Ensuring the safety and security of our users is our top priority, and we appreciate all efforts to discover and disclose security vulnerabilities to us in a responsible manner.
If you would like to report a vulnerability found on the Mercari services, you can use the following form to submit a vulnerability report.
*Jira account required
Alternatively you can email the report to us at security[ @ ]mercari.com and use the PGP key specified below.
In order for us to properly investigate the vulnerability, please include the following details where possible when submitting a report:
- Your name and contact email
- Version and OS (iOS, Android, web) of the app affected
- Vulnerability type and category
- Description of potential vulnerability
- Steps to reproduce the issue
- Include screenshots and/or video if possible
- Proof of Concept (PoC)
- Expected correct behavior or workaround
- Disclosure plans, if any
- We will do our best to remediate vulnerabilities as quickly as possible and ask that reporters refrain from making disclosures until remediation is complete
We take all disclosures very seriously and will do our best to respond to you quickly as possible, verify the vulnerability, and take steps to get it remediated.
After our initial response, we will do our best to periodically update you with the status of verification / remediation of your report.
If you are unable to use our vulnerability report form and would like to secure your email communications with us, please use the following PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF7zEV4BEADUPOY8BdIsdRYpEq+3LmhMpLeIlZJwChaYuYN5X3476gBFj1GO 3MYLnCiq22SQUybcPKkv8Z/jVtVtZVuHSbfwt0ygx26mgI8+bUxI33kLXsNQjhWi qCYFXso0TeXS4EHvdO47Gd0LUP9FeBMMbwfOHZDkFJpe2drUJhTwXcMqQmDfgCPs IOAIGd99cIgsemCuS22rDKaLoGbruKczF7NEgPyFYenhhGNB3l0fWUt0/zow/3cn 0Zv7v5VhmH4QkVOamLtonnGcpbalRf8Gg2mPtCD3M+IraHsSgRBc1KTSSh0GkXCM wkPJFBxogz2Zv1FsKXk7vMJWmM13nanMtW56fkTiLuByW2egEzC2Fp1m6i5XLrw3 Ioai53GMgxOw+O2VYrR6JrBzCaE8YhzI5bFEgc9XSQ8cuRoxakDn2wvZoT0R/YDb PZu/un/ZMpD9pK7A5GzeHcnJHD5u9kLu4TAl80Liyi8X2inFoMmoUP9yETp+OqaM RDMWlUtXW+1qpz6JZnXuJSfIhB0Ihru0ks13PEJdZdIzvGT7B2HCCSptA8yGAjSC CPKCautBDaAvyhJp2JbGAJPdJ8UEVaXVyeA5avV2EuKJNXwP5AVMPvVoZV47nBPG kYH3l4FWwssKN+/UVe95bspBd/74VsaA0VU/UYQTIRoX/+b/AdkXEGiaJwARAQAB tCxNZXJjYXJpIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1lcmNhcmkuY29tPokC VAQTAQgAPhYhBBOdCLzrvTyPzrtY+ETEAtRfLRyxBQJe8xFeAhsDBQkHhh+ABQsJ CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEETEAtRfLRyxWgoP/jfRhdlGm86L9/DY iQbGFqSL8dzmTTQFe3BSE83EH7v4FfmBQpd0ce12PJMc3Y4L1MFQ3fJdrwPgEPB4 LPHGItfl0IfqPS7/Ru45mIVx02ZGgsWfh5XKZ2UN5gbc/bW0GgoNtsKCAQFQZ2G8 tPmhOZTbcTImFSyeFu/YJOAFv6gXSVBq87afj8ZePBVQ6w/s0Zrmn7NrnWDmwECD UqTFdObCYNBPnAx7wqgyH4tiW0OxiB7S92S4tzfqYFlAva3onDAt5FNhUIyEKcMu dQSnyeBGTWgrdaiT/pbsNuFsp/U0aXDKRJTAs6/rhgOUJoEPmOrNxQi0AqhWoeEy 68OcRFxtAxijLLpbriQk5MNtOKhE/zOvIG/yO72rVAbT4Jat6oQuJcZzr0DO0W16 CL6zgClpHwa4BC1qwGOfj0vyhwOOkwnyHt5dXhod/YadpUw5uIVdAOHLJ+6tEC36 v3zj3lQ9s0iud6TTy9EEVYC6G9lwkq8JybIRSh8yVGYd0yDEKZszvYn9anxfry4T CoukqacYhQMXC/AM0RNETl7SmdrglK0XlvHlZqaAMPqdIAmVseAiwUUHj+XLQYH1 mXDRXnv0te0o9PM1dyA4I+d8et4gFE5DLvH2xfmzeUXcSYdaBolBiQihnNf7kWj+ 8E9dLmau2bJn/7SpXFDAJhKJ+U7VuQINBF7zEV4BEADNc776NslA+ClR39ydRmPH GXazJX+6d7Wz55MnNZMZ4BNqbjXSx55C5ZrRjZdn8/21leZdCXtAZZ8YYBS/tT1p s/8+yjaGj0jvbnZNc7Mcz9VHjItU0SQVqL+tE5qqgY2US1OEHQnWntBrIDGtFZhR XsTMtaIaXitmIlyfu907ezp93ez4nlY8lyZAe44cX7DlUHMbo1JwvTVYLLXHKzYW HSvVnxPaR0pxxLyzU0xFzV2gi/7gS+OutoAn/b7Q69rLq+RbrqRxLKhQPSEkxf1w jaNIx0a0pFY7gCiyUaMuafdHAR091KNfL/pPygXv8DGq8pqiJ3HpdUcznGQRvLic MJgv+WzR76sFg1M4PlhlxXZR+ln3vKgp58yyiLuPl0QZcfXoZHxvE03lY0qnT/aC 6zLXlG1CotPCQ8aBEoYY1V1bUSI8arVT4dpHktjYOvoGdV4Geo9VlRyS70tfeUPr EVaCec6XgA1QWWPzHevQYwRRZVQ400lSnN7qxmJ0I39Ea1QFAPdv8iHDJL0XW9C8 VjKjzgvULsBwQoXXTfV2AFo4tPz+AzT+yV7Unni6TJ49PW6CNvWMohyXI/tYcrPR 8Hx82ay5QH2mHluehozlo8m/hwvW/J7uWxFQut7uLE9ckWklYj1pCuK0WweoUibI 30KKA83wckiAfgxeV1jVwQARAQABiQI8BBgBCAAmFiEEE50IvOu9PI/Ou1j4RMQC 1F8tHLEFAl7zEV4CGwwFCQeGH4AACgkQRMQC1F8tHLH3sBAAwXGSFXmfOAXGB+pI 13Be+vhQ3BXK+GIcx6kx8xnpuQrPMcPS05aWQDJQz82qYcEtevx5AmmTV/JjYQCv EWYhOlXHgFVJRzb0HFt6zO8jkaX4eN0XObZ2vDmCVjgWzfCHq9EnJAn5ULEm1nkD SAXWSjLsQA612FvAPLHmOE9wS5KWHjoX3xA2IPBi67O9G4YvdD0S/eiFjgu5gno5 qtB7KnnhEroPJPP56ZDIatjN9Y9XycrZbVYtbFPstRn0I59R1DGKuqVOCVIt6GcD DgWaHsvr4vUX1sJzUArCOXxIym2Ryn5EXfI2R4B5pspbkpbxor2JtsvtQSg8VkqN lAEUl0aV4d1CGol03i1s53ZzVzuSaueZ/mRXm3bkXvC186tecjA8NNUNQ+w3enrX y0z3Z95rx2jcP33b18BMvFdm3FvUu++kJl8oNy8oVPLmIHRsCxIF1+Kw37psJa/k khDmL4NmVsQD50cIZa2vUqaYMxvpDcFMICAvPJx9AdV1Y8NtHLOE/0K5vvAHMGEu jbkKYjlQ0fl7epAq3omWkF/y2PLChupqgoTtb/sPw1/m54XljFigj8oukxtsXvrq A7cGnh4/+4Ai4ThWF3gKDdCccney0JdbPdN/9CxlkH2fQgwDlU2BW8AWQmsbd1nC uR7pv1ZH72//tAy9atj3QaO61Nw= =A4SH -----END PGP PUBLIC KEY BLOCK-----
※At present, we do not offer a rewards program for vulnerability reports and therefore compensation for valid reports is not provided. For valid reports we may provide rewards such as novelty goods as a small token of our appreciation where possible.
Please do not discuss vulnerabilities with regards to this program without express consent from the organization.
At present, we do not offer a rewards program for vulnerability reports and therefore in general compensation for reports is not provided. However, for valid reports we may provide rewards such as swag/novelty goods (t-shirts/hoodies,etc) as a small token of our appreciation where possible.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, we will not accept the report.
- Submit one individual submission for each vulnerability you would like to report, unless you need to include multiple vulnerabilities in a single report to further demonstrate the impact of the issue you are reporting
- When we receive duplicate reports (i.e. a report of an issue we are already aware of), we only award the first report that was received (provided that it can be fully reproduced)
- Social engineering (e.g. phishing, vishing, smishing) is prohibited, and is not recognized by our vulnerability report window
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder
- Keep exploitation of assets and systems to the minimum, only going so far as to establish evidence of exploitability (e.g. if a SQL injection issue can be found, use the least invasive method to show feasibility, as opposed to dumping multiple records of confidential data)
- Do not engage in any activity that could harm Mercari, our customers, or our employees
- Do not engage in any activity that can potentially or actually stop or degrade Mercari’s services or assets
- Do not initiate or facilitate any fraudulent transactions
- Do not share, compromise or disclose any personally identifiable information
- You must comply with all applicable laws and regulations in connection with your security research activities and your participation in this program
- You must allow us a reasonable opportunity to investigate and respond prior to contacting anyone else about this matter
- You must not disclose any potential or actual vulnerability to any other person or to the public without the prior written permission of Mercari
- If your submission potentially or actually relates to a Mercari third-party vendor, Mercari reserves the right to forward your submission to the affected party
Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Any physical attempts against Mercari property (infrastructure, facilities, offices, data centers, etc…)
- Social engineering (including phishing) of Mercari staff or contractors
- Any activity that could lead to the disruption of our service (DoS, DDoS, etc…
- Public zero-day vulnerabilities that have had an official patch for less than 30 days will be awarded on a case-by-case basis
- Third-party API keys/secrets embedded in mobile applications, without a clear impact, as many third-parties require this for their own client attribution purposes
- Issues regarding any non-Mercari applications
- Issues regarding out-of-date versions of Mercari’s applications
- User enumeration attacks – unless you can demonstrate that we don’t have any rate limiting in place to protect our users
- Password reuse attacks – unless you can demonstrate that we don’t have any rate limits in place to protect our users
- Open redirect – unless additional security impact beyond simple redirect abuse can be demonstrated (e.g. the use of redirects for phishing alone is not deemed to be of sufficient impact)
- Clickjacking on pages with no sensitive actions
- Missing or misconfigured security headers without proof-of-concept demonstrating exploit (content-security-policy, public-key-pins, x-xss-protection, x-content-type-options, x-frame-options, HSTS, etc.)
- Host header injection – unless an additional security impact can be demonstrated
- Previously known vulnerable libraries without a working proof-of-concept
- Missing best practices in Content Security Policy
- TLS/SSL version, configuration, weak ciphers or expired certificates
- Lack of HTTPOnly or Secure flags on non-session cookies
- Content spoofing and text injection – unless an additional security impact can be demonstrated
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Autocomplete enabled
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc…)
- Software version disclosure / Banner identification issues / descriptive error messages or headers (e.g., stack traces, application, or server errors) unless an additional security impact can be demonstrated
- Unrestricted file uploads without a clear impact, beyond resource consumption, DoS, undesirable content, etc…
- Homographs, RTLO, or other types of UI issues
- GPS spoofing – unless an additional security impact can be demonstrated
- Leverage black hat SEO techniques
- Account squatting by preventing users from registering with certain email addresses
- Missing Referrer Policy
- Issues that require unlikely user interaction unless an additional security impact can be demonstrated
- Unconfirmed reports from automated tools & vulnerability scanners
By responsibly submitting your findings to Mercari in accordance with these guidelines, Mercari agrees not to pursue legal action against you. Mercari reserves all legal rights in the event of noncompliance with these guidelines. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for your responsible disclosure and helping to keep Mercari users safe and secure!