Report Security Issue

Security Issue Report

We urge you to inform us immediately if you discover a security hole on Shoptob. All valid vulnerability reports will be reviewed, and we'll try to remedy the issue rapidly. Before reporting, please read this document's core principles, bounty program, reward policies, and what should not be reported.


If you follow the guidelines below when reporting a security issue to Shoptob, we won't pursue legal action against you or open an enforcement investigation in response to your report.

1. You give us a fair amount of time to review and correct a problem you report before releasing any information about it or disclosing it to others.

2. You must not interact with a personal account (including accessing or changing its data) unless the account owner has authorized such actions.

3. You sincerely attempt to prevent invasions of privacy and inconveniences for others, such as (but not limited to) data loss and halting or degrading our services.

4. You under no circumstances exploit a security flaw you find. (This includes exploiting it to demonstrate additional risk, such as attempting to compromise private company information or looking for more problems.)

5. You don't break any other applicable laws or rules.


Security researchers who alert us to flaws in our services help us keep people safe, and we compensate them for their efforts. Financial rewards for such reports are entirely at the discretion of Shoptob and are based on risk, impact, and other considerations. To be eligible for a possible bounty, you must first meet the following conditions:

1. Uphold our core principles (see above).

2. Report a security flaw, that is, identify a weakness in our infrastructure or services that poses a security or privacy risk. (Note that many bugs aren't security concerns, and Shoptob ultimately decides the risk of an issue.)

3. Use our security center to submit your report. Do not contact employees.

4. Disclose any privacy violations or disruptions you unintentionally cause when looking into a problem, such as accessing account data, service configurations, or other private information.

5. We look into and respond to all legitimate reports. However, due to the volume of messages we receive, we prioritize evaluations based on risk and other variables, so it may take some time before you hear back.

6. Reports may be published at our discretion.


Our rewards are based on the impact of a vulnerability. Please give us feedback on any area of the program that you believe we could improve as we update it over time with your support.

1. Please provide thorough reports with reproducible steps. The issue will not be eligible for a bounty if the information is not detailed enough to reproduce it.

2. When there are duplicate reports, we award the bounty to the first report that we can fully reproduce.

3. One bounty will be given out for multiple vulnerabilities caused by the same underlying problem.

4. Several factors, including (but not limited to) impact, ease of exploitation, and report quality, are taken into consideration when determining the bounty payout. We draw particular attention to the bounty rewards, which are detailed below.

5. The sums below represent the maximum we'll pay for each severity level. All award amounts are up to our judgment; we try to be fair.

Critical severity vulnerabilities ($200): Vulnerabilities that allow remote code execution, money theft, and privilege escalation on the platform from unprivileged to admin.


Examples include: vertical authentication bypass, remote shell/command execution, SQL injection that discloses targeted data, remote code execution, and obtaining complete account access.

High severity vulnerabilities ($100): Flaws that compromise the platform's security and the processes it supports.

Examples include: lateral authentication bypass, disclosure of sensitive corporate information, stored XSS for another user, local file inclusion, and insecure processing of authentication cookies.

Moderate severity vulnerabilities ($50): Vulnerabilities that affect multiple users and need minimal or no user interaction.

Examples include: common logic design errors and operational issues, and insecure direct object references.

Low severity vulnerabilities: Problems that only impact one user and need interaction or significant preconditions (MITM) to manifest.

Examples include: open redirect, reflected XSS, and low-sensitivity information leaks.

Please feel free to contact us if you have any queries.

Contact us at

☎ Phone: +1 (781) 763-7542