Vulnerability Disclosure Policy

Shopup's vulnerability disclosure policy 

ShopUp is Bangladesh's leading full-stack B2B commerce platform for small businesses (online and offline). We provide easy access to B2B sourcing, last-mile logistics, digital credit and business management solutions to small businesses.  

How to report an issue? 

If you, as a security researcher, have discovered a vulnerability in our systems, please report it to us so that together we can improve the safety and reliability of our systems. If you would like to report a vulnerability or have a security concern regarding the shopup.com.bd website or its services, please email security@shopup.org.

Our support team and a team of security experts will investigate the submitted finding(s). To make it easier for us to reproduce the finding, please also include your steps to reproduce or your proof of concept. We will confirm receipt of the submission by e-mail within five working days. We will treat a submitted report as confidential and will not share your personal data with third parties without your permission. We will keep the submitter informed about the progress of resolving the problem.

Thank you for keeping Shopup and our customers safe. 

Please note: do not disclose findings without prior written notice from us.

Applicable Rules 

  1. Do not abuse any vulnerability. Make sure that you do not cause any damage with the vulnerability you have discovered. Under no circumstances may your actions lead to a deliberate interruption of our services or to the disclosure of client data.
  2. Do not use social engineering to gain access to a system, and do not use automated scanners to detect vulnerabilities.
  3. Limit the use of a vulnerability to the absolute minimum. Do only what is necessary to establish that the vulnerability exists.
  4. Do not make any system changes or remove/copy any data from the system.
  5. Do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability.

Out-of-Scope vulnerabilities 

  1. Reports must demonstrate security impact to be considered; general software bugs (e.g. SSL issues, outdated versions) are not in scope for this program.
  2. Username enumeration via signup and account recovery forms
  3. Vulnerabilities regarding SPF/DMARC/DKIM records without verifiable proof of spoofing to a major mail client
  4. Best-practice concerns such as cookies not marked Secure and HttpOnly, missing HSTS, SSL/TLS configuration, missing security headers, etc.
  5. Vulnerabilities reported by automated tools and scanners without an additional proof of concept
  6. Vulnerabilities that only affect outdated app versions or browsers; we consider vulnerabilities only in the versions of our applications that are currently in the app store, and exploits only in the latest browser versions
  7. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  8. Exploits that require MITM or physical access to the victim's device
  9. Clickjacking on pages with no sensitive actions
  10. Unauthenticated/logout/login CSRF
  11. Previously known vulnerable libraries without a working proof of concept
  12. Content spoofing and text injection issues without a demonstrated attack vector or the ability to modify HTML/CSS
  13. Open redirect vulnerabilities, most of which have low security impact. If the impact is high, do let us know.
  14. Stack traces, directory listings or path disclosures
  15. Self-XSS
  16. Social engineering attacks, whether against users or ShopUp employees

Recognition – Hall of Fame Page 

  1. In recognition of your help in keeping ShopUp's data secure, once a reported security vulnerability has been verified and fixed, we would like to put your name on our Hall of Fame page.
  2. Of course, we will need to know whether you want this recognition; if so, you will need to give us your name, Twitter handle and LinkedIn profile as you wish them to be displayed on our Hall of Fame page.

We currently do not offer any monetary compensation. However, we may send out Shopup swag in some cases. 

Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Vulnerability Disclosure Policy. 

Public Disclosure Policy 

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means: 

“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC; ANYONE FAILING TO COMPLY SHALL BE LIABLE TO LEGAL PENALTIES!”