Shutterfly VDP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Response Targets
Shutterfly VDP will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 2 days |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
- The Shutterfly program requires researchers to identify themselves by adding an X-BugBounty: header to their requests where feasible.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Reports of suspected illicit content that do not present a security vulnerability should be e-mailed to [email protected] rather than submitted as reports on HackerOne.
Rate Limiting
Automated testing must be rate-limited to avoid service degradation, and testing that exceeds reasonable request rates may be considered disruptive or out of scope. Unless explicitly approved in advance, automated requests from a single researcher must not exceed the following limits:
- General pages: ≤ 30 requests per second
- API endpoints: ≤ 15 requests per second
- Authentication or other critical logic: ≤ 5 requests per second
Assets in scope
Any domain owned by Shutterfly Inc. that is listed in the Scope section is eligible for submission.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version).
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Issues that require unlikely user interaction.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Shutterfly and our users safe!
Guidelines
Shutterfly will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:
- Your activities are limited exclusively to:
  - (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or
  - (2) Sharing with, or receiving from, Shutterfly information about a vulnerability or an indicator related to a vulnerability.
- You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
- You avoid intentionally accessing the content of any communications, data, or information transiting or stored on Shutterfly information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
- You do not exfiltrate any data under any circumstances.
- You do not intentionally compromise the privacy, confidentiality, or safety of Shutterfly personnel or any third parties.
- You do not intentionally compromise the intellectual property or other commercial or financial interests of any Shutterfly personnel or entities, or any third parties.
- You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Shutterfly.
- You do not conduct denial of service testing.
- You do not conduct social engineering, including spear phishing, of Shutterfly personnel or contractors.
- You submit any known or recommended remediations or mitigations with your report.