Protecting user and personal identifiable information is of highest importance to Sendcloud. Part of this effort is our Bug Bounty Program. We welcome you to disclose any vulnerability you find to Sendcloud.
How it Works
Our Bug Bounty program is hosted privately on HackerOne.
To participate:
- Send your valid vulnerability report to [email protected].
- If the report meets our eligibility criteria, we will invite you to our private HackerOne program to continue the process.
Rules of Engagement
- Only test with accounts you create using your HackerOne-registered @wearehackerone.com email address.
- Only interact with accounts you own.
- Cancel any shipping labels you create during testing to avoid charges.
- Only use the free version or a trial subscription, and cancel trials before they convert to paid.
- Do not attempt denial-of-service, social engineering, or use automated scanners.
- Respect privacy – avoid accessing, modifying, or deleting customer data.
What We’re Looking For
We’re especially interested in vulnerabilities that could:
- Expose or compromise customer data
- Lead to account takeover
- Allow unauthorized access to sensitive operations
- Impact webshop or carrier integrations
What’s Out of Scope
Some systems and vulnerabilities are excluded, including:
- Marketing websites (e.g., sendcloud.com and its .es, .nl, .de, and .co.uk equivalents) – except for critical issues such as subdomain takeover, open redirect with demonstrable impact, or sensitive data exposure
- Third-party systems (e.g., carrier platforms, Zendesk, Atlassian portals)
- Low-severity issues such as missing security headers, TLS configuration best-practice findings, version disclosures, or clickjacking without sensitive impact
- Social engineering attacks, denial-of-service, or brute force attacks
For a full list of exclusions, you’ll find the details in our private HackerOne program once invited.
Rewards
Rewards are based on the severity of the issue (using CVSS as a guideline). Final reward amounts are at the discretion of the Sendcloud Bug Bounty team. Only valid reports against in-scope assets are eligible.
Safe Harbor
Any testing conducted in line with this policy is considered authorized. We will not pursue legal action against researchers who act in good faith and follow the rules.
Ready to report a vulnerability?
Send your valid report to [email protected].
If accepted, we’ll invite you to our private HackerOne program to proceed.