At Boozt we take security seriously, we want our customers not to only have great shopping experience but also feel and know they are safe.
But nobody's perfect and top-notch security online is possible only with everyone's help.

If you think you found a security vulnerability within our systems we ask you to give us reasonable amount of time to fix before publicly disclosing it. Also please follow the guidelines below on scope and (non-)qualifying vulnerabilities.

Scope

• www.boozt.com __
• m.boozt.com
• *.booztx.com
• www.booztlet.com __
• Boozt iOS App
• Boozt Android APP

!! If the same vulnerability can be found over different domains - www.boozt.com __/ www.booztlet.com __- it's counted as one. It's one system with only UI & Domain that is different so most of the time vulnerabilities are shared and we will attribute it to original report even though domain does not match.

Rules

• Follow the HackerOne Vulnerability Disclosure Guidelines
• Do not access or modify other users' private data
• Do not DDoS
• Do not use automated tools or scanners
• Do not move beyond "proof of concept" repro steps for server-side execution issues.

Qualifying vulnerabilities

Focus is on vulnerability that could expose private user data or in any other way affect user or Boozt data security. Very good and severe vulnerability examples are SQL injection, server-side code exection, XSS.

Non-qualifying vulnerabilities
These are vulnerabilities that we are aware of and are accepted risk or are already on the roadmap to being fixed.

• Missing CSRF tokens on forms (we are reviewing this internally and addressing all known cases.)
• Any reports on CSRF issues regarding adding/remove cart items, favorites, recent items, etc will be marked as Not Applicable. Also any reports on login/logout CSRF issues. We are aware of these cases and there is no need to report them.
• Sessions not being invalidated when a best practice says so
• Sessions being hijacked because of HTTP
• Reports from automated tools or scans
• Rate limitations (e.g. reset password, login, etc). Also includes BruteForce / DDoS reports.
• Phishing
• Clickjacking (or any other security issue achieved through using Clickjacking)
• Non-secure FTP connections
• Missing http security headers
• Full-Path Disclosure
• Non-usage of HTTPS on specific parts of the site (we have a plan for the fixes in the roadmap already) - this includes links to other sites/domains
• HTTPS Caching issues
• Reports of insecure SSL/TLS ciphers
• BREACH, CRIME reports
• Version number information disclosure
• User enumeration
• HTTP Public-Key-Pins (HPKP)
• Reports of insecure crossdomain.xml configuration
• Social engineering of Boozt staff
• Issues on services not under Boozt control
• Spam techniques, including SPF and DKIM issues
• Code Obfuscation in Mobile Apps
• Issues relating to Password Policy
• Best practices concerns (evidence of a security issue required)
• Race conditions that don't compromise the security of Boozt or our customers

Thanks
We will act as fast as possible to all responsible disclosures to fix them. In addition we will determine on our discretion if the report qualifies for bounty and amount depending on the severity of the report.
Our security bug bounty reward budget is between 50$ and 500$, lowest being minor security issues and highest being severe bugs like SQL injection or remote code execution.
Please consider that we are trying bug bounty program first time and it is in very early stages. Because of this we currently do not agree to publicly disclose any reports.