YourStore.

Vulnerability Disclosure Program

Introduction

At YourStore, we are committed to providing safe and secure digital services for our valued customers. We are dedicated to maintaining the highest security standards and safeguarding user privacy. As part of our ongoing efforts to strengthen our systems and services, we invite external security researchers and ethical hackers to collaborate with us through our Vulnerability Disclosure Program (VDP).

Guidelines

  • Notify us promptly: Inform us as soon as possible after you discover a real or potential security issue.
  • Responsible Testing: Avoid actions that could violate user privacy, degrade user experience, disrupt our systems, or destroy/manipulate data.
  • Limited Exploitation: Only use exploits to verify a vulnerability's presence. Don't use them to steal data, gain persistent access, or pivot to other systems.
  • Confidentiality: Don't reveal information from your report or acknowledge the vulnerability to any third party.
  • Quality over Quantity: Ensure your vulnerability reports are well-researched, detailed, and reproducible.
  • Stop Testing on Sensitive Data: If you encounter sensitive data (personal information, financial data, or trade secrets), stop testing immediately, report it to us, and don't disclose the data to anyone else.

Scope

All publicly accessible IT services owned by YourStore are in scope.

Websites

  • *.yourstore.ch
  • *.ur-store.ch
  • *.ur-store.io

Public Repositories

  • https://github.com/Ur-Store/

Vulnerabilities

The following vulnerabilities qualify for our VDP:

  • XSS (Cross-Site Scripting)
  • CSRF (Cross-Site Request Forgery)
  • SSRF (Server-Side Request Forgery)
  • SSTI (Server-Side Template Injection)
  • SQL Injection
  • XXE (XML External Entity)
  • RCE (Remote Code Execution)
  • LFI/RFI (Local/Remote File Inclusions)
  • Flaws in Authentication or Authorization processes

Out of Scope Vulnerabilities

  • Security concerns or best practices without a clear exploitable impact.
  • Social engineering.
  • Physical access vulnerabilities.
  • Denial of Service attacks.
  • Email Spoofing.
  • Lack of jailbreak detection, binary protection, certificate pinning, or obfuscation.
  • Reports regarding missing HTTP security headers (unless accompanied by proof of exploitability).
  • Use of libraries with known vulnerabilities (unless there's proof of exploitation beyond the known ones).
  • Reports on insecure SSL/TLS ciphers or weak signature algorithms (unless accompanied by a functional proof of concept demonstrating potential exploitation).

Safe Harbour

As long as you follow this policy, your actions will be considered authorized, and we won't pursue legal action against you. If someone else tries to sue you for following this policy, we'll help demonstrate your compliance. If you have any concerns or are unsure if your research aligns with this policy, please contact us before proceeding.

What You Can Expect From Us

  • This is not a bug bounty program, so there is no financial reward. However, we will acknowledge your contribution based on the severity of the finding.
  • We aim for a timely response within 5 business days.

Reporting

Send an email to: security@yourstore.ch

Report Language:

English or German (preferred)

Report Template:

  • Description: Provide details about the vulnerability.
  • Proof of Concept: Include screenshots or code.
  • Steps for Reproduction: List steps to reproduce the vulnerability.
  • Supporting Materials: Attach screenshots, logs, etc.