How can I report a Website Security Vulnerability?

If you have a concern about your order or Redbubble account, please contact our Customer Success Team.


 Responsible Disclosure Policy

The following guidelines apply when investigating and reporting security vulnerabilities to Redbubble:

  • Please give us enough time to investigate and resolve the vulnerabilities you report to us before making them public, or sharing details of a vulnerability with others.
  • In no circumstances should you:
    • exploit any security vulnerability you discover (this includes pivoting to demonstrate additional risk),
    • access or modify data from any other user without their permission (you may create new accounts to test against); or
    • do anything to negatively impact the experience of Redbubble users, such as interrupting our services or destroying data.

Valid Targets

The Redbubble website at and associated services.

Note that the following domains are hosted by third parties and should be reported to the relevant service provider:


What Are Some Examples of Valid Vulnerabilities?

  • Anything in the OWASP Top 10
  • Remote code execution
  • Authentication and authorization vulnerabilities

What Are Some Examples of Invalid Vulnerabilities?

  • Username enumeration
  • Social engineering
  • Missing HttpOnly flags, Secure flag, browser cache vulnerabilities
  • Output from automated tools without a proof of concept
  • Best practices. We don't accept submissions that are simply configuration/policy suggestions
  • Flaws specific to out of date browsers/plugins
  • Usability/UI issues
  • SFP, DKIM, and DMARC configuration

Security Researchers 

If you believe that you have found a general security vulnerability in the Redbubble website, please report your finding on this form.