Responsible Disclosure Guidelines

Reporting a Vulnerability

Found a security issue or vulnerability in one of Mercari Group’s services? Let us know!

Responsible Disclosure Guidelines

Ensuring the safety and security of our products is a top priority, and we appreciate all efforts and research that is done to discover and responsibly disclose vulnerabilities in our products.

If you identify a vulnerability in any of our services, please report it as soon as possible via the form below following our disclosure guidelines.

Report Form

Alternatively, you can email the report to us at vulnerability[ @ ]ml.mercari.com and use the PGP key specified below.

Responsible Disclosure

We take all disclosures very seriously and will do our best to promptly verify the vulnerability and respond to reporters. The security team will take steps to remediate confirmed vulnerabilities as soon as possible and will keep the reporter updated on the remediation process. Please do not disclose any vulnerabilities identified through this program to third parties without express consent from the Mercari Group.

Submission Guidelines

  • Provide detailed reports with reproducible steps. Reports lacking sufficient details will not be accepted. 
  • Submit an individual report for each vulnerability, unless you need to include multiple vulnerabilities in a single report to demonstrate the impact of the issue you are reporting.

In order for us to conduct a thorough examination of reported vulnerabilities, please include the following in your report where applicable:

  • Your name and contact email
    • We may use this information to follow up with you for additional details about the vulnerability
  • Version and platform (iOS, Android, web) of the affected app
  • Vulnerability type and category
  • Description of potential vulnerability
  • Steps to reproduce the issue
    • Include screenshots and/or video if possible
  • Proof of Concept (PoC)
  • Expected behavior and, if you have one, a suggested fix or workaround
  • Disclosure plans, if any
    • We will do our best to remediate vulnerabilities as quickly as possible and we ask that reporters refrain from making disclosures until the remediation is complete

Program Rules

  • Do not disclose any potential or confirmed vulnerabilities identified through this program to third parties without express consent from the Mercari Group
  • You must comply with all applicable laws and regulations while conducting your security research activities and participating in this program
  • You must allow us a reasonable time to investigate and respond prior to contacting anyone else about potentially discovered vulnerabilities
  • If your submission potentially or actually relates to a Mercari third-party vendor, Mercari reserves the right to forward your submission to the affected party
  • Social engineering (e.g. phishing, vishing, smishing) is strictly prohibited, and reports based on it will not be accepted
  • Do not exploit the vulnerability beyond the extent necessary for the vulnerability confirmation
  • Do not engage in any activity that could harm the Mercari Group, our customers, or our employees
  • Do not engage in any activity that can negatively impact the Mercari Group services or assets
  • Do not attempt to interact with accounts you do not own 
  • Do not initiate or facilitate any fraudulent transactions
  • If you discover sensitive information (PII, financial information, etc.), stop testing immediately and inform us; do not disclose that information to third parties
  • Do not exfiltrate, modify, or delete any data from our systems, and do not make changes to systems

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Any physical attempts against Mercari Group property (infrastructure, facilities, offices, data centers, etc…)
  • Social engineering (including phishing) of Mercari Group staff or contractors
  • Any activity that could lead to the disruption of our service (DoS, DDoS, etc.)
  • Publicly known zero-day vulnerabilities whose official patch has been available for less than 30 days (these are handled on a case-by-case basis)
  • Third-party API keys/secrets embedded in mobile applications, without a clear impact, as many third parties require this for their own client attribution purposes
  • Issues regarding any applications that are not directly owned by us
  • Issues regarding out-of-date versions of our applications
  • User enumeration attacks – unless you can demonstrate that we don’t have any rate limiting in place to protect our users
  • Password reuse (credential stuffing) attacks – unless you can demonstrate that we don't have any rate limits in place to protect our users
  • Open redirect – unless additional security impact beyond simple redirect abuse can be demonstrated (e.g. the use of redirects for phishing alone is not deemed to be of sufficient impact)
  • Broken link hijacking – unless additional security impact beyond taking over the dangling link itself can be demonstrated (e.g. using the hijacked link for phishing alone is not deemed to be of sufficient impact)
  • Clickjacking on pages with no sensitive actions
  • Missing or misconfigured security headers without proof-of-concept demonstrating exploit (content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options, HSTS, etc.)
  • Host header injection – unless an additional security impact can be demonstrated
  • Previously known vulnerable libraries without a working proof-of-concept
  • Missing best practices in Content Security Policy
  • TLS/SSL version, configuration, weak ciphers, or expired certificates
  • Lack of HttpOnly or Secure flags on non-session cookies
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Lack of a captcha on forms with no sensitive actions
  • Bruteforcing of the login form without bypassing SMS OTP or other authentication methods
  • Self-XSS
  • Autocomplete enabled
  • Tab-nabbing
  • Spamming
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Software version disclosure / Banner identification issues / descriptive error messages or headers (e.g., stack traces, application, or server errors) unless an additional security impact can be demonstrated
  • Unrestricted file uploads without a clear impact beyond resource consumption, DoS, undesirable content, etc.
  • Homographs, RTLO, or other types of UI issues
  • GPS spoofing – unless an additional security impact can be demonstrated
  • Use of black hat SEO techniques
  • Account squatting by preventing users from registering with certain email addresses
  • Issues that require unlikely user interaction unless an additional security impact can be demonstrated
  • Unconfirmed reports from automated tools & vulnerability scanners
  • Unauthenticated cache purging
  • Misconfigurations and vulnerabilities in 3rd party services

Secure Communications

If you are unable to use our vulnerability report form and would like to secure your email communications with us, please use the following PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF7zEV4BEADUPOY8BdIsdRYpEq+3LmhMpLeIlZJwChaYuYN5X3476gBFj1GO
3MYLnCiq22SQUybcPKkv8Z/jVtVtZVuHSbfwt0ygx26mgI8+bUxI33kLXsNQjhWi
qCYFXso0TeXS4EHvdO47Gd0LUP9FeBMMbwfOHZDkFJpe2drUJhTwXcMqQmDfgCPs
IOAIGd99cIgsemCuS22rDKaLoGbruKczF7NEgPyFYenhhGNB3l0fWUt0/zow/3cn
0Zv7v5VhmH4QkVOamLtonnGcpbalRf8Gg2mPtCD3M+IraHsSgRBc1KTSSh0GkXCM
wkPJFBxogz2Zv1FsKXk7vMJWmM13nanMtW56fkTiLuByW2egEzC2Fp1m6i5XLrw3
Ioai53GMgxOw+O2VYrR6JrBzCaE8YhzI5bFEgc9XSQ8cuRoxakDn2wvZoT0R/YDb
PZu/un/ZMpD9pK7A5GzeHcnJHD5u9kLu4TAl80Liyi8X2inFoMmoUP9yETp+OqaM
RDMWlUtXW+1qpz6JZnXuJSfIhB0Ihru0ks13PEJdZdIzvGT7B2HCCSptA8yGAjSC
CPKCautBDaAvyhJp2JbGAJPdJ8UEVaXVyeA5avV2EuKJNXwP5AVMPvVoZV47nBPG
kYH3l4FWwssKN+/UVe95bspBd/74VsaA0VU/UYQTIRoX/+b/AdkXEGiaJwARAQAB
tCxNZXJjYXJpIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1lcmNhcmkuY29tPokC
VAQTAQgAPhYhBBOdCLzrvTyPzrtY+ETEAtRfLRyxBQJe8xFeAhsDBQkHhh+ABQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEETEAtRfLRyxWgoP/jfRhdlGm86L9/DY
iQbGFqSL8dzmTTQFe3BSE83EH7v4FfmBQpd0ce12PJMc3Y4L1MFQ3fJdrwPgEPB4
LPHGItfl0IfqPS7/Ru45mIVx02ZGgsWfh5XKZ2UN5gbc/bW0GgoNtsKCAQFQZ2G8
tPmhOZTbcTImFSyeFu/YJOAFv6gXSVBq87afj8ZePBVQ6w/s0Zrmn7NrnWDmwECD
UqTFdObCYNBPnAx7wqgyH4tiW0OxiB7S92S4tzfqYFlAva3onDAt5FNhUIyEKcMu
dQSnyeBGTWgrdaiT/pbsNuFsp/U0aXDKRJTAs6/rhgOUJoEPmOrNxQi0AqhWoeEy
68OcRFxtAxijLLpbriQk5MNtOKhE/zOvIG/yO72rVAbT4Jat6oQuJcZzr0DO0W16
CL6zgClpHwa4BC1qwGOfj0vyhwOOkwnyHt5dXhod/YadpUw5uIVdAOHLJ+6tEC36
v3zj3lQ9s0iud6TTy9EEVYC6G9lwkq8JybIRSh8yVGYd0yDEKZszvYn9anxfry4T
CoukqacYhQMXC/AM0RNETl7SmdrglK0XlvHlZqaAMPqdIAmVseAiwUUHj+XLQYH1
mXDRXnv0te0o9PM1dyA4I+d8et4gFE5DLvH2xfmzeUXcSYdaBolBiQihnNf7kWj+
8E9dLmau2bJn/7SpXFDAJhKJ+U7VuQINBF7zEV4BEADNc776NslA+ClR39ydRmPH
GXazJX+6d7Wz55MnNZMZ4BNqbjXSx55C5ZrRjZdn8/21leZdCXtAZZ8YYBS/tT1p
s/8+yjaGj0jvbnZNc7Mcz9VHjItU0SQVqL+tE5qqgY2US1OEHQnWntBrIDGtFZhR
XsTMtaIaXitmIlyfu907ezp93ez4nlY8lyZAe44cX7DlUHMbo1JwvTVYLLXHKzYW
HSvVnxPaR0pxxLyzU0xFzV2gi/7gS+OutoAn/b7Q69rLq+RbrqRxLKhQPSEkxf1w
jaNIx0a0pFY7gCiyUaMuafdHAR091KNfL/pPygXv8DGq8pqiJ3HpdUcznGQRvLic
MJgv+WzR76sFg1M4PlhlxXZR+ln3vKgp58yyiLuPl0QZcfXoZHxvE03lY0qnT/aC
6zLXlG1CotPCQ8aBEoYY1V1bUSI8arVT4dpHktjYOvoGdV4Geo9VlRyS70tfeUPr
EVaCec6XgA1QWWPzHevQYwRRZVQ400lSnN7qxmJ0I39Ea1QFAPdv8iHDJL0XW9C8
VjKjzgvULsBwQoXXTfV2AFo4tPz+AzT+yV7Unni6TJ49PW6CNvWMohyXI/tYcrPR
8Hx82ay5QH2mHluehozlo8m/hwvW/J7uWxFQut7uLE9ckWklYj1pCuK0WweoUibI
30KKA83wckiAfgxeV1jVwQARAQABiQI8BBgBCAAmFiEEE50IvOu9PI/Ou1j4RMQC
1F8tHLEFAl7zEV4CGwwFCQeGH4AACgkQRMQC1F8tHLH3sBAAwXGSFXmfOAXGB+pI
13Be+vhQ3BXK+GIcx6kx8xnpuQrPMcPS05aWQDJQz82qYcEtevx5AmmTV/JjYQCv
EWYhOlXHgFVJRzb0HFt6zO8jkaX4eN0XObZ2vDmCVjgWzfCHq9EnJAn5ULEm1nkD
SAXWSjLsQA612FvAPLHmOE9wS5KWHjoX3xA2IPBi67O9G4YvdD0S/eiFjgu5gno5
qtB7KnnhEroPJPP56ZDIatjN9Y9XycrZbVYtbFPstRn0I59R1DGKuqVOCVIt6GcD
DgWaHsvr4vUX1sJzUArCOXxIym2Ryn5EXfI2R4B5pspbkpbxor2JtsvtQSg8VkqN
lAEUl0aV4d1CGol03i1s53ZzVzuSaueZ/mRXm3bkXvC186tecjA8NNUNQ+w3enrX
y0z3Z95rx2jcP33b18BMvFdm3FvUu++kJl8oNy8oVPLmIHRsCxIF1+Kw37psJa/k
khDmL4NmVsQD50cIZa2vUqaYMxvpDcFMICAvPJx9AdV1Y8NtHLOE/0K5vvAHMGEu
jbkKYjlQ0fl7epAq3omWkF/y2PLChupqgoTtb/sPw1/m54XljFigj8oukxtsXvrq
A7cGnh4/+4Ai4ThWF3gKDdCccney0JdbPdN/9CxlkH2fQgwDlU2BW8AWQmsbd1nC
uR7pv1ZH72//tAy9atj3QaO61Nw=
=A4SH
-----END PGP PUBLIC KEY BLOCK-----
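Before encrypting a report to a key copied off a web page, check that what you pasted is intact and that it is the key the security team actually holds: verify the armor checksum, compute the primary key's fingerprint yourself, and compare it with a fingerprint obtained through a second channel (the team itself, a keyserver, or a signed statement), not with the page you got the key from. The script below is an added example for this page, not Mercari's code; it uses only the Python standard library and embeds the armored key exactly as printed above as its input. It assumes a v4 key (which this one is, an RSA key with one user ID and one subkey), so it does not handle v5/v6 fingerprints or partial-body packet lengths.

```python
import base64
import hashlib

# The key published on this page, embedded verbatim so the check runs offline.
MERCARI_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF7zEV4BEADUPOY8BdIsdRYpEq+3LmhMpLeIlZJwChaYuYN5X3476gBFj1GO3MYLnCiq22SQUybcPKkv8Z/jVtVtZVuHSbfwt0ygx26mgI8+bUxI33kLXsNQjhWi
qCYFXso0TeXS4EHvdO47Gd0LUP9FeBMMbwfOHZDkFJpe2drUJhTwXcMqQmDfgCPsIOAIGd99cIgsemCuS22rDKaLoGbruKczF7NEgPyFYenhhGNB3l0fWUt0/zow/3cn
0Zv7v5VhmH4QkVOamLtonnGcpbalRf8Gg2mPtCD3M+IraHsSgRBc1KTSSh0GkXCMwkPJFBxogz2Zv1FsKXk7vMJWmM13nanMtW56fkTiLuByW2egEzC2Fp1m6i5XLrw3
Ioai53GMgxOw+O2VYrR6JrBzCaE8YhzI5bFEgc9XSQ8cuRoxakDn2wvZoT0R/YDbPZu/un/ZMpD9pK7A5GzeHcnJHD5u9kLu4TAl80Liyi8X2inFoMmoUP9yETp+OqaM
RDMWlUtXW+1qpz6JZnXuJSfIhB0Ihru0ks13PEJdZdIzvGT7B2HCCSptA8yGAjSCCPKCautBDaAvyhJp2JbGAJPdJ8UEVaXVyeA5avV2EuKJNXwP5AVMPvVoZV47nBPG
kYH3l4FWwssKN+/UVe95bspBd/74VsaA0VU/UYQTIRoX/+b/AdkXEGiaJwARAQABtCxNZXJjYXJpIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1lcmNhcmkuY29tPokC
VAQTAQgAPhYhBBOdCLzrvTyPzrtY+ETEAtRfLRyxBQJe8xFeAhsDBQkHhh+ABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEETEAtRfLRyxWgoP/jfRhdlGm86L9/DY
iQbGFqSL8dzmTTQFe3BSE83EH7v4FfmBQpd0ce12PJMc3Y4L1MFQ3fJdrwPgEPB4LPHGItfl0IfqPS7/Ru45mIVx02ZGgsWfh5XKZ2UN5gbc/bW0GgoNtsKCAQFQZ2G8
tPmhOZTbcTImFSyeFu/YJOAFv6gXSVBq87afj8ZePBVQ6w/s0Zrmn7NrnWDmwECDUqTFdObCYNBPnAx7wqgyH4tiW0OxiB7S92S4tzfqYFlAva3onDAt5FNhUIyEKcMu
dQSnyeBGTWgrdaiT/pbsNuFsp/U0aXDKRJTAs6/rhgOUJoEPmOrNxQi0AqhWoeEy68OcRFxtAxijLLpbriQk5MNtOKhE/zOvIG/yO72rVAbT4Jat6oQuJcZzr0DO0W16
CL6zgClpHwa4BC1qwGOfj0vyhwOOkwnyHt5dXhod/YadpUw5uIVdAOHLJ+6tEC36v3zj3lQ9s0iud6TTy9EEVYC6G9lwkq8JybIRSh8yVGYd0yDEKZszvYn9anxfry4T
CoukqacYhQMXC/AM0RNETl7SmdrglK0XlvHlZqaAMPqdIAmVseAiwUUHj+XLQYH1mXDRXnv0te0o9PM1dyA4I+d8et4gFE5DLvH2xfmzeUXcSYdaBolBiQihnNf7kWj+
8E9dLmau2bJn/7SpXFDAJhKJ+U7VuQINBF7zEV4BEADNc776NslA+ClR39ydRmPHGXazJX+6d7Wz55MnNZMZ4BNqbjXSx55C5ZrRjZdn8/21leZdCXtAZZ8YYBS/tT1p
s/8+yjaGj0jvbnZNc7Mcz9VHjItU0SQVqL+tE5qqgY2US1OEHQnWntBrIDGtFZhRXsTMtaIaXitmIlyfu907ezp93ez4nlY8lyZAe44cX7DlUHMbo1JwvTVYLLXHKzYW
HSvVnxPaR0pxxLyzU0xFzV2gi/7gS+OutoAn/b7Q69rLq+RbrqRxLKhQPSEkxf1wjaNIx0a0pFY7gCiyUaMuafdHAR091KNfL/pPygXv8DGq8pqiJ3HpdUcznGQRvLic
MJgv+WzR76sFg1M4PlhlxXZR+ln3vKgp58yyiLuPl0QZcfXoZHxvE03lY0qnT/aC6zLXlG1CotPCQ8aBEoYY1V1bUSI8arVT4dpHktjYOvoGdV4Geo9VlRyS70tfeUPr
EVaCec6XgA1QWWPzHevQYwRRZVQ400lSnN7qxmJ0I39Ea1QFAPdv8iHDJL0XW9C8VjKjzgvULsBwQoXXTfV2AFo4tPz+AzT+yV7Unni6TJ49PW6CNvWMohyXI/tYcrPR
8Hx82ay5QH2mHluehozlo8m/hwvW/J7uWxFQut7uLE9ckWklYj1pCuK0WweoUibI30KKA83wckiAfgxeV1jVwQARAQABiQI8BBgBCAAmFiEEE50IvOu9PI/Ou1j4RMQC
1F8tHLEFAl7zEV4CGwwFCQeGH4AACgkQRMQC1F8tHLH3sBAAwXGSFXmfOAXGB+pI13Be+vhQ3BXK+GIcx6kx8xnpuQrPMcPS05aWQDJQz82qYcEtevx5AmmTV/JjYQCv
EWYhOlXHgFVJRzb0HFt6zO8jkaX4eN0XObZ2vDmCVjgWzfCHq9EnJAn5ULEm1nkDSAXWSjLsQA612FvAPLHmOE9wS5KWHjoX3xA2IPBi67O9G4YvdD0S/eiFjgu5gno5
qtB7KnnhEroPJPP56ZDIatjN9Y9XycrZbVYtbFPstRn0I59R1DGKuqVOCVIt6GcDDgWaHsvr4vUX1sJzUArCOXxIym2Ryn5EXfI2R4B5pspbkpbxor2JtsvtQSg8VkqN
lAEUl0aV4d1CGol03i1s53ZzVzuSaueZ/mRXm3bkXvC186tecjA8NNUNQ+w3enrXy0z3Z95rx2jcP33b18BMvFdm3FvUu++kJl8oNy8oVPLmIHRsCxIF1+Kw37psJa/k
khDmL4NmVsQD50cIZa2vUqaYMxvpDcFMICAvPJx9AdV1Y8NtHLOE/0K5vvAHMGEujbkKYjlQ0fl7epAq3omWkF/y2PLChupqgoTtb/sPw1/m54XljFigj8oukxtsXvrq
A7cGnh4/+4Ai4ThWF3gKDdCccney0JdbPdN/9CxlkH2fQgwDlU2BW8AWQmsbd1nCuR7pv1ZH72//tAy9atj3QaO61Nw=
=A4SH
-----END PGP PUBLIC KEY BLOCK-----"""


def crc24(data: bytes) -> int:
    """OpenPGP radix-64 checksum (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str):
    """Strip the ASCII armor; return (packet bytes, checksum_line_matches)."""
    lines = [line.strip() for line in armored.strip().splitlines()][1:-1]  # drop BEGIN/END
    if "" in lines:                              # armor headers, if any, end at the first blank line
        lines = lines[lines.index("") + 1:]
    data = base64.b64decode("".join(line for line in lines if not line.startswith("=")))
    crc_line = next((line[1:] for line in lines if line.startswith("=")), "")
    return data, crc_line != "" and base64.b64decode(crc_line) == crc24(data).to_bytes(3, "big")


def packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        first = data[i]
        if not first & 0x80:
            raise ValueError("not a packet header at offset %d" % i)
        if first & 0x40:                                  # new format (RFC 4880 4.2.2)
            tag, n = first & 0x3F, data[i + 1]
            if n < 192:
                hdr, length = 2, n
            elif n < 224:
                hdr, length = 3, ((n - 192) << 8) + data[i + 2] + 192
            elif n == 255:
                hdr, length = 6, int.from_bytes(data[i + 2:i + 6], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old format (RFC 4880 4.2.1)
            tag, size = (first >> 2) & 0x0F, (1, 2, 4, 0)[first & 0x03]
            hdr = 1 + size
            length = int.from_bytes(data[i + 1:i + hdr], "big") if size else len(data) - i - 1
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def inspect_key(armored: str) -> dict:
    """Facts about the primary key to compare against an out-of-band source."""
    data, crc_ok = dearmor(armored)
    info = {"crc_ok": crc_ok, "uids": [], "packet_tags": []}
    for tag, body in packets(data):
        info["packet_tags"].append(tag)
        if tag == 6 and body[0] == 4:                  # v4 public-key packet (RFC 4880 5.5.2)
            info["created"] = int.from_bytes(body[1:5], "big")    # creation time, unix seconds
            info["algorithm"] = body[5]                             # 1 = RSA
            info["bits"] = int.from_bytes(body[6:8], "big")        # bit length of first MPI (RSA n)
            # v4 fingerprint: SHA-1 over 0x99, the two-byte body length, and the body (RFC 4880 12.2)
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()
            info["fingerprint"] = fpr.hex().upper()
            info["key_id"] = fpr[-8:].hex().upper()                # long key ID = low 64 bits
        elif tag == 13:                                # user ID packet (RFC 4880 5.11)
            info["uids"].append(body.decode("utf-8"))
    return info


if __name__ == "__main__":
    print(inspect_key(MERCARI_KEY))   # compare "fingerprint" with the value you obtained out of band
```

For the key as printed on this page the script reports a 4096-bit RSA key with fingerprint 139D08BC EBBD3C8F CEBB58F8 44C402D4 5F2D1CB1 and the user ID "Mercari Security Team <security@mercari.com>"; `gpg --show-keys` on the saved file should print the same fingerprint. Note that the user ID names security@mercari.com, not the vulnerability[ @ ]ml.mercari.com reporting address, so select the recipient by fingerprint rather than by e-mail address: `gpg --import mercari.asc`, then `gpg --encrypt --armor --recipient 139D08BCEBBD3C8FCEBB58F844C402D45F2D1CB1 report.txt`. A checksum mismatch or an unexpected fingerprint means the key was corrupted in transit or is not the one you were meant to use; do not encrypt to it.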

Rewards

Currently, we do not offer any remuneration for vulnerability reports. However, for valid reports, we may offer rewards such as swag or novelty goods (t-shirts, etc.) as a small token of our appreciation.

Please note that due to factors beyond our control (e.g., local import laws, shipping restrictions, and international logistics), we may be unable to deliver these rewards to certain countries.

If we receive duplicate reports (i.e. a report of an issue we are already aware of), only the first report will be rewarded (provided that it can be fully reproduced).

Safe Harbor

Mercari Group will not pursue legal action related to your activities of identifying vulnerabilities as long as you follow the responsible disclosure guidelines outlined above. Mercari Group reserves all legal rights in the event of non-compliance with these guidelines. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for your responsible disclosure and for helping to keep Mercari users safe and secure!
