The RealReal looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.

SLA

The RealReal will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 2 business days
• Time to triage (from report submit) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.

Program Rules

• Employees or relatives of employees are prohibited from participating
• Please provide detailed reports with reproducible steps.
• Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Please be aware that using a high volume of scanners or automated testing tools may cause our security team to classify your traffic as "malicious" and may result in the suspension of your account or banning your IP address.
• Please keep all communications in HackerOne’s platform
• Don’t publicly disclose a bug before it has been fixed
• Do not impact other users with your testing

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of The RealReal staff or contractors
• Any physical attempts against The RealReal property or data centers

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Bugs requiring exceedingly unlikely user interaction.
• Disclosure of public information and information that does not present a significant risk.
• Insecure cookie settings for non-sensitive cookies
• Host header injection without a specific proof of concept.
• Open redirects that cannot be leveraged to programmatically exfiltrate sensitive information (e.g., cookies, OAuth tokens, etc.).
• Two-factor authentication bypass that requires physical access to a logged-in device.
• Issues relating to Password Policy
• CSRF-able actions that do not require authentication (or a session) to exploit
• Reports relating to self-DoS issues (as in, only the person doing the action is denied service).
• Spamming other users with automated emails or notifications (e.g. abusing the forgot password form).
• Reports that are only theoretical without a practical exploit scenario.
• Disclosure of software version numbers

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep The RealReal and our users safe!