Photobox Responsible Disclosure Policy

By Dinis Cruz | December 12, 2018

Protecting our customers’ information is of utmost importance to us. Our Security Team works with researchers to ensure all vulnerabilities submitted to us are reviewed and actioned.

We appreciate security researchers who help us keep our employees and customers safe by reporting vulnerabilities that may exist on our platform. If you believe you have discovered a possible security vulnerability, please help us to fix it as quickly as possible by submitting your findings in accordance with our disclosure policy below

Our commitment to you

We will review all submissions and provide timely and clear responses on validation.

Please note that this is not a bug bounty program, but we will recognise the efforts of those researchers who help us improve our security controls when we see fit.

The prioritization and rating of a submission will be based upon a number of factors including, but not limited to, the Bugcrowd Vulnerability Rating Taxonomy and the business impact of the vulnerability reported. |

Contact us

Acceptable Research

We will investigate legitimate submissions and make every effort to quickly correct any vulnerability - we ask that you:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services to our customers.
  • Do not exploit a security vulnerability you discover for any reason. Impermissible exploitation includes, but is not limited to, actions intended to demonstrate the potential impact or risk of the vulnerability such as attempting to pivot from one system to another. We will determine the worst possible credible scenario for the submission and keep you informed.
  • Do not modify or attempt to access data that does not belong to you.

In scope

We ensure we track all issues so any duplicates submissions (e.g. previously submitted by others or from a common code base) will be identified and may be rejected

Out of scope

Any research that negatively affects the Confidentiality, Integrity or Availability of our services is prohibited. Denial of service attacks

  • Spamming/social engineering/phishing attacks
  • Physical exploits and/or attacks on our infrastructure
  • Accessible non-sensitive files and directories (e.g., README.txt, robots.txt, etc)
  • Fingerprinting/banner/version disclosure of common/public services
  • Username/e-mail enumeration by brute forcing or by inference of certain error messages - except in exceptional circumstances; for example, the ability to enumerate e-mail addresses by incrementing a variable
  • Local network-based attacks such as DNS poisoning or ARP spoofing 3- rd party applications (such as Wordpress)

Please include the following information

  • Date and time of discovery
  • Your contact information so we can get in touch if we need to respond to your submission Name
  • E-mail address
  • Phone number (optional)
  • Detailed description of the issue you found
  • Clear and concise step-by-step guide to allow for validation
  • Include screenshots or video where possible

Information restriction

All information you gather as part of your research is considered confidential and must only be used to demonstrate the existence of a vulnerability to Photobox Group

If you have any queries or questions, please don’t hesitate to get in contact with us at

About us

Photobox Group is Europe’s leading digital consumer service for personalised products and gifts and parent of the Photobox, Moonpig, Hofmann and posterXXL brands.

Creative Commons License

© 2018, Photobox Group Security. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.


Photobox Group Security
Unit 7, Metal Box Factory
30 Great Guildford Street