SHEIN looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
SHEIN will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 5 days |
We’ll try to keep you informed about our progress throughout the process.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
Researchers are free to set up accounts for testing but please note that testing should be limited to the accounts you own. We also highly encourage you to register an account with your HackerOne Email alias [H1username@wearehackerone.com].
Please note that *.shein.com and *.romwe.com (inclusive of each domain's localised sites listed in the scope section) share overlapping backend development. This means that a vulnerability found on a *.shein.com endpoint may also be present on the corresponding *.romwe.com endpoint. In such cases, the second report of the same vulnerability against the other asset will be eligible for 25% of the original bounty.
This guideline also applies to the SHEIN and ROMWE mobile apps (both the iOS and Android apps). For example, the SHEIN iOS app shares backend development with the ROMWE iOS app, and the SHEIN Android app shares backend development with the ROMWE Android app. We will only apply this guideline if both reports describe the exact same issue.
Please read the example scenario below for how we determine whether two reports are cross-host occurrences of the same vulnerability.
Example Scenario:
Report A, submitted for *.shein.com with Vulnerability X, receives a $400 bounty.
Subsequently, Report B is submitted for *.romwe.com with the same Vulnerability X. Report B will be awarded $100 (25% of the original bounty for Vulnerability X).
Conditions and other terms:
Both reports do not have to come from the same researcher.
Both reports will be marked as triaged.
When the same vulnerability occurs on both hosts, the first valid report submitted (for either host) will receive the original bounty amount.
If the program later receives a report against the other host, it will be escalated to the SHEIN team for internal validation to confirm whether it is the exact same vulnerability.
In the case that the 2 reports are distinct unique vulnerabilities, the second report will be treated as a separate report and awarded accordingly.
Duplicate reports received thereafter will be treated as such.
The following issue types are out of scope or not eligible for a bounty unless otherwise noted:
Reflected Cross-site Scripting (XSS)
DOM Cross-site Scripting (XSS)
Domain names belonging to SHEIN whose DNS records were not removed in time and therefore still resolve to other services (dangling DNS records).
Domain names belonging to SHEIN that resolve to third-party hosted services.
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
HTML Injection.
Rate limiting or brute-force issues, unless the target is a passcode or token with insufficient entropy that is neither rate-limited nor invalidated after repeated failures (e.g. a 6-digit passcode that can be guessed without limit).
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
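The one brute-force case the list above keeps in scope is a short passcode that is neither rate-limited nor invalidated. The following constructed example (added here for illustration; it is not SHEIN's or HackerOne's code) shows why a 6-digit code is only as strong as the attempt limit around it: the same sequential guesser recovers an unprotected code in at most 1,000,000 tries, while a token that invalidates itself after five failures stops the attack immediately. The `PasscodeToken` class, its `max_attempts` parameter and the fixed code `483921` used for the deterministic demonstration are assumptions of this example, not anything described on the page.

```python
import hmac
import secrets

CODE_SPACE = 1_000_000  # a 6-digit numeric passcode has only 10^6 possible values


class PasscodeToken:
    """A single-use 6-digit passcode (e.g. for a password reset), constructed for this example.

    With max_attempts=None the token never locks, which is the brute-forceable
    situation the policy above keeps in scope.
    """

    def __init__(self, code=None, max_attempts=5):
        # A fixed code may be supplied to make a demonstration deterministic.
        self.code = code if code is not None else f"{secrets.randbelow(CODE_SPACE):06d}"
        self.max_attempts = max_attempts
        self.attempts = 0
        self.valid = True

    def verify(self, guess):
        """Return True only for the correct code on a still-valid token."""
        if not self.valid:
            return False
        self.attempts += 1
        if hmac.compare_digest(self.code, guess):
            self.valid = False  # single use: a correct guess consumes the token
            return True
        if self.max_attempts is not None and self.attempts >= self.max_attempts:
            self.valid = False  # invalidate the token after too many failures
        return False


def brute_force(token):
    """Enumerate every 6-digit code in order. Returns (succeeded, attempts_made)."""
    for n in range(CODE_SPACE):
        if token.verify(f"{n:06d}"):
            return True, n + 1
        if not token.valid:
            return False, n + 1  # locked out before the code was reached
    return False, CODE_SPACE


if __name__ == "__main__":
    unprotected = PasscodeToken(code="483921", max_attempts=None)
    print("no attempt limit:", brute_force(unprotected))  # (True, 483922)
    protected = PasscodeToken(code="483921", max_attempts=5)
    print("5-attempt limit:", brute_force(protected))     # (False, 5)
```

In a real report the reproducible evidence is the equivalent of the first run: the endpoint accepting an unbounded number of guesses for the same token. Once a service behaves like the second run (per-token lockout, or equivalently a per-account or per-IP rate limit that makes the 10^6-guess search infeasible), the finding falls back into the excluded "rate limiting or brute-force issues" category.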
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep SHEIN and our users safe!
| Scope Type | Scope Name |
| ------------- | ------------- |
| android_application | com.zzkko |
| android_application | com.romwe |
| ios_application | 878577184 |
| ios_application | 1080248000 |
| web_application | *.shein.com |
| web_application | *.romwe.com |
This program was crawled on 2022-04-01 and is categorised as a bounty program.
FireBounty © 2015-2025