Thank you for taking the time to participate in our Responsible Disclosure program.
At Catawiki, we consider the security of our systems a top priority. Security plays a key role in how we develop and provide our services.
Below are our guidelines for submitting quality bug reports to Catawiki, which will enable us to address them effectively.
The assets we have control over include https://www.catawiki.com and pages reached by logging into the https://www.catawiki.com marketplace. This does NOT include 3rd party applications we make use of but do not control directly: for example, any blogging or marketing websites that are not hosted under the Catawiki domain, GCP, or any other cloud platform vulnerabilities.
What we would like you to do
- Send in vulnerabilities that are applicable to our website, including their CVE scores if they have one, and how they can be exploited.
- Include videos and photos in your report; they're greatly appreciated!
- Send examples where malicious files can be uploaded within our platform.
- Send reports of vulnerable network ports or services.
- Send vulnerabilities in which validation (CSRF protection or otherwise) fails, enabling bypass or circumvention of security controls.
What you should not do
- Please do not send in vulnerabilities reported by 3rd party tools or scanners without a proof of concept demonstrating exploitation.
- Please do not send in password vulnerabilities exploited by brute force, dictionary attacks, or otherwise guessing passwords.
- Please do not attempt DDoS or other resource exhaustion attacks.
- Please do not attempt spam attacks unless a vulnerability makes it easy to send spam.
- Please do not send vulnerabilities associated with account verification or password policy.
- Please do not send vulnerabilities associated with a Self-XSS attack.
- Please do not send vulnerabilities associated with a missing Certificate Authority Authorization (CAA) record for a Catawiki domain name.
In the event that you have not followed the above code of conduct, Catawiki reserves the right to take legal action against you. This code of conduct for notifying security vulnerabilities at Catawiki is subject to Dutch law.
In addition, please do not use the Zerocopter platform for any questions or complaints related to the services of Catawiki or user material on the platform. Should you have any questions or complaints that are unrelated to security vulnerabilities in our systems, please review our help centre and contact our Customer Support teams if necessary.
Our Responsible Disclosure Program can be found here