Important updates about our Bug Bounty Program
Firstly, thanks a lot for the overwhelming response as soon as our Program went Public. On behalf of the BigCommerce security team, we are extremely delighted for having you submit vulnerabilities to us. As you all continue to test our platform, we wanted to send some updates:
- Please refrain from testing anyone else's stores. All the testing needs to be done only on your store. All the vulnerabilities reported on any of our other's stores will be marked as not applicable.
- Due to the high rate of automation & spam we are currently replacing our production trial Sign up-page page to our staging environment "https://www.staging.zone/start-your-trial/". We request you all to use the staging environment for only "trial sign up flow". All other findings will be marked out of scope.
- Also, keep in mind that we have fraud filtering in place which is the reason you might see a failure when trying to create a trial sign up flow. Moving to the staging env. should change this issue.
- We have received a lot of submissions in our third party services. As mentioned in the Program Brief, this is out of scope. Vulnerabilities submitted on acquisitions, support portals, partner portals will be deemed low priority and purely handled on a case by case basis.
- We noticed that some of you are yet to be rewarded with bounty for valid findings. We apologise for the delays.
Please keep an eye on the Program brief for Scope updates in the next 24 hours.
Once again, thank you for your interest in participating in our Program.