Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
Security Contact | logo
Hall of Fame

Security Contact |

Security Contact

We are intensely focused on keeping our customers’ data safe and secure here at FoxyCart. Any input that helps us better serve and protect our customers is welcome.

Reporting a security concern

We maintain a security & bug disclosure program through HackerOne. Please click here to go to our HackerOne page. (Note that at present, the program may require a HackerOne login or invitation. You may also view our BugCrowd program page to see some of our known issues.) To see the terms of the program and participate, go to HackerOne and sign up as a tester. You will need to accept the Foxy terms of service to engage in testing. If you have identified a vulnerability, please report it via HackerOne.

If you cannot submit via HackerOne, we also will accept email to (using our public key and encrypting with PGP/GPG if possible), but we prefer submissions via HackerOne, and do not provide bounties directly except for critical reports.

Please do not use automated scanners or aggressive scripts in your testing.

Known Issues

Please see our BugCrowd page for the complete list.

A Note about CSRF

If you report a CSRF vulnerability and your proof-of-concept includes the CSRF token , we will assume you don't understand CSRF, and we will not spend any time on your report. We respect your time and efforts, and we ask you respect ours as well by learning about CSRF before you report on it.

Out of Scope: Other * Domains

FoxyCart customer sites and applications are out of scope for this program.

Vulnerabilities found at the following subdomains will be passed along to the vendors/creators, and may be eligible for kudos (via BugCrowd), but no cash rewards. Please don't report issues with account login, SSL, CSRF, clickjacking, or any of the above noted known issues. For issues with the system and not our implementation, please report directly to the company responsible for it.

Tracking security issues

Have a security issue that you think affects FoxyCart stores? Please let us know. We track multiple security lists and watch for issues that affect our infrastructure. Once we are aware of an issue, here’s how we handle it:

  • We immediately patch and repair of any affected software or infrastructure.
  • We review our internal policies and procedures to understand how the issue arose.
  • We give full disclosure to our customers, crediting the person or team that discovered the issue and detailing our measures to resolve any impact and prevent any future recurrence.

Security is a major focus for us

We work with many security consultants in order to assure our continued compliance with PCI DSS, and most importantly, the continued security and integrity of all of our systems.

Thanks for working with us

We appreciate your time and skill in finding security vulnerabilities as well as the professional courtesy of taking the time to contact us.

*Occasionally we receive reports that are valid only in theory or for educational purposes. We cannot promise our full attention in situations like this. Thanks for understanding.

Hall of Fame

We appreciate the security professionals who have responsibly disclosed (via BugCrowd potential issues to us. For clarification, we split this list between vulnerabilities found in our own systems (, and vulnerabilities in 3rd party systems we use (,,,,,, etc.).

Our current and historical Hall of Fames are:

Prior to using BugCrowd, we maintained the below list, which is sorted from oldest (at the top) to newest (at the bottom). Please note that the below list will not be updated.

Archived Hall of Fame

FoxyCart Application Disclosures

3rd Party System Disclosures

This program crawled on the 2015-06-30 is sorted as bounty.

FireBounty © 2015-2019

Legal notices