Security Escalation

If you think you have discovered a security issue with, please contact You can encrypt any messages you send to this email address with OpenPGP using the public key at the end of this post.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to Selz we will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We ask that:
  • You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
  • You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  • You do not violate any other applicable laws or regulations.

Bug Bounty

We reward security researchers who help us keep people safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at our discretion and are based on factors such as importance and impact.
To potentially qualify for a bounty, you first need to meet the following requirements:
  • Adhere to our Responsible Disclosure Policy (see above).
  • Report a security bug: that is, identify a vulnerability in our services or infrastructure which creates a security or privacy risk.
  • Submit your report by sending it to Please do not contact employees directly or through other channels about a report.
  • If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating an issue, be sure to disclose this in your report.
  • Use test accounts when investigating issues.
  • If we pay a bounty, it will be between $10 and $60, depending on the importance of the report.
  • We seek to pay similar amounts for similar issues, but bounty amounts and qualifying issues may change with time. Past rewards do not necessarily guarantee similar results in the future.
  • In the event of duplicate reports, we award a bounty to the first person to submit an issue.
  • We reserve the right to publish reports and accompanying updates.

Bounty Ineligible Issues

We will not consider bug bounty submissions in areas of functionality where the user intentionally enables the JS opt-in feature and includes arbitrary HTML or JavaScript of their choosing:

  • XSS (or a behavior) where you can only attack yourself
  • XSS - Storefront - Any issue where a store administrator is able to insert JavaScript in the storefront area of their own store.
  • XSS on pages where admins are intentionally given full HTML editing capabilities, such as custom theme editing

We will not consider bug bounty submissions for the following areas:

  • Brute-force/Rate-limiting/Velocity throttling, and other denial of service based issues.
  • Login/Logout CSRF
  • Clickjacking.
  • Content spoofing issues without branding CSS.
  • Cookie flags.
  • Covert Redirects.
  • Issues where the fix only requires a text change.
  • Malicious attachments on file uploads or attachments.
  • Missing additional security controls, such as HSTS or CSP headers
  • Mobile issues that require a rooted or jailbroken device.
  • Password recovery policies, such as reset link expiration or password complexity
  • Reflected File Download (this may be rewarded in the future, but is currently out of scope)
  • SPF, DKIM, DMARC issues.

Bug bounty program scope

  • DoS attacks, phishing, and social engineering are out of scope
  • Note that services not owned by Selz (e.g. WordPress and Unbounce) are not eligible under our bug bounty program. While we often care about vulnerabilities affecting services we use, we cannot guarantee our disclosure policies apply to services from other companies. 
  • The following domains,,, are out of scope.
In no event are you permitted to access, download or modify data residing in any other Account, or one that is not registered to you.

You are also prohibited from:

  • Executing or attempting to execute any "Denial of Service" attack.
  • Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
  • Attempting to social engineer support staff.
  • Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
  • Testing in a manner that would degrade the operation of the Service.
  • Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
  • Testing third-party applications or websites or services that integrate with or link to the Service.
Thank you for helping keep and our users safe!