Vulnerability Reporting Program

Applications in Scope

We are interested in identifying and addressing critical vulnerabilities in our infrastructure. Specifically, we focus on issues that could substantially impact the confidentiality, integrity, or availability of user data.

While we welcome all reports, not every finding will qualify for a reward. The decision to offer a reward will be at the discretion of the security team, based on the severity and impact of the reported vulnerability.

Important:

  • Avoid Denial-of-Service (DoS) attacks, spam, or any activity that could disrupt our systems or degrade service availability.
  • Refrain from using tools that generate excessive traffic during testing.

Eligibility and Responsible Disclosure

To ensure the security and privacy of our users, please adhere to the following guidelines:

  1. Report the Vulnerability: Share the technical details with us, including the exact domain and steps to reproduce the issue.
  2. Avoid Automated Scanning Tools: Do not spam our applications with automated vulnerability scanners.
  3. Do Not Make Public Disclosures: Give us adequate time to respond and address the issue before discussing it publicly.
  4. Do Not Modify User Data: You must not alter, save, transfer, or interact with data that does not belong to you.
  5. Respect Privacy: Avoid violating privacy rights, destroying data, or disrupting our services.
  6. Follow Legal and Ethical Guidelines: Testing must comply with applicable laws and must not intentionally disrupt other users or systems.

Timelines for Reporting and Resolution

  1. Acknowledgment of Report:
    • Timeline: Within 2 business days.
    • We will confirm receipt of your report and may request additional details if necessary.
  2. Initial Triage:
    • Timeline: Within 5 business days.
    • Our team will evaluate the severity, scope, and validity of the reported issue.
  3. Verification and Analysis:
    • Timeline: Within 10 business days.
    • The vulnerability will be reproduced and analyzed to confirm its impact.
  4. Remediation or Mitigation:
    • Timeline: Within 30 business days, depending on the complexity.
    • We will prioritize fixing the vulnerability and deploy any necessary patches or mitigations.
  5. Reward Decision:
    • Timeline: Within 15 business days after resolution.
    • If applicable, we will inform you of your eligibility for a reward. Reward decisions are based on the severity and impact of the vulnerability.
  6. Public Disclosure (Optional):
    • Timeline: After mutual agreement, or after the issue is resolved (no earlier than 90 days).
    • Public disclosure can only occur after we provide explicit approval and after the issue is resolved.

Out-of-Scope Vulnerabilities

The following reports are out of scope:

  • Weak password policies or lack of email/account verification.
  • Reports from automated tools without clear analysis.
  • Spam-related vulnerabilities or excessive email rates.
  • Issues affecting outdated browsers or platforms no longer supported by their vendors.
  • Well-known exploits.

How to Report Vulnerabilities to Us

When reporting a vulnerability:

  1. Include the exact domain and detailed reproduction steps.
  2. Clearly outline the potential impact of the vulnerability.

Contact Email: security@anafore.com

Our security team is committed to maintaining open communication and resolving issues promptly. Thank you for helping us improve the safety and reliability of our systems.

Effective as of November 18, 2024