If you have a concern about your order or Redbubble account, please visit our Customer Experience Team.
If you believe that you have found a general security vulnerability in the Redbubble website, please submit a description of the vulnerability and its impact, along with reproduction steps, to firstname.lastname@example.org.
Responsible Disclosure Policy
The following guidelines apply when investigating and reporting security vulnerabilities to Redbubble:
- Please give us enough time to investigate and resolve the vulnerabilities you report to us before making them public, or sharing details of a vulnerability with others.
- In no circumstances should you:
  - exploit any security vulnerability you discover (this includes pivoting to demonstrate additional risk);
  - access or modify data from any other user without their permission (you may create new accounts to test against); or
  - do anything to negatively impact the experience of Redbubble users, such as interrupting our services or destroying data.
The Redbubble website at www.redbubble.com and associated services.
Note that the following domains are hosted by third parties and should be reported to the relevant service provider:
What Are Some Examples of Valid Vulnerabilities?
- Anything in the OWASP Top 10
- Remote code execution
- Authentication and authorization vulnerabilities
What Are Some Examples of Invalid Vulnerabilities?
- Username enumeration
- Social engineering
- Missing HttpOnly or Secure flags, browser cache vulnerabilities
- Output from automated tools without a proof of concept
- Best practices. We don't accept submissions that are simply configuration/policy suggestions
- Flaws specific to out-of-date browsers/plugins
- Usability/UI issues
If you have any questions, or would like to submit a vulnerability to us for review, please email email@example.com