Bold’s Bug Bounty Program
Accordingly, recognizing that we may have missed something, we encourage individual security researchers to analyze our solutions to make them safer for our merchants. Bold’s Bug Bounty Program is our way to reward security researchers for finding serious security vulnerabilities in the In-Scope properties listed below.
If you think you have found a security vulnerability in our solutions, please contact us! We’ll investigate the issue and try to resolve it quickly. Before you report an issue, review this page.
Our team strives to:
- Triage and reply to all reports within a week (where applicable)
- Determine the security impact transparently
- Award bounties within a week of resolution (excluding extenuating circumstances)
- Only close reports as N/A when the issue reported has already been identified by another researcher (known issues), lacks evidence of a vulnerability, or falls under the Out-of-Scope Vulnerabilities
Bug Bounty Program Policy
To protect both Bold and security researchers, we ask you to comply with the following policies:
- Allow reasonable time to investigate and mitigate an issue you report before you publicize any information about the report or share such information with others.
- Avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
- Do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- Do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
- For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.
- By submitting content to Bold, you irrevocably waive all moral rights which you may have in the content.
- All content submitted by you to Bold under this program is licensed under the MIT License.
- You must report any discovered vulnerability to Bold as soon as you have validated the vulnerability.
- Failure to follow any of the foregoing rules will disqualify you from participating in this program.
Bold reserves the right to cancel this program at any time and the decision to pay a bounty is entirely at our discretion. Your testing and submission must not violate any law, or disrupt or compromise any data that is not your own. There may be additional restrictions on your ability to submit content or receive a bounty depending on your local laws.
Bold considers activities conducted consistent with this program to constitute “authorized” conduct under the Computer Fraud and Abuse Act. If legal action is initiated by a third party against you and you have fully complied with this program, Bold will take steps to make it known, either to the public or to the court, that your actions were conducted in compliance with the Bold policy.
Upon Bold’s request, you will execute, acknowledge and deliver such further instruments, and will otherwise cooperate and do all other acts as may be necessary or appropriate in order to perfect or carry out the purpose and intent of these terms.
Bold Bug Bounty Guidelines
Participating in Bold’s Bug Bounty Program requires that you follow our guidelines. Adhere to the following guidelines to be eligible for rewards as part of this program:
- Don’t violate the privacy of other users, destroy data, disrupt our services, etc.
- Since we’re handling many reports and spam impacts our efficiency, don’t request updates on an hourly basis.
- Threatening behaviour of any kind will automatically disqualify you from participating in the program.
- Don’t target, attempt to access, or otherwise disrupt the accounts of other users. All investigative targets must be accounts you own.
- Exploiting or mis-using the vulnerability for own or others benefit will automatically disqualify the report.
- Don’t target our physical security measures, or attempt to use social engineering, spam, or distributed denial of service (DDOS) attacks.
- If you find a severe vulnerability that allows system access, you must not proceed further.
- Disclosing bugs to a party other than Bold is forbidden, all bug reports are to remain at the reporter and Bold’s discretion.
- It’s Bold’s decision to determine when and how bugs should be addressed and fixed.
- Bug disclosure communications with Bold’s Security team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (PoC code, videos, screenshots) after the bug report is closed.
Bold Bug Bounty Scope
The following services and domains are considered in scope: all of Bold’s solution admin consoles and all of Bold’s APIs
Generally speaking, any bug that poses a significant vulnerability to our merchants could be eligible for reward. It’s entirely at Bold’s discretion to decide whether a bug is significant enough to be eligible for reward. Security issues that typically would be eligible include:
- SQL injections
- Code Executions
- Directory Traversal
- Privilege Escalations
- Authentication Bypasses
- Leakage of sensitive data
- Cross-Site Scripting (XSS)
- File inclusions (Local & Remote)
- Cross-Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- Open redirects which allow stealing tokens/secrets
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Administration portals without authentication mechanism
Things that aren’t eligible for reward include:
- Cache Poisoning
- Content spoofing
- Missing SPF records
- Brute force attacks
- Issues that aren’t reproducible
- Lack of rate limiting mechanisms
- Distributed Denial of Service attacks
- Open redirects without a severe impact
- CSRF issues on actions with minimal impact
- Application stack traces (path disclosures, etc.)
- Vulnerabilities that require Man in the Middle (MiTM) attacks
- Theoretical subdomain takeovers with no supporting evidence
- Any exploit that a merchant can intentionally use against themselves
- HSTS not enabled on *.boldcommerce.com or *.boldapps.net websites
- Vulnerabilities affecting outdated or unpatched browsers/operating systems
- Security practices (banner revealing a software version, missing security headers, etc.)
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack, etc.
- Bugs already known to us, or already reported by someone else (reward goes to first reporter)
- Vulnerabilities on sites hosted by third parties unless they lead to a vulnerability on the main websites.
To report an issue: Send an email to [email protected].
Include information about the vulnerability and detailed steps on how to replicate it. The report must pertain to an item explicitly listed under our in-scope vulnerabilities section.
The report should also contain as much detailed information as you can include—ideally, a description of your findings, the steps needed to reproduce the issue, when you discovered the vulnerability and the vulnerable component.