Security Escalation

If you think you have discovered a security issue with Selz.com, please contact security@selz.com. You can encrypt any messages you send to this email address with OpenPGP using the public key at the end of this post.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to Selz, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We ask that:
  • You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
  • You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  • You do not violate any other applicable laws or regulations.

Bug Bounty

We reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at our discretion and are based on factors such as importance and impact.
To potentially qualify for a bounty, you first need to meet the following requirements:
  • Adhere to our Responsible Disclosure Policy (see above).
  • Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.
  • Submit your report by sending it to security@selz.com. Please do not contact employees directly or through other channels about a report.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.
  • Use test accounts when investigating issues.
  • If we pay a bounty, it will be between $10 and $60, depending on the importance of the report.
  • We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
  • In the event of duplicate reports, we award a bounty to the first person to submit an issue.
  • We reserve the right to publish reports and accompanying updates.

Bounty Ineligible Issues

The following items are known issues or accepted risks where we will not reward you:
  • Brute-force / Rate-limiting / Velocity throttling, and other denial-of-service-based issues.
  • Clickjacking.
  • Content spoofing issues without branding CSS.
  • Cookie flags.
  • Covert Redirects.
  • Issues where the fix only requires a text change.
  • Login/Logout CSRF
  • Malicious attachments on file uploads or attachments.
  • Missing additional security controls, such as HSTS or CSP headers
  • Mobile issues that require a Rooted or Jailbroken device.
  • Password recovery policies, such as reset link expiration or password complexity
  • Reflected File Download (this may be rewarded in the future, but is currently out of scope)
  • SPF, DKIM, DMARC issues.
  • XSS (or a behavior) where you can only attack yourself
  • XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing

Bug bounty program scope

  • DoS attacks, phishing, and social engineering are out of scope
  • Note that services not owned by Selz (e.g. WordPress and Unbounce) are not eligible under our bug bounty program. While we often care about vulnerabilities affecting services we use, we cannot guarantee our disclosure policies apply to services from other companies. 
  • The following domains are out of scope: founderu.selz.com, affiliate.selz.com, start.selz.com, developers.selz.com, api.selz.com.
In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you.

You are also prohibited from:

  • Executing or attempting to execute any "Denial of Service" attack.
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
  • Attempting to social engineer support staff.
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
  • Testing in a manner that would degrade the operation of the Service.
  • Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
  • Testing third-party applications or websites or services that integrate with or link to the Service.
Thank you for helping keep Selz.com and our users safe!
