Shopee is participating in the Google Play Security Rewards Program. While we do not have a full disclosure program in place at this time, we are willing to accept reports that qualify for the Google Play Security Rewards Program, specifically those that fall within the scope listed below.
- Automated testing is not permitted.
- Please follow the Disclosure Guidelines found on HackerOne.
- Confine your testing to your own accounts and your own team during the bug investigation process; do not interact with other accounts without the consent of the account owners.
- We will only reward the first person who reports a given bug to us, unless there is good reason to do otherwise (for example, a later report adds significant new information about a bug that was already rewarded).
- We will endeavour to complete the review of your bug report within 30 days from the date of reporting.
- The bug must work on Android 4.4 or later.
We are not offering a monetary bounty at this time.
While researching, we ask you to refrain from:
- Denial of service
- Social engineering (including phishing) of Shopee staff or contractors
- Any physical attempts against Shopee property or data centers
- Low severity or missing best practice issues
- Issues found through automated testing
- Vulnerabilities requiring physical access to the victim's unlocked device
- Spam or Social Engineering techniques, including SPF and DKIM issues
- Version number information disclosure
- Clickjacking on pre-authenticated pages, a missing X-Frame-Options header on its own, or other non-exploitable clickjacking issues. An exploitable clickjacking vulnerability requires (a) a frameable page that is (b) used by an authenticated user and (c) carries a critical state-changing action that can be triggered through the frame (clickjacking/UI redressing).
- Security bugs in software related to an acquisition for a period of 90 days following any public announcement.
- Missing HttpOnly or Secure flags on cookies.
- Login/logout CSRF
- Issues related to networking protocols or industry standards not controlled by Shopee.
- Any non-Shopee software, such as a third-party web server or Java runtime, unless it is a Shopee-modified or Shopee-branded version of that software; any partner sites or mobile game websites and apps not owned by Shopee.
- Any vulnerability found through automated tools or scans, botnets, compromised sites, end clients, or any other means of large-scale automated exploitation, or through a tool that generates a significant volume of traffic. Reports generated by automated tools may be closed without being triaged.
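The clickjacking criterion above is the one exclusion that can be partly decided from evidence you already hold. The following is an added example, not Shopee's or HackerOne's code, that decides condition (a), whether a page is frameable by a third-party origin, from a single response's headers. It honours the precedence of a CSP frame-ancestors directive over X-Frame-Options and treats the obsolete ALLOW-FROM form as no restriction, as current browsers do. The embedder origin, the sample header sets and the helper names are assumptions constructed for this example; conditions (b) and (c) need a logged-in session and a state-changing action and cannot be read off headers.

```python
from urllib.parse import urlsplit

# Added example, not Shopee's code: decide from response headers whether a page
# is frameable by a third-party origin (condition (a) of the exploitable
# clickjacking definition in the exclusions above).

def frame_ancestors_sources(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if
    the policy has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def ancestor_allowed(sources, origin):
    """Match an embedding origin (scheme://host) against frame-ancestors
    sources. Ports and paths are ignored to keep the matcher short."""
    o = urlsplit(origin)
    for src in sources:
        s = src.strip("'").lower()
        if s == "none":
            return False
        if s == "*":
            return True
        if s == "self":
            continue  # a third-party embedder is never the page's own origin
        if s.endswith(":"):  # scheme-source such as https:
            if o.scheme == s[:-1]:
                return True
            continue
        h = urlsplit(s if "://" in s else "//" + s)
        if h.scheme and h.scheme != o.scheme:
            continue
        pattern = h.hostname or ""
        if pattern.startswith("*."):
            if o.hostname and o.hostname.endswith(pattern[1:]):
                return True
        elif pattern == o.hostname:
            return True
    return False

def is_frameable(headers, embedder="https://attacker.example"):
    """True if a page served with these headers can be placed in an iframe on
    `embedder` (an assumed origin). A CSP frame-ancestors directive takes
    precedence over X-Frame-Options; with neither, the page is frameable."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            return ancestor_allowed(sources, embedder)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # No header, the obsolete ALLOW-FROM form, or an unrecognised value:
    # current browsers apply no framing restriction.
    return True

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no-headers": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "csp-overrides-xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
    "csp-partner-only": {"Content-Security-Policy":
                         "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    "csp-without-fa": {"Content-Security-Policy": "default-src 'self'",
                       "X-Frame-Options": "SAMEORIGIN"},
}

def report(samples=SAMPLES, embedder="https://attacker.example"):
    """Map each sample name to whether `embedder` can frame it."""
    return {name: is_frameable(h, embedder) for name, h in samples.items()}

if __name__ == "__main__":
    for name, frameable in report().items():
        print(f"{name:18} frameable={frameable}")
```

The function evaluates headers you already have from one manual response and makes no requests of its own, so using it does not turn a manual test into the automated scanning this program prohibits. A frameable result only satisfies condition (a); a report still needs to show an authenticated page with a critical state-changing action reachable through the frame.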
Your testing must not violate any law, and must not disrupt or compromise any data that is not your own.
We reserve all rights to modify the rules and regulations of this program, including the cancellation of this program, at any time. Our decision will be