Program Scope
At Global Fashion Group, we greatly appreciate security researchers submitting vulnerability reports and encourage them to do so. While we welcome reports on many types of vulnerabilities, please note that certain issues fall outside the scope of our program. To ensure clarity, we have provided a list of exclusions below. Kindly review the scope details carefully before submitting your report to ensure it aligns with our bug bounty program guidelines. Your cooperation is invaluable in helping us maintain the security and integrity of our systems.
Out of Scope Issues
- Denial of Service attacks
- Use of outdated software/library versions
- Use of a known-vulnerable library without a description of an exploit specific to our implementation
- Login/logout/unauthenticated/low-impact CSRF
- Cookies that lack the HttpOnly or Secure flag when they hold non-sensitive data
- Self-XSS and issues exploitable only through Self-XSS
- Reports from automated tools or scans
- Attacks requiring physical access to a user's device or MITM attacks
- Username enumeration based on login, forgot password, account creation and registration pages
- Enforcement policies for brute force or account lockout
- Any CVE or other well-known, publicly documented issue is out of the program's scope
- Reports about insecure SSL/TLS configuration
- Clickjacking and issues only exploitable through clickjacking
- Mail configuration issues including SPF, DKIM, DMARC settings
- Rate-limiting issues
- Hyperlink injection in emails using forms available to any user
- Vulnerabilities affecting users of outdated browsers or platforms
- Reports of credentials exposed by other data breaches / known credential lists
Low priority issues
- Subdomain takeover - While our domains are not directly customer-facing, a subdomain takeover can still have minimal impact. Bugcrowd's Vulnerability Rating Taxonomy suggests classifying Basic Subdomain Takeover as P3, but since that rating does not reflect the impact on our subdomains, we categorize them as P4. Any top-level domain takeover will be treated as P1.
Informational issues
- Swagger vulnerabilities - As Swagger is primarily used for API documentation and testing, any vulnerabilities related to Swagger itself are beyond our control. Fixes for Swagger vulnerabilities need to be addressed by the Swagger team. Issues such as XSS and input injections within Swagger do not have a direct impact on our systems. While we categorize Swagger issues as P5, we are open to discussing any exploitation scenarios that could potentially impact our live infrastructure.