Alert Us to Security Issues

Security Vulnerability Reporting

If you have discovered a security vulnerability on The Pet Shop, we encourage you to contact us immediately. We carefully review all legitimate vulnerability reports and will work diligently to resolve the issue as quickly as possible. Please review this document, which covers our principles, bounty program, reward guidelines, and what should not be reported, before submitting your report.

Fundamentals

When reporting a security issue to The Pet Shop, please follow these principles to ensure we can address your concern effectively and safely:

  1. Give us adequate time to review and resolve the issue before sharing information about it publicly or with others.

  2. Do not interact with private accounts unless you have explicit consent from the account owner to do so.

  3. Make every effort to avoid privacy violations and disruptions to other users, including avoiding data destruction or service degradation.

  4. Do not exploit any vulnerability you discover beyond the minimum needed to demonstrate it. In particular, do not access or exfiltrate sensitive company data, and do not use a vulnerability as a foothold to search for further vulnerabilities.

  5. Do not violate any applicable laws or regulations during your research.

Bounty Program

We recognize and reward security researchers who help us improve security by reporting vulnerabilities in our services. Bounty rewards are based on the severity of the issue, the demonstrated risk, and the impact, among other factors. To qualify for a bounty, you must:

  • Follow the Fundamentals (listed above).

  • Report a security vulnerability that poses a security or privacy risk to our services (some bugs may not qualify as security issues based on our assessment).

  • Submit your report via our Security Center (please avoid contacting employees directly).

If you inadvertently cause a privacy violation or disruption (such as accessing sensitive data or service configurations), include this information in your report.

We prioritize and review all valid reports; response times vary depending on the volume of reports and the severity of the issues.

Rewards

The reward amount will be based on the severity and impact of the vulnerability discovered. The program is regularly updated, and feedback is appreciated to help improve it. To be eligible for a bounty:

  • Submit detailed reports with clear, reproducible steps. Incomplete reports may not be eligible for a reward.

  • Only the first report of a given vulnerability is rewarded; later duplicate reports are not.

  • Multiple findings that share a single root cause are rewarded as one report.

Bounty Amounts

The following outlines the maximum rewards per severity level:

  • Critical Severity Vulnerabilities (£200)
    Issues that allow privilege escalation or remote code execution, or that cause significant data exposure. Example vulnerabilities:

    • Remote Code Execution

    • Vertical access control bypass (privilege escalation to a higher-privileged role)

    • SQL Injection with demonstrated data exposure

    • Full account takeover

  • High Severity Vulnerabilities (£100)
    Vulnerabilities that significantly affect the security of the platform or its users. Examples include:

    • Horizontal (lateral) access control bypass (accessing another user's account or data)

    • Leakage of sensitive internal company information

    • Cross-Site Scripting (XSS) that affects other users (reflected XSS is rated Low; see below)

    • Local File Inclusion

  • Medium Severity Vulnerabilities (£50)
    Vulnerabilities that affect multiple users and require minimal user interaction. Examples include:

    • Logic flaws or business process defects

    • Insecure Direct Object References (IDOR)

    • Sensitive data exposure without authentication

  • Low Severity Vulnerabilities
    Issues that only affect individual users and require specific user interaction. Examples include:

    • Open Redirects

    • Reflected XSS

    • Low-sensitivity data leaks

We reserve the right to publish reports once the vulnerability has been resolved.