At Boozt we take security seriously. We want our customers not only to have
a great shopping experience but also to feel and know that they are safe.
But nobody's perfect and top-notch security online is possible only with everyone's help.
If you think you have found a security vulnerability within our systems, we ask you to give us a reasonable amount of time to fix it before publicly disclosing it. Please also follow the guidelines below on scope and (non-)qualifying vulnerabilities.
!! If the same vulnerability can be found on different domains (www.boozt.com / www.booztlet.com), it is counted as one. It is one system in which only the UI and domain differ, so most of the time vulnerabilities are shared, and we will attribute the vulnerability to the original report even if the domain does not match.
The focus is on vulnerabilities that could expose private user data or in any other way affect user or Boozt data security. Very good examples of severe vulnerabilities are SQL injection, server-side code execution and XSS.
These are vulnerabilities that we are aware of and that are either an accepted risk or already on the roadmap to be fixed.
We will act as fast as possible on all responsible disclosures to fix the reported issues. In addition, we will determine at our discretion whether a report qualifies for a bounty, and the amount, depending on the severity of the report.
Our security bug bounty reward budget is between 50$ and 500$, the lowest being for minor security issues and the highest for severe bugs like SQL injection or remote code execution.
Please consider that we are trying a bug bounty program for the first time and that it is in its very early stages. Because of this, we currently do not agree to publicly disclose any reports.