MENU
vulnerability

Reporting a Vulnerability

Found a security issue or vulnerability in one of Mercari Group’s services? Let us know!

vulnerability

Ensuring the safety and security of our users is our top priority, and we appreciate all efforts to discover and disclose security vulnerabilities to us in a responsible manner.
If you would like to report a vulnerability found on the Mercari services, you can use the following form to submit a vulnerability report.
*Jira account requiredReport Form

Alternatively you can email the report to us at security[ @ ]mercari.com and use the PGP key specified below.

Guideline

Reporting Guidelines

In order for us to properly investigate the vulnerability, please include the following details where possible when submitting a report:

  • Your name and contact email
  • Version and OS (iOS, Android, web) of the app affected
  • Vulnerability type and category
  • Description of potential vulnerability
  • Steps to reproduce the issue
    • Include screenshots and/or video if possible
  • Proof of Concept (PoC)
  • Expected correct behavior or workaround
  • Disclosure plans, if any
    • We will do our best to remediate vulnerabilities as quickly as possible and ask that reporters refrain from making disclosures until remediation is complete

We take all disclosures very seriously and will do our best to respond to you quickly as possible, verify the vulnerability, and take steps to get it remediated.
After our initial response, we will do our best to periodically update you with the status of verification / remediation of your report.

PGP key

Secure Communications

If you are unable to use our vulnerability report form and would like to secure your email communications with us, please use the following PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF7zEV4BEADUPOY8BdIsdRYpEq+3LmhMpLeIlZJwChaYuYN5X3476gBFj1GO 3MYLnCiq22SQUybcPKkv8Z/jVtVtZVuHSbfwt0ygx26mgI8+bUxI33kLXsNQjhWi qCYFXso0TeXS4EHvdO47Gd0LUP9FeBMMbwfOHZDkFJpe2drUJhTwXcMqQmDfgCPs IOAIGd99cIgsemCuS22rDKaLoGbruKczF7NEgPyFYenhhGNB3l0fWUt0/zow/3cn 0Zv7v5VhmH4QkVOamLtonnGcpbalRf8Gg2mPtCD3M+IraHsSgRBc1KTSSh0GkXCM wkPJFBxogz2Zv1FsKXk7vMJWmM13nanMtW56fkTiLuByW2egEzC2Fp1m6i5XLrw3 Ioai53GMgxOw+O2VYrR6JrBzCaE8YhzI5bFEgc9XSQ8cuRoxakDn2wvZoT0R/YDb PZu/un/ZMpD9pK7A5GzeHcnJHD5u9kLu4TAl80Liyi8X2inFoMmoUP9yETp+OqaM RDMWlUtXW+1qpz6JZnXuJSfIhB0Ihru0ks13PEJdZdIzvGT7B2HCCSptA8yGAjSC CPKCautBDaAvyhJp2JbGAJPdJ8UEVaXVyeA5avV2EuKJNXwP5AVMPvVoZV47nBPG kYH3l4FWwssKN+/UVe95bspBd/74VsaA0VU/UYQTIRoX/+b/AdkXEGiaJwARAQAB tCxNZXJjYXJpIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1lcmNhcmkuY29tPokC VAQTAQgAPhYhBBOdCLzrvTyPzrtY+ETEAtRfLRyxBQJe8xFeAhsDBQkHhh+ABQsJ CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEETEAtRfLRyxWgoP/jfRhdlGm86L9/DY iQbGFqSL8dzmTTQFe3BSE83EH7v4FfmBQpd0ce12PJMc3Y4L1MFQ3fJdrwPgEPB4 LPHGItfl0IfqPS7/Ru45mIVx02ZGgsWfh5XKZ2UN5gbc/bW0GgoNtsKCAQFQZ2G8 tPmhOZTbcTImFSyeFu/YJOAFv6gXSVBq87afj8ZePBVQ6w/s0Zrmn7NrnWDmwECD UqTFdObCYNBPnAx7wqgyH4tiW0OxiB7S92S4tzfqYFlAva3onDAt5FNhUIyEKcMu dQSnyeBGTWgrdaiT/pbsNuFsp/U0aXDKRJTAs6/rhgOUJoEPmOrNxQi0AqhWoeEy 68OcRFxtAxijLLpbriQk5MNtOKhE/zOvIG/yO72rVAbT4Jat6oQuJcZzr0DO0W16 CL6zgClpHwa4BC1qwGOfj0vyhwOOkwnyHt5dXhod/YadpUw5uIVdAOHLJ+6tEC36 v3zj3lQ9s0iud6TTy9EEVYC6G9lwkq8JybIRSh8yVGYd0yDEKZszvYn9anxfry4T CoukqacYhQMXC/AM0RNETl7SmdrglK0XlvHlZqaAMPqdIAmVseAiwUUHj+XLQYH1 mXDRXnv0te0o9PM1dyA4I+d8et4gFE5DLvH2xfmzeUXcSYdaBolBiQihnNf7kWj+ 8E9dLmau2bJn/7SpXFDAJhKJ+U7VuQINBF7zEV4BEADNc776NslA+ClR39ydRmPH GXazJX+6d7Wz55MnNZMZ4BNqbjXSx55C5ZrRjZdn8/21leZdCXtAZZ8YYBS/tT1p s/8+yjaGj0jvbnZNc7Mcz9VHjItU0SQVqL+tE5qqgY2US1OEHQnWntBrIDGtFZhR XsTMtaIaXitmIlyfu907ezp93ez4nlY8lyZAe44cX7DlUHMbo1JwvTVYLLXHKzYW HSvVnxPaR0pxxLyzU0xFzV2gi/7gS+OutoAn/b7Q69rLq+RbrqRxLKhQPSEkxf1w jaNIx0a0pFY7gCiyUaMuafdHAR091KNfL/pPygXv8DGq8pqiJ3HpdUcznGQRvLic MJgv+WzR76sFg1M4PlhlxXZR+ln3vKgp58yyiLuPl0QZcfXoZHxvE03lY0qnT/aC 6zLXlG1CotPCQ8aBEoYY1V1bUSI8arVT4dpHktjYOvoGdV4Geo9VlRyS70tfeUPr EVaCec6XgA1QWWPzHevQYwRRZVQ400lSnN7qxmJ0I39Ea1QFAPdv8iHDJL0XW9C8 VjKjzgvULsBwQoXXTfV2AFo4tPz+AzT+yV7Unni6TJ49PW6CNvWMohyXI/tYcrPR 8Hx82ay5QH2mHluehozlo8m/hwvW/J7uWxFQut7uLE9ckWklYj1pCuK0WweoUibI 30KKA83wckiAfgxeV1jVwQARAQABiQI8BBgBCAAmFiEEE50IvOu9PI/Ou1j4RMQC 1F8tHLEFAl7zEV4CGwwFCQeGH4AACgkQRMQC1F8tHLH3sBAAwXGSFXmfOAXGB+pI 13Be+vhQ3BXK+GIcx6kx8xnpuQrPMcPS05aWQDJQz82qYcEtevx5AmmTV/JjYQCv EWYhOlXHgFVJRzb0HFt6zO8jkaX4eN0XObZ2vDmCVjgWzfCHq9EnJAn5ULEm1nkD SAXWSjLsQA612FvAPLHmOE9wS5KWHjoX3xA2IPBi67O9G4YvdD0S/eiFjgu5gno5 qtB7KnnhEroPJPP56ZDIatjN9Y9XycrZbVYtbFPstRn0I59R1DGKuqVOCVIt6GcD DgWaHsvr4vUX1sJzUArCOXxIym2Ryn5EXfI2R4B5pspbkpbxor2JtsvtQSg8VkqN lAEUl0aV4d1CGol03i1s53ZzVzuSaueZ/mRXm3bkXvC186tecjA8NNUNQ+w3enrX y0z3Z95rx2jcP33b18BMvFdm3FvUu++kJl8oNy8oVPLmIHRsCxIF1+Kw37psJa/k khDmL4NmVsQD50cIZa2vUqaYMxvpDcFMICAvPJx9AdV1Y8NtHLOE/0K5vvAHMGEu jbkKYjlQ0fl7epAq3omWkF/y2PLChupqgoTtb/sPw1/m54XljFigj8oukxtsXvrq A7cGnh4/+4Ai4ThWF3gKDdCccney0JdbPdN/9CxlkH2fQgwDlU2BW8AWQmsbd1nC uR7pv1ZH72//tAy9atj3QaO61Nw= =A4SH -----END PGP PUBLIC KEY BLOCK-----

※At present, we do not offer a rewards program for vulnerability reports and therefore compensation for valid reports is not provided. For valid reports we may provide rewards such as novelty goods as a small token of our appreciation where possible.

Watch out for suspicious email claiming to be from Mercari

Watch out for suspicious email claiming to be from Mercari

Read more