Catawiki Responsible Disclosure Statement

Thank you for taking the time to participate in our Responsible Disclosure program.

At Catawiki, we consider the security of our systems a top priority. Security plays a key role in how we develop and provide our services.

Below are our guidelines for submitting quality bug reports to Catawiki. Following them enables us to address your report effectively.

In scope are the assets under our direct control: https://www.catawiki.com and the pages reached by logging into the https://www.catawiki.com marketplace. Out of scope are third-party applications that we use but do not control directly: for example, blogging, careers or marketing websites that are not hosted on the Catawiki domain, and vulnerabilities in GCP or any other cloud platform itself.

What we would like you to do

  • Report vulnerabilities that apply to our website, including the CVE identifier and CVSS score if one exists, and explain how they can be exploited.
  • Include videos and photos in your report; they are greatly appreciated!
  • Report cases where malicious files can be uploaded to our platform, with a proof of concept.
  • Report vulnerable network ports or services.
  • Report vulnerabilities in which validation (CSRF protection or otherwise) fails, enabling security controls to be bypassed or circumvented.

What you should not do

  • Please do not send in findings from third-party tools or scanners without a proof of concept that demonstrates exploitation.
  • Please do not report password weaknesses found by brute force, dictionary attacks, or other password guessing.
  • Please do not attempt DDoS or other resource-exhaustion attacks.
  • Please do not attempt spam attacks, unless the vulnerability you are reporting itself allows spam to be sent easily.
  • Please do not report issues related to account verification or password policy.
  • Please do not report Self-XSS issues.
  • Please do not report a missing Certificate Authority Authorization (CAA) record for a Catawiki domain name.

If you do not follow the code of conduct above, Catawiki reserves the right to take legal action against you. This code of conduct for reporting security vulnerabilities to Catawiki is subject to Dutch law.

In addition, please do not use the BugCrowd platform for questions or complaints about Catawiki's services or about user material on the platform. If you have a question or complaint that is unrelated to a security vulnerability in our systems, please consult our help centre and, if necessary, contact our Customer Support team.

To participate in our Responsible Disclosure Program, please sign into or register a hacker account on BugCrowd.

Data Protection

The Responsible Disclosure Program is subject to Catawiki's Privacy Policy. Note, however, that only limited personal data is processed for the reports you make. Catawiki uses BugCrowd to support vulnerability reporting, which you can do using your BugCrowd credentials. If you have an account, Catawiki will be able to see your user name, but no other personal data linked to your account. All data included in a vulnerability report will be processed in our internal ticketing system and will be accessible to our Security team and other relevant technical staff.

