GFG Bug Bounty Program


Welcome to Global Fashion Group, a leading international fashion e-commerce platform! We're dedicated to providing a secure and trustworthy environment for our valued customers. As part of our commitment to maintaining the highest security standards, we have partnered with Bugcrowd, a renowned bug bounty platform, to facilitate our Bug Bounty Program. We highly appreciate the crucial role that security researchers like you play in identifying and addressing vulnerabilities. By joining our Bug Bounty Program through Bugcrowd, you can showcase your expertise and contribute to the security of our fashion ecosystem.

Together, let's create a safer online environment and ensure the integrity of Global Fashion Group. Please note that we cannot accept direct submissions outside of the Bugcrowd platform. Thank you for your interest, and we look forward to collaborating with you on our journey towards a secure and fashionable future!


Join Our Program


Email us at with your Bugcrowd username or email address, and we'll send you the invite.


Rewards


At Global Fashion Group, our Bug Bounty Program pays bounties for security vulnerabilities in our software, rated according to the scale below.

GFG employs a straightforward rating and reward scale for all bounty submissions. Each vulnerability is unique, so the ranges below are the rough guideline we use internally to assess and acknowledge submissions, not a fixed price list.

Critical (P1) $1200 - $1600

Critical severity issues pose an immediate and significant risk to a wide range of our users or to a GFG platform. They typically affect foundational components of our application stacks or infrastructure. Examples include:

  • Execution of arbitrary code or commands on a server within our production network.
  • Unauthorized execution of arbitrary SQL queries on a production database.
  • Unauthorized access to sensitive user data within our production environment or internal production systems.

The upper bound for critical vulnerabilities, $1600, is only a guideline, and GFG may reward higher amounts for exceptional reports.


High (P2) $600 - $1000

High severity issues involve unauthorized access to or modification of highly sensitive data. They typically have a narrower scope than critical issues but can still give an attacker significant access. Examples include:

  • Unauthorized access to customer data: vulnerabilities that expose sensitive customer information to a party not entitled to it.
  • Injection attacks: SQL injection, cross-site scripting (XSS) and similar flaws where untrusted input is interpreted as code or a query and can be used to compromise user accounts. (Arbitrary query execution against a production database is rated Critical, as described above.)
  • Privilege escalation: weaknesses that let a user gain access to functionality or data beyond their assigned role.
  • Insecure direct object references (IDOR): endpoints that accept an object identifier without checking that the caller is authorized for that object, enabling unauthorized access to or manipulation of data or resources.
  • E-commerce transaction vulnerabilities: flaws such as payment bypass, cart or price manipulation, or fraudulent transactions that pose a financial risk to the platform or its users.

Medium (P3) $300 - $400

Medium severity issues let an attacker access or modify restricted data they are not authorized for, but the data involved is less sensitive than in high severity issues.


Low (P4) $100 - $200

Low severity issues give an attacker minimal data access. They may deviate from intended functionality, but offer little or no privilege escalation and little ability to trigger unintended behavior.