Responsible Disclosure Program
At 11main, we take security and privacy very seriously. We believe that responsible security researchers across the globe are critical in identifying vulnerabilities in any technology. 11main welcomes and encourages security researchers to report vulnerabilities with our systems and we appreciate your efforts to make the internet a safer place.
How the Program Works
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
- Let us know as soon as possible upon discovery of a potential security issue and we'll make every effort to quickly resolve the issue.
- Please avoid any privacy violations, degradations and disruption to our production systems during your testing. This includes any activity that has an impact on the availability of our systems, including the use of vulnerability scanning tools.
- Do not attempt to brute-force or spam our systems.
- Never exploit a vulnerability you discover to view data or alter data without authorization.
- Do not do anything illegal. Researchers are responsible for complying with local laws, restrictions, regulations, etc.
- Please keep information disclosed confidential between yourself and 11main, until we resolve the issue. Again, we will make our best efforts to fix issues in a short time frame, but some vulnerabilities take longer than others to resolve.
By responsibly submitting your findings to 11main in accordance with these guidelines 11main agrees not to pursue legal action against you. 11main reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, 11main commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
Vulnerability Submissions
Please report any security issues you find to security@morecommerce.com. If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.
Please include the following in your submission:
- Your name and contact information
- Company name (if applicable)
- A detailed description of the potential vulnerability.
- Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability, proof of concept links and/or payloads.
- Any relevant details of your system’s configuration, such as any browser or user-agent information where the tests were conducted.
- Your IP address and 11main account, to assist with coordinated log review.
Exclusions
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program, including:
- Social engineering (including phishing) of 11main staff, contractors, or users.
- DoS/DDoS
- Resource Exhaustion attacks
- Self XXS
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
- Reports from automated tools and/or scans
- Bugs in 3rd party software
- Physical attacks on our infrastructure
- DNSSEC
- CSV Injection
- SSL/TLS Best Practices
- X-Frame-Options related
- Missing security headers which do not lead directly to a vulnerability
Thank You
We want to make sure to sincerely thank you for your disclosing security vulnerabilities responsibly and working with us to improve our security. We understand the work and talent you've put into finding these issues and appreciate you reaching out to us.