Fourthwall

Vulnerability Disclosure Policy

Scope

In scope

  • www.fourthwall.com
  • *.fourthwall.com
  • *-shop.fourthwall.com
  • Fourthwall associated services and APIs

Out of scope

  • Enumeration of random identifiers without proof of concept
  • Tab nabbing
  • Vulnerability scanner false positives / automated tool output without PoC
  • Social engineering (phishing, employee impersonation, contacting Support under false pretenses)
  • Broken links / unclaimed social media accounts (unless chained with impactful exploit)
  • Content spoofing
  • Bypassing HTML sanitization to make external HTTP requests at storefront level by privileged user
  • DDoS — DoS in scope only if single user with single request disrupts the entire service, not one shop
  • Issues exploitable only in outdated browsers or plugins
  • SPF/DKIM/DMARC/CAA/TLSA/DNSSEC record issues (email spoofing)
  • CSV / formula injection
  • Hyperlink injection at storefront level by privileged user
  • Insecure cookie handling for account-identifying cookies
  • Perceived permission issues without data integrity/confidentiality impact
  • Theoretical subdomain takeovers without supporting evidence
  • Generic host header attacks without remote-victim evidence
  • CVV validation during payment
  • Disclosure of server or software version numbers
  • Spam/flooding (email, SMS)
  • Permitted password strength
  • Missing HttpOnly/Secure flags and browser cache issues
  • General configuration or policy suggestions
  • Slow requests that eventually complete
  • Usability or UI issues
  • Third-party / partner security flaws (escalated to partner, not bountied)
  • XSS exclusions: via Set-Header/full header control; via Inspect Element/console; Self-XSS requiring more than two steps; storefront or checkout XSS by store owner/staff (incl. *-shop.fourthwall.com); iFrame XSS in admin Theme Editor; legacy Rich Text Editor XSS by privileged user
  • Creator HTML in store descriptions, product details and content fields (by design, not a vulnerability)
  • CSRF for login/logout (unless chained) and cart modification
  • CDN (static.fourthwall.com, cdn.fourthwall.com): arbitrary file upload by staff; sensitive-data disclosure (files intentionally public); stored XSS unless chained to a real scenario
  • Fourthwall-hosted store false positives: staff access to admin endpoints; password-reset tokens not expiring on email change; insecure 'Coming Soon' password; staff with edit perms removing perms they lack; intended public files; lack of domain verification when adding custom domain; email not requiring verification on signup; user/store name enumeration
  • Mobile apps: emulator-only issues; rooted/jailbroken/physical/debug access; biometric bypass; absence of app encryption; lack of binary protection or SSL pinning
  • Race conditions not exploitable for access to sensitive information
  • SSRF with only simple HTTP/DNS interactions
  • Open redirects without user interaction (unless chained to demonstrate significant impact)
  • HTML injection in emails by store owner/staff (unless chained with an eligible vulnerability)
  • Perceived security weaknesses without remote-victim evidence (plaintext credentials in POST body, missing rate limits, brute force without demonstrated impact)

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Bounty Rewards

Super Critical
$750 – $1,500
Critical
$500 – $1,250
High
$250 – $1,000
Medium
$75 – $500
Low
$50 – $100
Informational
Recognition only

Final award amounts are determined by impact, exploitability, and report quality.

Response Times

7 days
Initial Acknowledgment — we confirm receipt of every report within this window.

Target resolution time

Maximum time from triage to remediation, by severity. Bar length shows relative urgency.

Super Critical
1 day
Critical
3 days
High
7 days
Medium
14 days
Low
30 days
Informational
30 days

How to Report

Submit your vulnerability report through our secure form.

What to include in your report

  • Affected URL, endpoint, or component (and version if known)
  • Clear, step-by-step instructions to reproduce
  • Proof of concept (code, screenshots, or a short video)
  • Impact — what an attacker could achieve
  • Your contact details for follow-up
Submit a Report
security.txt Policy as Markdown See researchers we've recognized