Responsible Disclosure

Intro

Ucartz appreciates and values the researchers who bring security to Ucartz platform. As a security researcher, we want to hear from you if you have found a vulnerability in Ucartz website. Suppose your vulnerability report affects a product or service within the scope of our bounty programs below. In that case, we would reward reporters for the responsible disclosure of in-scope issues. Even if it is not covered under an existing bounty program, we will publicly acknowledge your contributions to fix the vulnerability.

Responsible disclosure policy

We ask that you make every effort to maintain the integrity of our users’ data during your research, avoiding violating privacy or degrading our service. It would be best to give us a reasonable time to fix any vulnerability you find before making it public. In return, we promise to investigate reports promptly and not take any legal action against you.

Eligibility

Please include detailed steps to reproduce and a brief description of the impact. You have to agree to test the countermeasure's effectiveness applied to your report. You should agree to keep any communication private.

We encourage responsible disclosure, and we promise to investigate all legitimate reports promptly and fix any issues as soon as we can. We do read all reports within 48 hours, but as all reports are reviewed and personally investigated by our senior staff, it may take up to 15 business days before you hear back from us.

• Follow our responsible disclosure policy (see above).
• Report the bug to us first, and give us reasonable time to fix the issue before making it public.
• Be the first person to report the issue to us.
• Use a test account or an account that you control. Never interact with other accounts without the owner’s consent.
• Find a bug that could allow access to private user data, or enable access to a system running Ucartz infrastructure.

Qualifying Vulnerabilities!

The submissions under the following are eligible for rewards:

1. Authentication or session management issues.
2. Cross-Site Scripting (XSS) (only on www.ucartz.com not on www.ucartz.com/clients/ and inner cart pages).
3. Cross-Site Request Forgery (CSRF/XSRF).
4. Remote Code Execution.
5. Privilege Escalation.
6. Payment manipulation.

Note that third-party applications or websites are not owned or controlled by Ucartz and are not within the program's scope.

We do not accepts bugs related to Billing/WHMCS & cPanel. Instead we accept bugs related to Code Injection & File uploaded vulnerabilities on our main Domain ucartz.com. The reporter must submit a POC & Steps to reproduce the bug through our ticket system.

Report a Security Vulnerability

If you discover a bug, we appreciate your cooperation in responsibly investigating and reporting it to us to address it as soon as possible. Click here to submit a security vulnerability.

Rewards!

We don't offer any reward amounts for any bugs reported. Instead, a valid report will be verified and considered for the Hall Of Fame.

Hall of Fame!

Our thanks to the following security researchers for their submissions: