Program Brief
Response Targets
Global Fashion Group will make its best effort to meet the following response targets for hackers participating in our program:
- Time to First Response: 2 business days
- Time to Triage: 7 business days
- Time to Bounty: 5 business days
- Time to Resolution: Up to 45 business days. We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- As the Bug Bounty Program of Global Fashion Group is a private program, we kindly request that you refrain from discussing the program or any vulnerabilities, including resolved ones, outside of the program without explicit consent from the organization.
- We appreciate your cooperation in adhering to Bugcrowd's disclosure guidelines, which can be found in Bugcrowd's Standard Disclosure Terms. Your adherence to these guidelines ensures the responsible handling of vulnerabilities and protects the interests of all parties involved.
Program Rules
- Ensure that you are not currently an employee or contractor of GFG or any of its regional entities, were not an employee or contractor within the six months prior to submission, and did not collaborate on your submission with anyone who was.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Any activity that could lead to the disruption of our service (DoS) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Amounts below are the minimum and maximum bounties we will pay per bug based on severity. We aim to be fair; all reward amounts are at our discretion.
- GFG reserves the right to terminate or discontinue the Program at its discretion.
- You are solely responsible for any applicable taxes, withholding or otherwise, arising from or relating to your participation in the Program, including from any bounty payments.
- Never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
- When in doubt, contact us at .
What to include in your report
A well-written report will allow us to more quickly and accurately triage your submission.
- A clear description of the issue, including the impact you believe it has on the user, Global Fashion Group or others.
- Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
- Clear and valid security impact of the issue.
- Your recommendations to resolve the issue.
Safe Harbor
We are dedicated to fostering a safe and collaborative environment for security research. By adhering to this policy, your actions will be considered authorized, and we will not take legal action against you. In the event that a third party initiates legal proceedings related to your activities under this policy, we will support you and highlight your compliance with our guidelines.
Our bug bounty program strongly upholds the principles of safe harbor, ensuring protection for genuine security research. To learn more about safe harbor, please visit disclose.io.
For vulnerability research conducted within the scope of this policy, we affirm the following:
- Your actions are authorized under the Computer Fraud and Abuse Act (CFAA) and similar state laws. Accidental and good-faith violations of this policy will not lead to legal action initiated or supported by us.
- You are exempt from any claims related to circumvention of technology controls under the Digital Millennium Copyright Act (DMCA).
- Restrictions outlined in our Terms & Conditions that hinder security research are waived on a limited basis for work conducted under this policy.
- Your research is lawful, contributes to the overall security of the Internet, and is conducted in good faith.
We expect you to comply with all applicable laws and regulations while engaging in security research.
Thank you for helping keep Global Fashion Group and our users safe!