Bug Bounty Program

Protecting user data and personally identifiable information is of the highest importance to Sendcloud. Part of this effort is our Bug Bounty Program. We welcome you to disclose any vulnerability you find to Sendcloud.


If you believe you have found a security issue that meets our definition of a vulnerability, please submit the report to our security team by following the guidelines below.

Act responsibly

The rules of responsible disclosure of vulnerabilities include, but are not limited to:

  • Avoid accessing, exploiting or exposing any customer data other than your own.
  • Avoid any action that may cause a degradation of our services or harm our customers (for example, overloading our systems).
  • Keep details of vulnerabilities secret for at least 60 days after Sendcloud has been notified; based on our research, we may extend this secrecy period.
  • Do not use any social engineering techniques, such as sending phishing emails to Sendcloud’s employees, partners or customers.
  • If methods are used that do not comply with your local law, Dutch law and/or the above-mentioned responsibility rules, law enforcement authorities will be notified.

Our security team assesses whether you’re eligible for a bounty. We use the following guidelines to determine the validity of reports and the reward offered.

Reproducibility

Our security team and engineers must be able to reproduce the reported security flaw. Make sure your report is clearly written and includes all the information we need to reproduce the flaw. Please include:

  • The type of vulnerability
  • If the vulnerability is in one of our web services, the affected URL
  • The potential impact of the vulnerability
  • Step-by-step instructions to reproduce the issue, including any proof-of-concept or exploit code needed to reproduce it

Definition of a Vulnerability

To be eligible for a reward, your report must be considered valid by the Sendcloud security team. Sendcloud’s platform is accessible via the following hosts: panel.sendcloud.{com, nl, sc} and servicepoints.sendcloud.com.

Examples of Non-Qualifying Vulnerabilities

  • Denial of Service (DoS) vulnerabilities
  • Mixed-content scripts and insecure cookies outside of our platform
  • Social engineering attacks against Sendcloud Support
  • Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves susceptible
  • Unconfirmed/unverified reports from vulnerability scanners
  • Reports exploiting the behavior of, or vulnerabilities in, outdated browsers

Rewards

  • Only one bounty will be awarded per vulnerability.
  • If we receive multiple reports for the same vulnerability, only the person who submits the first clear report will receive a reward.
  • Our reward system is flexible. We have no minimum or maximum amounts, as rewards are based on severity, impact and report quality.
  • Vulnerabilities affecting our platform or plugins typically have a higher impact.
  • To receive a reward, you must reside in a country that is not on sanctions lists.
  • This is a discretionary program and Sendcloud reserves the right to cancel it; the decision whether or not to pay a reward is at our discretion.

Reporting

You can contact us at security@sendcloud.com to report any vulnerability or to ask questions about this program. If you’re sharing a security flaw or sensitive information with us, we strongly encourage you to encrypt the email using PGP; our public key is available in many public key registries (https://keys.openpgp.org/search?q=security%40sendcloud.com).

By submitting a report, you grant us a perpetual, worldwide, royalty-free, irrevocable and non-exclusive license to use and modify your submission into Sendcloud’s platform and services.