Help us keep ShopCircle secure
We take security seriously. If you've discovered a vulnerability in our systems or applications, we want to hear from you. Report responsibly and get recognized in our Hall of Fame.
What you can test
We are exclusively interested in vulnerabilities that affect the production environments of our official Shopify applications.
In-Scope Targets
- Production environments of our official Shopify applications
- Core application logic, APIs, and integrations of these specific production apps
Out-of-Scope Targets
- Corporate, informational, or marketing websites (e.g., the main shopcircle.co site)
- Staging, development, or sandbox environments
- Third-party services, support portals (e.g., Zendesk, Intercom), or hosting infrastructure not directly tied to the production app's logic
- The core Shopify platform itself (report those directly to Shopify's bug bounty program)
What we want to hear about
The following vulnerability categories are considered in-scope for our responsible disclosure program.
Remote Code Execution & Path Traversal
Local File Inclusion (LFI), OS command injection, or unsafe deserialization (e.g., Prototype Pollution).
Authentication & Authorization Flaws
Privilege escalation, broken access control (IDOR/BOLA), insecure session management, OAuth implementation flaws, and account takeover.
Server-Side Request Forgery (SSRF)
Unauthorized backend request generation that exposes internal network infrastructure or metadata.
Injection Attacks
SQL injection, NoSQL injection, Server-Side Template Injection (SSTI), and GraphQL injection.
Cross-Site Scripting (XSS)
Stored, reflected, or DOM-based XSS that leads to data theft or session hijacking. Self-XSS is excluded unless a clear chaining impact is demonstrated.
Data Exposure
Unintended access to sensitive merchant/customer data, PII leaks, or hardcoded secrets/API keys.
Cryptographic Weaknesses
Broken encryption, predictable tokens, or insecure key management.
Business Logic Flaws
Abuse of application workflows, pricing manipulation, unauthorized modification of subscription tiers, or feature-gating bypasses.
Out of Scope
Infrastructure Attacks
- Denial of Service (DoS/DDoS) attacks
- Network-level stress testing
- Physical security attacks
Social Engineering
- Phishing, vishing, or any social engineering attacks against ShopCircle employees, merchants, or customers
Third-Party Services
- Vulnerabilities in third-party applications or libraries
- The core Shopify platform itself (report those directly to Shopify's bug bounty program)
Email Configuration
- Missing or misconfigured SPF, DKIM, or DMARC records (email spoofing)
Theoretical / Scanner Noise
- Automated scanning results without a demonstrated, chained exploit
Missing Best Practices (No Impact)
- Missing HTTP security headers without a demonstrable exploit
- Missing cookie flags (Secure, HttpOnly) on non-sensitive cookies
- Information disclosure of non-sensitive data (e.g., server version banners)
Self-Exploitation
- Self-XSS or issues requiring unlikely user interaction
Authentication UX
- Logout CSRF, password complexity policies
- Account enumeration via password reset responses
Brute-Force
- Brute-force attacks against login or password reset forms
From report to resolution
We follow a structured process to handle every report professionally, keeping you informed at every stage.
Submit your report
Send a detailed email to security@shopcircle.co. Include a clear description of the vulnerability, steps to reproduce, potential impact, and any supporting screenshots or proof-of-concept code.
Acknowledgement
We will acknowledge your report within 2 business days. You will receive a tracking reference and the name of the team member handling your case.
Triage & validation
Our security team assesses the report, attempts to reproduce the vulnerability, and assigns a severity rating (Critical, High, Medium, Low) based on CVSS scoring methodology.
Remediation
We develop and test a fix. For critical and high severity issues we aim for a patch within 7 days. Medium and low severity issues are addressed within 30–90 days.
Coordinated disclosure
We will notify you before any public disclosure and coordinate the timeline with you. We ask that you observe a 90-day embargo from the date of our acknowledgement.
Recognition & Thank You
Once the fix is confirmed, we publicly thank you and add your name to our Hall of Fame along with a link of your choice and the severity level of your finding. Please note: we do not offer monetary rewards.
Found a security issue?
Send us a detailed report and we will get back to you within 2 business days. If confirmed, we'll publicly thank you and feature your name in our Hall of Fame. Please include a description, reproduction steps, and the potential impact of the vulnerability you found.
security@shopcircle.co
This is a recognition-only program. We do not offer monetary rewards.
Reporting guidelines
Provide detail
Include reproduction steps, impact assessment, affected endpoints or components, and any PoC code or screenshots.
Give us time
Allow us reasonable time to investigate and remediate before any public disclosure. We will keep you updated throughout.
Act in good faith
Do not access, modify, or delete data beyond what is needed to prove the vulnerability. Avoid impacting service availability.
Security researchers we thank
We recognize and thank these security researchers for their responsible disclosure and help in making ShopCircle safer for all our merchants and their customers.