Bug Bounty Program

Effective as of August 12, 2021
Website : ("https://shopiro.ca/")
Shopiro Ltd : also referred to as "Shopiro", "we", "us" or "our")

We takes steps to improve our product and provide secure solutions to our customers. In this Bug Bounty Policy ("Policy"), we describe the circumstances applicable to our Bug Bounty program and how it is to be used in connection with your use of our website at https://shopiro.ca/ , including, but not limited to, the mobile app, social media pages or other online properties (collectively, the “Website”) , or when you use any of the products, services, content, features, technologies or functions that we offer (collectively, the “Services”). This policy is designed to help you obtain information about how you can participate in our Bug Bounty program, what safe search results are applicable, and what benefits you may receive. Please note that our service offerings may vary by region.

For all purposes, the English language version of this policy will be the original and governing instrument. In the event of a conflict between the English version of this policy and any subsequent translation to another language, the English version shall prevail and control.

We will send you an e-mail to advise you of changes done to the english version. These changes take effect immediately.

What is the Bug Bounty program?

In order to improve Shopiro and the Services, the Shopiro Bug Bounty program offers our users the opportunity to earn a reward for identifying technical issues.

How can you communicate the results of your Bug Bounty program to us?

All such communications should be addressed to bug-bounty@shopiro.ca. In your submission, please specify a full description of the vulnerability and verifiable evidence that the vulnerability exists (explanation / steps to reproduce / screenshots / videos / scripts or other material).

Rules of the program

Violation of any of these rules may result in the ineligibility of a bonus.

  • Test for vulnerabilities only against an account you own or against accounts where you have the account owner's consent to test.
  • Never use a result to compromise / exfiltrate data or failover to other systems. Use a proof of concept only to demonstrate a problem.
  • If sensitive information such as personal information, identifying information, etc. are accessed as part of a vulnerability, they should not be recorded, stored, transferred, accessed, or otherwise handled after initial discovery.
  • Researchers cannot and are not permitted to engage in any activity that would be disruptive, harmful or detrimental to Shopiro.
  • Researchers may not publicly disclose vulnerabilities (share details with anyone other than authorized Shopiro employees), or share vulnerabilities with any third party, without Shopiro's express permission.

How do we assess the issues identified in the Bug Bounty program?

All outcomes are assessed using a risk-based approach.

Non-disclosure agreement

Before we start discussing the details related to the confirmed issues you have identified under the Bug Bounty program, including compensation, etc., you will need to enter into a nondisclosure agreement with us.

How do we pay for the Bug Bounty program rewards?

All of these rewards are paid for by Shopiro. All rewards can only be paid if they are not in violation of applicable laws and regulations, including, but not limited to, trade sanctions and economic restrictions.

How long will it take us to analyze the results of your Bug Bounty program?

Due to the variable and complex nature of the technical issues, we have not established a specific timeframe for the analysis of results under the Bug Bounty program. Our analysis is not complete until we have confirmed the existence or absence of a vulnerability.

Which cases are excluded from the Bug Bounty program?

Some vulnerabilities are considered out of the scope of the Bug Bounty program. These out-of-reach vulnerabilities include, but are not limited to:

  • Spam;
  • Vulnerabilities that require social engineering/phishing;
  • DDOS attacks;
  • Hypothetical issues that do not have any practical impact;
  • Security vulnerabilities in third-party applications and on third-party websites integrated with Shopiro;
  • Scanner output or scanner-generated reports;
  • Issues found through automated testing;
  • Publicly-released bugs in Internet software within 30 days of their disclosure;
  • Man-in-the-Middle attacks;
  • Host header injections without a specific, demonstrable impact;
  • Self-XSS, which includes any payload entered by the victim;
  • Login/logout CSRF;

More Information
If you are looking for more information regarding this Policy, you may contact us by emailing help@shopiro.ca.