ShipHero Bug Bounty Program

Guidelines for Responsible Disclosure

Overview

At ShipHero, the security of our users' data and communication is our top priority. We are committed to maintaining the highest standards of security and welcome contributions from security researchers to help us achieve this goal. Through our Bug Bounty Program, we encourage the responsible reporting of vulnerabilities in our systems.

We value the efforts of security researchers and offer rewards for valid, high-quality reports that help us improve our platform’s security. By participating in this program, you agree to abide by the rules and guidelines outlined below.

Scope

We are interested in vulnerabilities that impact the security of ShipHero’s core services and customer data. Below is a list of in-scope and out-of-scope assets and vulnerability types.

In-scope Assets

  • Domains:

    • *.shiphero.com

    • *.lvk.com

    • *.shipsfor.us

  • Vulnerability Types:

    • Authentication flaws

    • Circumvention of our Platform/Privacy permissions model

    • Cross-site scripting (XSS)

    • Cross-site request forgery (CSRF/XSRF)

    • Server-side code execution

Out-of-Scope Assets

Theoretical vulnerabilities that require unlikely user interaction or circumstances. For example:

  • Vulnerabilities only affecting users of unsupported or end-of-life browsers or operating systems

  • Broken link hijacking

  • Tabnabbing

  • Content spoofing and text injection issues

  • Attacks requiring physical access to a device (unless explicitly in scope)

  • Self-exploitation, such as self-XSS or self-DoS (unless it can be used to attack a different account)

Theoretical vulnerabilities that do not demonstrate real-world security impact. For example:

  • Clickjacking on pages with no sensitive actions

  • Cross-Site Request Forgery (CSRF) on forms with no sensitive actions (e.g., Logout)

  • Permissive CORS configurations without demonstrated security impact

  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)

  • Comma Separated Values (CSV) injection

  • Open redirects (unless you can demonstrate additional security impact)

Optional security hardening steps / Missing best practices. For example:

  • SSL/TLS Configurations

  • Lack of SSL Pinning

  • Lack of jailbreak detection in mobile apps

  • Cookie handling (e.g., missing HttpOnly/Secure flags)

  • Content-Security-Policy configuration opinions

  • Optional email security features (e.g., SPF/DKIM/DMARC configurations)

  • Most issues related to rate limiting

Vulnerabilities that may require hazardous testing. This type of testing must never be attempted unless explicitly authorized:

  • Issues relating to excessive traffic/requests (e.g., DoS, DDoS)

  • Any other issues where testing may affect the availability of systems

  • Social engineering attacks (e.g., phishing, opening support requests)

  • Attacks that are noisy to users or admins (e.g., spamming notifications or forms)

  • Attacks against physical facilities

Reports related to WordPress vulnerabilities are also out of scope.

Rules of Engagement

To ensure a safe and productive environment for testing, please adhere to the following rules:

Allowed Actions

  • Test only on accounts or data that you own or have explicit permission to access.

  • Use non-disruptive scanning techniques to avoid degrading service for other users.

  • Follow the guidelines outlined in our Terms of Service.

Prohibited Actions

  • Do not access, modify, or delete data that does not belong to you.

  • Do not perform Denial of Service (DoS) testing or any activity that could disrupt our services.

  • Do not publicly disclose vulnerabilities before they are resolved.

  • Do not engage in social engineering, phishing, or physical attacks against ShipHero or its employees.

We encourage clear, detailed, and actionable reports to help us quickly understand and resolve vulnerabilities.

Vulnerability Reporting

How to Submit a Report

  • Submit your findings via infosec@shiphero.com

  • Include a detailed description of the vulnerability, steps to reproduce, and any relevant proof of concept (e.g., code, screenshots, or videos).

Required Information

  • Steps to Reproduce: Clear and concise steps to replicate the issue.

  • Impact Analysis: Explanation of the potential security impact.

  • Environment Details: Information about the testing environment (e.g., browser, OS, device).

Communication Guidelines

  • Do not disclose the vulnerability to others before it is resolved.

  • Allow ShipHero a reasonable amount of time to address the issue before sharing details publicly.

Reward Guidelines

We offer rewards for valid vulnerabilities based on their severity and impact. Below are the general rules and reward ranges for our program.

General Rules

  • Only one bounty will be awarded per vulnerability.

  • If multiple reports are submitted for the same issue, only the first valid report will be rewarded.

  • Rewards are determined at ShipHero’s discretion and are based on severity, impact, and report quality.

  • Reward amounts are final and non-negotiable.

Eligibility

  • You must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan, Syria).

  • ShipHero reserves the right to cancel or modify the program at any time.

Legal and Compliance

By participating in this program, you agree to the following terms:

Program Modifications

  • ShipHero reserves the right to modify or cancel the program at any time.

  • The decision to award a bounty is at ShipHero’s sole discretion.

Tax Implications

  • You are responsible for any tax implications related to bounty payments, depending on your country of residence.

Responsible Disclosure

Security of user data and communication is of utmost importance to ShipHero. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in ShipHero. Principles of responsible disclosure include, but are not limited to:

  • Accessing or exposing only customer data that is your own.

  • Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g., by overloading the site).

  • Keeping within the guidelines of our Terms of Service.

  • Keeping details of vulnerabilities secret until ShipHero has been notified and had a reasonable amount of time to fix the vulnerability.

In order to be eligible for a bounty, your submission must be accepted as valid by ShipHero. We use the following guidelines to determine the validity of submissions and the reward compensation offered.