Protecting user data and personally identifiable information is of the highest importance to Sendcloud. Part of this effort is our Bug Bounty Program. We welcome you to disclose any vulnerability you find to Sendcloud.
How it Works
Our Bug Bounty program is hosted privately on HackerOne.
To participate:
Send your valid vulnerability report to security@sendcloud.com.
If the report meets our eligibility criteria, we will invite you to our private HackerOne program to continue the process.
Rules of Engagement
Only test with accounts you create using your HackerOne-registered @wearehackerone.com email address.
Only interact with accounts you own.
Cancel any shipping labels you create during testing to avoid charges.
Only use the free version or a trial subscription, and cancel trials before they convert to paid.
Do not attempt denial-of-service or social engineering, and do not use automated scanners.
Respect privacy – avoid accessing, modifying, or deleting customer data.
What We’re Looking For
We’re especially interested in vulnerabilities that could:
Expose or compromise customer data
Lead to account takeover
Allow unauthorized access to sensitive operations
Impact webshop or carrier integrations
What’s Out of Scope
Some systems and vulnerabilities are excluded, including:
Marketing websites (e.g., sendcloud.com, .es, .nl, .de, .co.uk, etc.) – except for critical issues like subdomain takeover, open redirect with impact, or sensitive data exposure
Third-party systems (e.g., carrier platforms, Zendesk, Atlassian portals, etc.)
Low-severity issues such as missing security headers, TLS best practices, version disclosures, or clickjacking without sensitive impact
Social engineering attacks, denial-of-service, or brute force attacks
For a full list of exclusions, you’ll find the details in our private HackerOne program once invited.
Rewards
Rewards are based on the severity of the issue (using CVSS as a guideline). Final reward amounts are at the discretion of the Sendcloud Bug Bounty team. Only valid reports against in-scope assets are eligible.
Safe Harbor
Any testing conducted in line with this policy is considered authorized. We will not pursue legal action against researchers who act in good faith and follow the rules.
Ready to report a vulnerability?
Send your valid report to security@sendcloud.com.
If accepted, we’ll invite you to our private HackerOne program to proceed.