Report Security Issues
At Toy Box Barnsley Market, we value the efforts of security researchers who help us identify vulnerabilities to ensure the safety of our users. If you find a security vulnerability, we will not initiate a lawsuit or enforcement investigation in response to your report, provided you follow the principles outlined below.
Reporting Principles
- Reasonable Time for Review: Please allow us reasonable time to review and address the security issue before making any information public or sharing it with others.
- Respect Privacy: Do not interact with any private accounts (including modifying or accessing data from those accounts) unless the account owner has explicitly consented to such actions.
- Avoid Privacy Violations: Make an honest effort to avoid privacy violations and service disruptions, such as data destruction or interruptions to our services.
- No Exploitation: Do not exploit any security issue you discover. This includes demonstrating additional risks, such as attempting to compromise sensitive company data or seeking out more vulnerabilities.
- Comply with Laws: Ensure that you do not violate any applicable laws or regulations during your investigation.
Bounty Program
We recognize and reward security researchers who help us keep our services safe by reporting vulnerabilities. Monetary bounties for these reports are entirely at the discretion of Toy Box Barnsley Market, depending on the severity, impact, and other factors. To qualify for a bounty, please meet the following requirements:
- Follow the Reporting Principles: Adhere to the principles outlined above when submitting your report.
- Report a Valid Security Bug: You must identify a vulnerability that creates a security or privacy risk within our services or infrastructure. Note that Toy Box Barnsley Market determines the risk and severity of the issue, and not all bugs will qualify as security issues.
- Submit via Our Security Center: Please submit your report through our official security center. Do not contact individual employees directly.
- Inadvertent Privacy Violations: If you inadvertently cause a privacy violation (such as accessing account data, service configurations, or other confidential information), please disclose this in your report.
- Investigation and Response: We investigate all valid reports. Due to the high volume of submissions, we prioritize reports based on risk and other factors. It may take some time before you receive a response.
- Right to Publish: We reserve the right to publish reports related to the vulnerabilities found and reported.
Rewards
Our rewards are based on the impact of the vulnerability. We regularly update the program based on feedback, so please let us know if you have suggestions for improvement.
- Provide Detailed Reports: Please include clear, detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it may not qualify for a bounty.
- Handling Duplicate Reports: If multiple reports are submitted for the same vulnerability, we will award the first report that we can fully reproduce.
- Multiple Vulnerabilities: If one underlying issue leads to multiple vulnerabilities, we will award a single bounty for the entire issue.
- Bounty Reward Criteria: We determine the reward based on factors such as impact, ease of exploitation, and the quality of the report. The following are the maximum amounts we may award per severity level:
Critical Severity Vulnerabilities (£200)
Vulnerabilities that allow privilege escalation (e.g., from unprivileged to admin), remote code execution, or financial theft.
Examples:
- Remote Code Execution
- Remote Shell/Command Execution
- Vertical Authentication Bypass
- SQL Injection that leaks targeted data
- Full access to accounts
High Severity Vulnerabilities (£100)
Vulnerabilities affecting the safety of the platform or its core processes.
Examples:
- Lateral Authentication Bypass
- Disclosure of Sensitive Information
- Cross-Site Scripting (XSS) affecting other users
- Local File Inclusion
- Insecure Handling of Authentication Cookies
Medium Severity Vulnerabilities (£50)
Vulnerabilities that affect multiple users and require little or no user interaction to trigger.
Examples:
- Common logic design flaws or business process defects
- Insecure Object References
Low Severity Vulnerabilities
Issues affecting single users and requiring user interaction or specific conditions (e.g., Man-in-the-Middle attacks).
Examples:
- Open Redirect
- Reflected XSS
- Low Sensitivity Information Leaks