If you think you have discovered a security issue with Selz.com, please contact firstname.lastname@example.org. You can encrypt any messages you send to this email address with OpenPGP using the public key at the end of this post.
Responsible Disclosure Policy
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not violate any other applicable laws or regulations.
- Adhere to our Responsible Disclosure Policy (see above).
- Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.
- Submit your report by sending it to email@example.com. Please do not contact employees directly or through other channels about a report.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.
- Use test accounts when investigating issues.
- If we pay a bounty, it will be between $10 and $60, depending on the importance of the report.
- We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
- In the event of duplicate reports, we award a bounty to the first person to submit an issue.
- We reserve the right to publish reports and accompanying updates.
Bounty Ineligible Issues
- XSS (or similar behavior) where you can only attack yourself
- XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing
We will not consider bug bounty submissions for the following areas:
- Brute-force/Rate-limiting/Velocity throttling, and other denial of service based issues.
- Login/Logout CSRF
- Content spoofing issues without branding CSS.
- Cookie flags.
- Covert Redirects.
- Issues where the fix only requires a text change.
- Malicious attachments on file uploads or attachments.
- Missing additional security controls, such as HSTS or CSP headers
- Mobile issues that require a Rooted or Jailbroken device.
- Password recovery policies, such as reset link expiration or password complexity
- Reflected File Download (this may be rewarded in the future, but is currently out of scope)
- SPF, DKIM, DMARC issues.
Bug bounty program scope
- DoS attacks, phishing, and social engineering are out of scope.
- Note that services not owned by Selz (e.g. WordPress and Unbounce) are not eligible under our bug bounty program. While we often care about vulnerabilities affecting services we use, we cannot guarantee our disclosure policies apply to services from other companies.
- The following domains are out of scope: founderu.selz.com, affiliate.selz.com, developer.selz.com, and api.selz.com.
You are also prohibited from:
- Executing or attempting to execute any "Denial of Service" attack.
- Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
- Attempting to social engineer support staff.
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
- Testing in a manner that would degrade the operation of the Service.
- Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
- Testing third-party applications or websites or services that integrate with or link to the Service.