Bug Bounty Program

Learn how to report issues and vulnerabilities to the Sellix Bug Bounty program

Written by Daniele
Updated over 6 months ago

Welcome to Sellix's Bug Bounty Program

Our goal is to ensure the security of our services, and we appreciate the contribution of every hacker who helps us in this mission. We reward experts who find and report vulnerabilities in our systems.

Guidelines

Activities that cause damage to our systems or users, or that violate user data privacy, will not be tolerated. Therefore, analyzing accounts that do not belong to you is strictly prohibited.

Any activity that does not respect our Vulnerability Policy or provides information on vulnerabilities considered "Out of Scope" is strictly forbidden.

Report Requirements

For a report to be eligible for a reward, it must include the following information:

  • Description of the Vulnerability: A detailed description of the identified vulnerability and the technical/economic damage it could cause if exploited.

  • Proof of Concept: A detailed, step-by-step explanation of how the vulnerability can be identified and how it could be exploited.

  • Solution/Mitigation: A detailed, step-by-step explanation of how the vulnerability can be corrected or mitigated.

Out of Scope

The following types of issues are considered out of scope and may not qualify for a reward:

  • Clickjacking on pages without sensitive functionality.

  • Self-XSS (Cross-Site Scripting involving user actions).

  • Reports of missing or misconfigured Content Security Policy (CSP) unless a significant impact can be demonstrated.

  • Low-impact information disclosures without concrete consequences (e.g., banner grabbing).

  • Vulnerabilities requiring physical interaction with the victim (e.g., physical device theft, in-person phishing) and social engineering attacks targeting Sellix employees or partners.

  • Automated scan tool results or reports generated by automatic tools without further verification or proof of real impact.

  • Issues related to outdated or unsupported browsers, platforms, or operating systems.

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

  • Vulnerabilities stemming from third-party applications unless due to misconfigurations by Sellix.

  • Reports on general security practices without practical impact (e.g., missing HTTP Strict Transport Security).

  • Password management issues such as lack of complexity checks or failed login attempt limits.

  • "Missing Rate Limiting" vulnerabilities without demonstrable real impact.

  • Reports on spam or unsolicited emails without exploitability.

  • Issues related to DNSSEC (Domain Name System Security Extensions) unless directly impacting the security of the main domain.

  • Brute force attacks.

  • Reports on credential/API key leaks without real impact.

  • Any attack that intentionally harms Sellix users.

  • Reports on best practices without practical impact or potential for escalation (e.g., error pages, DMARC, SPF, DNSSEC, mixed content SSL).

  • Attacks that rely on inserting code into one's own shop and having it execute in a visitor's browser (e.g., XSS) without real impact on the application or significant user harm. Reports must describe a realistic attack scenario that compromises sensitive data or significantly alters the functionality of Sellix applications.

By participating in our Bug Bounty Program, you help us enhance the security and reliability of our services. We value your contributions and look forward to working with you to make Sellix safer for everyone.

Official page and reporting

You can use the button below to be redirected to our official bug bounty program, managed by a third party.

Other information

If you need help for more urgent or important issues, please email admin@sellix.io.
