Ensuring the safety and security of our users is our top priority, and we appreciate all efforts to discover and disclose security vulnerabilities to us in a responsible manner.
If you would like to report a vulnerability found on the Mercari services, you can use the following form to submit a vulnerability report.
*Jira account required
Alternatively you can email the report to us at security[ @ ]mercari.com and use the PGP key specified below.
Reporting Guidelines
In order for us to properly investigate the vulnerability, please include the following details where possible when submitting a report:
- Your name and contact email
- Version and OS (iOS, Android, web) of the app affected
- Vulnerability type and category
- Description of potential vulnerability
-
Steps to reproduce the issue
- Include screenshots and/or video if possible
- Proof of Concept (PoC)
- Expected correct behavior or workaround
-
Disclosure plans, if any
- We will do our best to remediate vulnerabilities as quickly as possible and ask that reporters refrain from making disclosures until remediation is complete
We take all disclosures very seriously and will do our best to respond to you quickly as possible, verify the vulnerability, and take steps to get it remediated.
After our initial response, we will do our best to periodically update you with the status of verification / remediation of your report.
Secure Communications
If you are unable to use our vulnerability report form and would like to secure your email communications with us, please use the following PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF7zEV4BEADUPOY8BdIsdRYpEq+3LmhMpLeIlZJwChaYuYN5X3476gBFj1GO
3MYLnCiq22SQUybcPKkv8Z/jVtVtZVuHSbfwt0ygx26mgI8+bUxI33kLXsNQjhWi
qCYFXso0TeXS4EHvdO47Gd0LUP9FeBMMbwfOHZDkFJpe2drUJhTwXcMqQmDfgCPs
IOAIGd99cIgsemCuS22rDKaLoGbruKczF7NEgPyFYenhhGNB3l0fWUt0/zow/3cn
0Zv7v5VhmH4QkVOamLtonnGcpbalRf8Gg2mPtCD3M+IraHsSgRBc1KTSSh0GkXCM
wkPJFBxogz2Zv1FsKXk7vMJWmM13nanMtW56fkTiLuByW2egEzC2Fp1m6i5XLrw3
Ioai53GMgxOw+O2VYrR6JrBzCaE8YhzI5bFEgc9XSQ8cuRoxakDn2wvZoT0R/YDb
PZu/un/ZMpD9pK7A5GzeHcnJHD5u9kLu4TAl80Liyi8X2inFoMmoUP9yETp+OqaM
RDMWlUtXW+1qpz6JZnXuJSfIhB0Ihru0ks13PEJdZdIzvGT7B2HCCSptA8yGAjSC
CPKCautBDaAvyhJp2JbGAJPdJ8UEVaXVyeA5avV2EuKJNXwP5AVMPvVoZV47nBPG
kYH3l4FWwssKN+/UVe95bspBd/74VsaA0VU/UYQTIRoX/+b/AdkXEGiaJwARAQAB
tCxNZXJjYXJpIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1lcmNhcmkuY29tPokC
VAQTAQgAPhYhBBOdCLzrvTyPzrtY+ETEAtRfLRyxBQJe8xFeAhsDBQkHhh+ABQsJ
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEETEAtRfLRyxWgoP/jfRhdlGm86L9/DY
iQbGFqSL8dzmTTQFe3BSE83EH7v4FfmBQpd0ce12PJMc3Y4L1MFQ3fJdrwPgEPB4
LPHGItfl0IfqPS7/Ru45mIVx02ZGgsWfh5XKZ2UN5gbc/bW0GgoNtsKCAQFQZ2G8
tPmhOZTbcTImFSyeFu/YJOAFv6gXSVBq87afj8ZePBVQ6w/s0Zrmn7NrnWDmwECD
UqTFdObCYNBPnAx7wqgyH4tiW0OxiB7S92S4tzfqYFlAva3onDAt5FNhUIyEKcMu
dQSnyeBGTWgrdaiT/pbsNuFsp/U0aXDKRJTAs6/rhgOUJoEPmOrNxQi0AqhWoeEy
68OcRFxtAxijLLpbriQk5MNtOKhE/zOvIG/yO72rVAbT4Jat6oQuJcZzr0DO0W16
CL6zgClpHwa4BC1qwGOfj0vyhwOOkwnyHt5dXhod/YadpUw5uIVdAOHLJ+6tEC36
v3zj3lQ9s0iud6TTy9EEVYC6G9lwkq8JybIRSh8yVGYd0yDEKZszvYn9anxfry4T
CoukqacYhQMXC/AM0RNETl7SmdrglK0XlvHlZqaAMPqdIAmVseAiwUUHj+XLQYH1
mXDRXnv0te0o9PM1dyA4I+d8et4gFE5DLvH2xfmzeUXcSYdaBolBiQihnNf7kWj+
8E9dLmau2bJn/7SpXFDAJhKJ+U7VuQINBF7zEV4BEADNc776NslA+ClR39ydRmPH
GXazJX+6d7Wz55MnNZMZ4BNqbjXSx55C5ZrRjZdn8/21leZdCXtAZZ8YYBS/tT1p
s/8+yjaGj0jvbnZNc7Mcz9VHjItU0SQVqL+tE5qqgY2US1OEHQnWntBrIDGtFZhR
XsTMtaIaXitmIlyfu907ezp93ez4nlY8lyZAe44cX7DlUHMbo1JwvTVYLLXHKzYW
HSvVnxPaR0pxxLyzU0xFzV2gi/7gS+OutoAn/b7Q69rLq+RbrqRxLKhQPSEkxf1w
jaNIx0a0pFY7gCiyUaMuafdHAR091KNfL/pPygXv8DGq8pqiJ3HpdUcznGQRvLic
MJgv+WzR76sFg1M4PlhlxXZR+ln3vKgp58yyiLuPl0QZcfXoZHxvE03lY0qnT/aC
6zLXlG1CotPCQ8aBEoYY1V1bUSI8arVT4dpHktjYOvoGdV4Geo9VlRyS70tfeUPr
EVaCec6XgA1QWWPzHevQYwRRZVQ400lSnN7qxmJ0I39Ea1QFAPdv8iHDJL0XW9C8
VjKjzgvULsBwQoXXTfV2AFo4tPz+AzT+yV7Unni6TJ49PW6CNvWMohyXI/tYcrPR
8Hx82ay5QH2mHluehozlo8m/hwvW/J7uWxFQut7uLE9ckWklYj1pCuK0WweoUibI
30KKA83wckiAfgxeV1jVwQARAQABiQI8BBgBCAAmFiEEE50IvOu9PI/Ou1j4RMQC
1F8tHLEFAl7zEV4CGwwFCQeGH4AACgkQRMQC1F8tHLH3sBAAwXGSFXmfOAXGB+pI
13Be+vhQ3BXK+GIcx6kx8xnpuQrPMcPS05aWQDJQz82qYcEtevx5AmmTV/JjYQCv
EWYhOlXHgFVJRzb0HFt6zO8jkaX4eN0XObZ2vDmCVjgWzfCHq9EnJAn5ULEm1nkD
SAXWSjLsQA612FvAPLHmOE9wS5KWHjoX3xA2IPBi67O9G4YvdD0S/eiFjgu5gno5
qtB7KnnhEroPJPP56ZDIatjN9Y9XycrZbVYtbFPstRn0I59R1DGKuqVOCVIt6GcD
DgWaHsvr4vUX1sJzUArCOXxIym2Ryn5EXfI2R4B5pspbkpbxor2JtsvtQSg8VkqN
lAEUl0aV4d1CGol03i1s53ZzVzuSaueZ/mRXm3bkXvC186tecjA8NNUNQ+w3enrX
y0z3Z95rx2jcP33b18BMvFdm3FvUu++kJl8oNy8oVPLmIHRsCxIF1+Kw37psJa/k
khDmL4NmVsQD50cIZa2vUqaYMxvpDcFMICAvPJx9AdV1Y8NtHLOE/0K5vvAHMGEu
jbkKYjlQ0fl7epAq3omWkF/y2PLChupqgoTtb/sPw1/m54XljFigj8oukxtsXvrq
A7cGnh4/+4Ai4ThWF3gKDdCccney0JdbPdN/9CxlkH2fQgwDlU2BW8AWQmsbd1nC
uR7pv1ZH72//tAy9atj3QaO61Nw=
=A4SH
-----END PGP PUBLIC KEY BLOCK-----
※At present, we do not offer a rewards program for vulnerability reports and therefore compensation for valid reports is not provided. For valid reports we may provide rewards such as novelty goods as a small token of our appreciation where possible.