By Dinis Cruz | December 12, 2018
Protecting our customers’ information is of utmost importance to us. Our Security Team works with researchers to ensure all vulnerabilities submitted to us are reviewed and actioned.
We appreciate security researchers who help us keep our employees and customers safe by reporting vulnerabilities that may exist on our platform. If you believe you have discovered a possible security vulnerability, please help us to fix it as quickly as possible by submitting your findings in accordance with our disclosure policy below.
Our commitment to you
We will review all submissions and provide timely and clear responses on validation.
Please note that this is not a bug bounty program, but we will recognise the efforts of those researchers who help us improve our security controls when we see fit.
The prioritization and rating of a submission will be based upon a number of factors including, but not limited to, the Bugcrowd Vulnerability Rating Taxonomy and the business impact of the vulnerability reported.
We will investigate legitimate submissions and make every effort to quickly correct any vulnerability - we ask that you:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services to our customers.
- Do not exploit a security vulnerability you discover for any reason. Impermissible exploitation includes, but is not limited to, actions intended to demonstrate the potential impact or risk of the vulnerability such as attempting to pivot from one system to another. We will determine the worst possible credible scenario for the submission and keep you informed.
- Do not modify or attempt to access data that does not belong to you.
We track all issues, so any duplicate submissions (e.g. previously submitted by others, or affecting a common code base) will be identified and may be rejected.
In scope
- Photobox website https://www.photobox.co.uk/
- Hofmann website https://www.hofmann.es/
- Moonpig website https://www.moonpig.com
- PosterXXL website https://www.posterxxl.de/
- Any other publicly accessible system of these brands, including but not limited to mobile applications
Out of scope
Any research that negatively affects the Confidentiality, Integrity or Availability of our services is prohibited.
- Denial of service attacks
- Spamming/social engineering/phishing attacks
- Physical exploits and/or attacks on our infrastructure
- Accessible non-sensitive files and directories (e.g., README.txt, robots.txt, etc.)
- Fingerprinting/banner/version disclosure of common/public services
- Username/e-mail enumeration by brute forcing or by inference from certain error messages, except in exceptional circumstances; for example, the ability to enumerate e-mail addresses by incrementing a variable
- Local network-based attacks such as DNS poisoning or ARP spoofing
- 3rd-party applications (such as WordPress)
Please include the following information
- Date and time of discovery
- Your contact information so we can get in touch if we need to respond to your submission:
  - Name
  - E-mail address
  - Phone number (optional)
- Detailed description of the issue you found
- Clear and concise step-by-step guide to allow for validation
- Include screenshots or video where possible
All information you gather as part of your research is considered confidential and must only be used to demonstrate the existence of a vulnerability to Photobox Group.
If you have any queries or questions, please don’t hesitate to get in contact with us at firstname.lastname@example.org