Vulnerability Disclosure

Last updated: 2026-05-01

Shopsy AS appreciates security researchers who help keep Onebase safe. This page describes how to report vulnerabilities, what to expect from us, and which actions fall within coordinated disclosure.

1. How to Report

Email [email protected] with the subject "Vulnerability report". We also publish a security.txt per RFC 9116 (valid through 2027-05-01).

Please include in the report:

  • Description of the vulnerability and expected impact
  • Step-by-step reproduction
  • URLs, parameters, IPs or accounts involved
  • Your contact details if you'd like a response or credit

2. Our Response

  • Within 72 hours: Acknowledgment of receipt.
  • Within 7 days: Initial assessment and status.
  • Within 90 days: Patch or mitigation for most cases. Complex issues may take longer; you'll be kept informed.

3. Safe Harbor

Shopsy AS will not pursue or report good-faith research when you follow these guidelines:

  • Test only against your own accounts or with explicit owner consent
  • Avoid data loss, service disruption, mass email or deleting others' data
  • Do not exfiltrate more customer data than necessary to demonstrate the issue; delete copies immediately after reporting
  • Do not exploit the vulnerability for personal gain or harm
  • Give us reasonable time (usually 90 days) before public disclosure

4. Out of Scope

  • Denial-of-service attacks (DoS/DDoS)
  • Social engineering against Shopsy AS staff or customers
  • Physical intrusion into facilities or infrastructure
  • Findings that require full compromise of the victim's device or browser
  • Self-reported XSS in emails Onebase sends, where the only recipient is the reporter
  • Missing security headers without a concrete exploit

5. Recognition

With your consent, we credit researchers on a public page or in release notes when the patch ships. We do not currently offer monetary rewards, but we consider them based on the severity of the case.

6. Non-security Contact

For privacy questions, GDPR rights, or general inquiries, use the same address: [email protected].

Shopsy AS

Org. no. 933 666 603

Gustav Bjerkes veg 4 E

2040 Kløfta, Norway

[email protected]