No technology is perfect, and Triple-A believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you’ve found a security issue in our product or service, we encourage you to notify us. We welcome you to work with us in resolving the issue promptly. Please review the following program rules before you report a vulnerability. By participating in this program, you agree to be bound by these rules.
Triple-A looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Please contact us at email@example.com.
The following domains and applications are within the scope of this program:
WooCommerce plugin (provided via WordPress plugins directory)
OpenCart plugin (provided via Opencart plugins directory)
Out of scope of this program:
any WordPress or any prototype or test instances that may temporarily be reachable.
If a third-party application is hosted on a subdomain, it is eligible for our program. However, we only accept severe vulnerabilities that affect our users, service, or infrastructure. Other vulnerabilities will be reported or forwarded to the third-party vendor.
Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
Give us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for a bounty.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
If any sensitive information is accessed as a part of exploitation, it must not be stored, transferred or otherwise processed after the initial discovery. All copies of sensitive information must be returned to Triple-A and may not be retained
Always limit exploitation to minimal proof of concept required to demonstrate the vulnerability. Do not attempt to access Triple-A or users’ accounts or data or post-exploitation of other vulnerabilities. Stop and report what you have found and request additional testing permission
Please follow this report format when submitting vulnerabilities:
Title: A brief and descriptive title of the vulnerability
Description: A detailed explanation of the vulnerability, its impact, and its root cause
Severity: A rating of the severity of the vulnerability based on the CVSS v3.1 scoring system
Impact: A description of how the vulnerability affects Triple-A or its users, service, or infrastructure
Steps to reproduce: A clear and step-by-step guide on how to reproduce the vulnerability
Proof of concept: A demonstration of the vulnerability using code, screenshots, video, etc.
Mitigation: A suggestion on how to fix or prevent the vulnerability
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
Reports that include clear steps to reproduce and proof of concept code will be more likely to be accepted
While researching, we’d like to ask you to refrain from:
Denial of service to Triple-A services or our merchants’ and partners’ services
Degrading performance or service of Triple-A services or our merchants’ and partners’ services
Spamming (even self-spamming)
Social engineering (including phishing) of any Triple-A staff or contractors
Any physical attempts against Triple-A or Triple-A merchants’ and partners’ property or data centers
Accessing private information of Triple-A merchants and partners
In order to be eligible for a bounty, you must meet the following requirements:
You must be the first reporter of the vulnerability
Vulnerability must be associated with a domain or application listed above and not applicable to the above exclusions
You must not publicly disclose the vulnerability without our prior discretion
Vulnerability must have a clearly identified security impact and presented with enough information for investigation and reproduction by Triple-A staff
Any vulnerabilities reported with the following criteria are not eligible for a bounty:
Affecting an ineligible scope
Bugs caused by a third-party website that our JS client is embedded on
Only affecting outdated browsers/platforms
Only affecting the executing user (self-XSS and similar)
Caused by misbehaving third-party software/website
Applicable only through social engineering
Pretense being you already have access to affected account (or user’s browser)
Vulnerabilities considered by Triple-A to be of low severity
Tool outputs are not enough. Scanners and automation tools are common trade practice in the security community. They often produce many results for further investigation and can yield many false positives. Reports from automated tools or scans must include additional analysis to demonstrate the exploitability of the vulnerability to be eligible for bounty awards.
When duplicates occur, we only award the first report that we receive
If a vulnerability is fixed in the beta version we will consider it as duplicate
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty
Remote Code Execution (RCE)
Injection (SQLi or equivalent)
Local/Remote File Inclusion (LFI, RFI)
Account Takeover (depends on the complexity of user interaction)
Sensitive Data Disclosure or Manipulation (IDOR, memory leak, etc.)
Server Side Request Forgery (SSRF), non-blind
Server Side Request Forgery (SSRF), blind
Corp Admin Stored Cross Site Scripting, blind
Stored Cross Site Scripting
Reflected/Other Cross Site Scripting
Cross Site Request Forgery (CSRF)
Self Cross Site Scripting
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
Triple-A will determine at its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis.
You must comply with all applicable laws in connection with your participation in this program.
Thank you for helping keep Triple-A and our users safe!