Found a security issue or vulnerability in one of Mercari Group’s services? Let us know!
Ensuring the safety and security of our users is our top priority, and we appreciate all efforts to discover and disclose security vulnerabilities to us in a responsible manner.
If you would like to report a vulnerability found on the Mercari services, you can use the following form to submit a vulnerability report. *Jira account required
Alternatively, you can email the report to us at security[ @ ]mercari.com and use the PGP key specified below.
In order for us to properly investigate the vulnerability, please include the following details where possible when submitting a report:
Your name and contact email
Version and OS (iOS, Android, web) of the app affected
Vulnerability type and category
Description of potential vulnerability
Steps to reproduce the issue
Include screenshots and/or video if possible
Proof of Concept (PoC)
Expected correct behavior or workaround
Disclosure plans, if any
We will do our best to remediate vulnerabilities as quickly as possible and ask that reporters refrain from making disclosures until remediation is complete.
We take all disclosures very seriously and will do our best to respond to you as quickly as possible, verify the vulnerability, and take steps to get it remediated.
After our initial response, we will do our best to periodically update you with the status of verification / remediation of your report.
If you are unable to use our vulnerability report form and would like to secure your email communications with us, please use the following PGP key:
※At present, we do not offer a rewards program for vulnerability reports and therefore compensation for valid reports is not provided. For valid reports we may provide rewards such as novelty goods as a small token of our appreciation where possible.
Watch out for suspicious email claiming to be from Mercari