Ensuring the safety and security of our users is our top priority, and we appreciate all efforts to discover and disclose security vulnerabilities to us in a responsible manner.
If you would like to report a vulnerability found on the Mercari services, you can use the following form to submit a vulnerability report.

Alternatively you can email the report to us at vulnerability[ @ ]ml.mercari.com  and use the PGP key specified below if the content of your report is sensitive.

In order for us to properly investigate the vulnerability, please include the following details where possible when submitting a report:

• Your name and contact email
• Version and OS (iOS, Android, web) of the app affected
• Vulnerability type and category
• Description of potential vulnerability
• Steps to reproduce the issue
  • Include screenshots and/or video if possible
• Proof of Concept (PoC)
• Expected correct behavior or workaround
• Disclosure plans, if any
  • We will do our best to remediate vulnerabilities as quickly as possible and ask that reporters refrain from making disclosures until remediation is complete

We take all disclosures very seriously and will do our best to respond to you quickly as possible, verify the vulnerability, and take steps to get it remediated.
After our initial response, we will do our best to periodically update you with the status of verification / remediation of your report.

If you are unable to use our vulnerability report form and would like to secure your email communications with us, please use the following PGP key:

※At present, we do not offer a rewards program for vulnerability reports and therefore compensation for valid reports is not provided. For valid reports we may provide rewards such as novelty goods as a small token of our appreciation where possible.

Please do not discuss vulnerabilities with regards to this program without express consent from the organization.

At present, we do not offer a rewards program for vulnerability reports and therefore in general compensation for reports is not provided. However, for valid reports we may provide rewards such as swag/novelty goods (t-shirts, etc.) as a small token of our appreciation where possible.

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, we will not accept the report.
• Submit one individual submission for each vulnerability you would like to report, unless you need to include multiple vulnerabilities in a single report to further demonstrate the impact of the issue you are reporting
• When we receive duplicate reports (i.e. a report of an issue we are already aware of), we only award the first report that was received (provided that it can be fully reproduced)
• Social engineering (e.g. phishing, vishing, smishing) is prohibited, and is not recognized by our vulnerability report window
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder
• Keep exploitation of assets and systems to the minimum, only going so far as to establish evidence of exploitability (e.g. if a SQL injection issue can be found, use the least invasive method to show feasibility, as opposed to dumping multiple records of confidential data)
• Do not engage in any activity that could harm Mercari, our customers, or our employees
• Do not engage in any activity that can potentially or actually stop or degrade Mercari’s services or assets
• Do not initiate or facilitate any fraudulent transactions
• Do not share, compromise or disclose any personally identifiable information
• You must comply with all applicable laws and regulations in connection with your security research activities and your participation in this program
• You must allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter
• You must not disclose any potential or actual vulnerability to any other person or to the public without the prior written permission of Mercari
• If your submission potentially or actually relates to a Mercari third-party vendor, Mercari reserves the right to forward your submission to the affected party

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Any physical attempts against Mercari property (infrastructure, facilities, offices, data centers, etc…)
• Social engineering (including phishing) of Mercari staff or contractors
• Any activity that could lead to the disruption of our service (DoS, DDoS, etc…
• Public zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case-by-case basis
• Third-party API keys/secrets embedded in mobile applications, without a clear impact, as many third-parties require this for their own client attribution purposes
• Issues regarding any non-Mercari applications
• Issues regarding out-of-date versions of Mercari’s applications
• User enumeration attacks – unless you can demonstrate that we don’t have any rate limiting in place to protect our users
• Password reuse attacks – unless you can demonstrate that we don’t have any rate limits in place to protect our users
• Open redirect – unless additional security impact beyond simple redirect abuse can be demonstrated (e.g. the use of redirects for phishing alone is not deemed to be of sufficient impact)
• Broken Link Hijacking – unless additional security impact beyond simple redirect abuse can be demonstrated (e.g. the use of redirects for phishing alone is not deemed to be of sufficient impact)
• Clickjacking on pages with no sensitive actions
• Missing or misconfigured security headers without proof-of-concept demonstrating exploit (content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options, HSTS, etc.)
• Host header injection – unless an additional security impact can be demonstrated
• Previously known vulnerable libraries without a working proof-of-concept
• Missing best practices in Content Security Policy
• TLS/SSL version, configuration, weak ciphers or expired certificates
• Lack of HTTPOnly or Secure flags on non-session cookies
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Self-XSS
• Autocomplete enabled
• Tab-nabbing
• Spamming
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc…)
• Software version disclosure / Banner identification issues / descriptive error messages or headers (e.g., stack traces, application, or server errors) unless an additional security impact can be demonstrated
• Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc…
• Homographs, RTLO, or other types of UI issues
• GPS spoofing – unless an additional security impact can be demonstrated
• Leverage black hat SEO techniques
• Account squatting by preventing users from registering with certain email addresses
• Issues that require unlikely user interaction unless an additional security impact can be demonstrated
• Unconfirmed reports from automated tools & vulnerability scanners
• Unauthenticated cache purging
• Misconfigurations and vulnerabilities in 3rd parties

By responsibly submitting your findings to Mercari in accordance with these guidelines, Mercari agrees not to pursue legal action against you. Mercari reserves all legal rights in the event of noncompliance with these guidelines. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for your responsible disclosure and helping to keep Mercari users safe and secure!