If you discover a security vulnerability on MyHero WearsRed Store, we encourage you to contact us immediately. We will carefully review all legitimate vulnerability reports and make every effort to promptly address the issue. Before submitting a report, please familiarize yourself with the information provided in this document, which includes important details about our fundamentals, bounty program, reward guidelines, and what should not be reported.
By following the principles outlined below when reporting a security issue to MyHero WearsRed Store, we assure you that we will not initiate legal action or enforcement investigations against you in response to your report.
We kindly request that:
- Allow us a reasonable amount of time to review and fix any vulnerability you report before disclosing or sharing the information publicly.
- Do not interact with a private account, including accessing or modifying account data, unless the account owner has given explicit consent.
- Make a good faith effort to avoid privacy violations and disruptions to others, including avoiding the destruction of data and interruptions or degradation of our services.
- Do not exploit a security issue you discover for any purpose, such as attempting to compromise sensitive company data or seeking additional vulnerabilities.
- Do not violate any applicable laws or regulations.
We acknowledge and appreciate the contribution of security researchers who help us maintain the safety of our services. Monetary rewards for vulnerability reports are solely at the discretion of MyHero WearsRed Store and are based on factors such as risk and impact. To potentially qualify for a bounty, you must meet the following requirements:
- Adhere to our fundamentals (as mentioned above).
- Report a security bug by identifying a vulnerability in our services or infrastructure that poses a security or privacy risk. Please note that MyHero WearsRed Store has the final determination on the severity of an issue, and not all bugs may be classified as security issues.
- Submit your report through our security center and avoid contacting individual employees.
- If you accidentally cause a privacy violation or disruption while investigating a vulnerability (such as accessing account data or confidential information), please disclose this in your report.
- We thoroughly investigate and respond to all valid reports. However, due to the volume of reports we receive, the evaluation process may take some time before you receive a response.
- We reserve the right to publish reports.
Our rewards are based on the impact of the vulnerability. We continually update our program based on feedback, so we appreciate any suggestions for improvement.
Please keep the following in mind:
- Provide detailed reports with reproducible steps. Reports that lack sufficient detail to reproduce the issue may not be eligible for a bounty.
- In case of duplicate reports, we will reward the first report that we can fully reproduce.
- Multiple vulnerabilities caused by the same underlying issue will be eligible for a single bounty.
- Bounty rewards are determined based on various factors, including impact, ease of exploitation, and the quality of the report. The specific bounty reward amounts are listed below.
- The listed amounts represent the maximum reward per severity level. We strive to be fair, and all reward amounts are at our discretion.
- Critical-severity vulnerabilities ($200): These include vulnerabilities that lead to privilege escalation, remote code execution, financial theft, etc.
- High-severity vulnerabilities ($100): These encompass vulnerabilities impacting the platform’s security and supporting processes.
- Medium-severity vulnerabilities ($50): These are vulnerabilities that affect multiple users and require minimal or no user interaction to trigger.
- Low-severity vulnerabilities: These are issues that affect individual users and require specific interactions or significant prerequisites to trigger, such as MITM attacks.
For customer support, please contact us at firstname.lastname@example.org.