Responsible Disclosure
At emporiva, we take the security of our customers and platform seriously. We believe in collaborating with the security community to identify and resolve vulnerabilities responsibly.
1. Our Commitment
We are committed to providing a safe and secure shopping experience. If you discover a security issue, we ask that you report it directly to us so we can investigate and resolve it promptly.
We may take 10 to 15 days to validate the reported issue.
2. Guidelines for Researchers
To ensure responsible collaboration, please follow these rules:
- Include the text "Security Testing" in any input fields you test.
- Do not exploit vulnerabilities beyond what is necessary to prove their existence.
- Do not access, modify, or delete customer data.
- Avoid any actions that could disrupt our services (e.g., DDoS, spamming).
- Give us reasonable time to investigate and fix the issue before disclosing it publicly.
3. Scope
In-scope areas include (but are not limited to):
- Our Shopify storefront and subdomains owned by Emporiva
- Customer authentication, account security, and checkout process
- APIs, integrations, or plugins directly used on our store
Out-of-scope areas include:
- Attacks requiring physical access to a device
- Social engineering, phishing, or spam
- Vulnerabilities in third-party services outside our control
4. Qualifying & Non-Qualifying Vulnerabilities
Qualifying Bugs
Reports will be considered valid if they demonstrate a real security risk, such as:
- Authentication bypass
- SQL Injection / XSS / CSRF
- Sensitive data exposure (e.g., PII, payment info)
- Privilege escalation
- Business logic flaws impacting security
Non-Qualifying Bugs
Reports that will not be considered valid include:
- Missing security best practices without a direct exploit (e.g., missing SPF/DMARC)
- Outdated browser vulnerabilities
- Denial of Service attacks
- Spam or brute force rate-limit tests
- Self-XSS (where the attacker can only execute code in their own browser)
- Vulnerabilities in third-party apps or services we do not control
5. Reporting Format
When reporting a potential issue, please include:
- Title: Short description of the issue
- Vulnerability Type: (e.g., XSS, SQL Injection, Authentication Bypass)
- Impact: What risk the vulnerability poses
- Steps to Reproduce: Clear, step-by-step instructions
- Proof of Concept (PoC): Screenshots, videos, or sample code if applicable
- Suggested Fix (optional): If you have recommendations
Send all reports to: admin@emporiva.in
6. Hall of Fame
We value contributions from the security community. Researchers who submit valid and impactful reports will be featured on our Hall of Fame page as a token of appreciation.
7. Recognition
While we do not currently offer monetary rewards, valid submissions that improve our security will be publicly acknowledged (with your consent).
8. Legal Safe Harbor
If you follow this policy when conducting your research and reporting, we will not pursue legal action against you. Responsible security research is highly valued at emporiva.
Thank you for helping us keep EMPORIVA secure.