Program Scope
At Global Fashion Group, we greatly appreciate and encourage security researchers to submit vulnerability reports. While we welcome reports on various types of vulnerabilities, please note that we may not consider certain issues outside the scope of our programme. To ensure clarity, we have provided a list of exclusions below. Kindly review the scope details carefully before submitting your report to ensure it aligns with our bug bounty programme guidelines. Your cooperation is invaluable in helping us maintain the security and integrity of our systems.
Out of Scope Issues

  • Denial of Service attacks
  • Use of outdated software/library versions
  • Use of a known-vulnerable library without a description of an exploit specific to our implementation
  • Login/logout/unauthenticated/low-impact CSRF
  • Cookies that lack HTTP Only or Secure settings for non-sensitive data
  • Self-XSS and issues exploitable only through Self-XSS
  • Reports from automated tools or scans
  • Attacks requiring physical access to a user’s device or MITM attacks
  • Username enumeration based on login, forgot password, account creation and registration pages
  • Enforcement policies for brute force or account lockout
  • Any CVE or other well-known issue
  • Reports about insecure SSL / TLS configuration
  • Clickjacking and issues only exploitable through clickjacking
  • Mail configuration issues including SPF, DKIM, DMARC settings
  • Rate-limiting issues
  • Hyperlink injection in emails using forms available to any user
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Reports of credentials exposed by other data breaches / known credential lists
  • 3rd party and Open Source Tools: Vulnerabilities found in third-party or open-source software that is not developed or maintained by GFG are considered out of scope for our bug bounty programme. This includes, but is not limited to, tools and platforms such as Grafana, WordPress, Jenkins, and others that are integrated into our environment but not under our direct control.

Low Priority Issues

  • Subdomain takeover – While our domains are not directly customer-facing, a subdomain takeover can still have minimal impact. Bugcrowd’s vulnerability rating taxonomy suggests classifying Basic Subdomain Takeover as P3, but since that rating does not reflect the impact on our subdomains, we categorise them as P4. Any top-level domain takeover will be treated as P1.

Informational Issues

  • Swagger vulnerabilities – As Swagger is primarily used for API documentation and testing, any vulnerabilities related to Swagger itself are beyond our control. Fixes for Swagger vulnerabilities need to be addressed by the Swagger team. Issues such as XSS and input injections within Swagger do not have a direct impact on our systems. While we categorise Swagger issues as P5, we are open to discussing any exploitation scenarios that could potentially impact our live infrastructure.