scope for this program.
- Username Enumeration via signup and account recovery forms
- Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing
to a major mail client
- Best-practice concerns such as cookies not marked Secure or HttpOnly, missing HSTS,
SSL/TLS configuration, missing security headers, etc.
- Vulnerabilities reported by automated tools and scanners without additional proof of
concept
- Vulnerabilities that only affect outdated app versions or browsers - we consider
vulnerabilities only in the versions of our applications that are currently in the app store
and exploits only in the latest browser versions
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Exploits that need MITM or physical access to the victim’s device
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout/login CSRF
- Previously known vulnerable libraries without a working Proof of Concept
- Content spoofing and text injection issues without a demonstrated attack vector or the
ability to modify HTML/CSS
- Open redirect vulnerabilities, most of which have low security impact. If the impact is
high, do let us know.
- Stack traces, directory listings or path disclosures
- Self XSS
- Social engineering attacks, against either users or Shopup employees
Recognition – Hall of Fame Page
- To thank you for helping Shopup keep our data secure, once the security vulnerability is
verified and fixed as a result of your report, we would like to put your name on our Hall of
Fame page.
- Of course, we will need to know whether you want the recognition, in which case you will be
required to give us your name, Twitter handle and LinkedIn profile as you wish them to be
displayed on our Hall of Fame page.
We currently do not offer any monetary compensation. However, we may send out Shopup
swag in some cases.
Requests or demands for monetary compensation in connection with any identified or alleged
vulnerability are non-compliant with this Vulnerability Disclosure Policy.
Public Disclosure Policy
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE
INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC;
FAILURE TO COMPLY SHALL MAKE ONE LIABLE FOR LEGAL PENALTIES!”