Reporting a Security Issue
Disc.Market is a marketplace that handles payments and personal information, and we take the security of our buyers and Pro Shops seriously. We're grateful to the security-research community for helping keep the platform safe.
If you believe you've found a vulnerability, please report it to us privately using the steps below and give us a reasonable chance to fix it before disclosing it anywhere else. We commit to handling your report promptly, keeping you informed, and not pursuing legal action against good-faith research that follows this policy.
How to Report
Send security reports to one of these channels:
- Email security@disc.market — the preferred channel for security issues.
- Or use our contact form and choose a security-related topic if you'd rather not email.
To help us reproduce and fix the issue quickly, please include:
- A clear description of the vulnerability and the impact you believe it has.
- The exact URL, endpoint, or page involved, and the type of issue (for example, XSS, access control, injection).
- Step-by-step instructions or a short proof-of-concept that lets us reproduce it.
- Any IP addresses or accounts you tested from, so we can correlate your activity in our logs.
We currently accept reports in English. If your report contains especially sensitive details and you'd like an encrypted channel, say so in your first message and we'll arrange one.
Rules of Engagement
When researching, please:
- Only interact with accounts you own or have explicit permission to test.
- Stop as soon as you've confirmed a vulnerability — a single proof-of-concept is enough. Do not pivot, escalate, or pull more data than needed to demonstrate the issue.
- Never access, modify, delete, or exfiltrate another person's data, orders, messages, or payment information. If you encounter someone else's data, stop and report it immediately.
- Avoid anything that degrades service for others — no denial-of-service, automated high-volume scanning, brute forcing, or spam.
- Do not use social engineering, phishing, or physical attacks against our team, our users, or our service providers.
- Give us a reasonable time to remediate (we aim for 90 days) and coordinate with us before any public disclosure.
Safe Harbor
We consider security research conducted in good faith and in accordance with this policy to be authorized conduct. If you follow these guidelines, we will not pursue or support legal action against you for your research, and we'll treat your activity as exempt from restrictions in our Terms of Use that would otherwise prohibit it.
If a third party brings legal action against you for activity that complied with this policy, we will make it known that your actions were authorized. If you're ever unsure whether a specific test is permitted, ask us first at security@disc.market — we're happy to clarify.
Out of Scope
The following generally do not qualify as security vulnerabilities by themselves. We may already know about them, accept them as a reasonable trade-off, or consider them low risk:
- Output from automated scanners or generic best-practice flags without a working proof-of-concept.
- Missing security headers, cookie flags, or TLS configuration nitpicks with no demonstrated exploit.
- Email-authentication findings (SPF, DKIM, DMARC) on hostnames that don't send mail.
- Rate limiting, brute force, or account enumeration reports without a concrete, demonstrated impact.
- Self-XSS, clickjacking on pages with no sensitive actions, or issues requiring an unlikely level of user interaction.
- Software version disclosure or reports based solely on the presence of a known-vulnerable library without a working exploit on our site.
- Denial-of-service, social engineering, and physical attacks.
- Vulnerabilities in third-party services we rely on (such as Stripe, Cloudflare, Vercel, or EasyPost). Please report those directly to the vendor; we're glad to help coordinate where it affects our users.
What to Expect From Us
When you submit a report that follows this policy, we will:
- Acknowledge receipt within about two business days.
- Work to validate the issue and keep you updated on our progress as we remediate.
- Let you know when the issue is resolved.
- With your permission, credit you for the discovery once a fix is in place.
We do not currently run a paid bug-bounty program, so we're unable to offer monetary rewards. We deeply appreciate responsible reports and are glad to publicly thank researchers who help us protect the Disc.Market community.