1. Our promise to researchers
SniffIt treats security reports as a first-class signal. When you report a vulnerability in good faith, we commit to:
- Respond within 2 business days.
- Triage and confirm within 5 business days.
- Remediate based on severity (see SLAs below).
- Credit you publicly, or privately if you prefer.
- Not pursue legal action against good-faith research that follows this policy.
2. In scope
The following assets are within scope for this program:
- *.sniffit.app — marketing, dashboard, API
- The SniffIt Chrome / Edge / Brave extension
- The SniffIt iOS and Android applications
- First-party backend infrastructure (APIs, auth, scoring endpoints)
3. Out of scope
Please don't test these — reports will be closed as out-of-scope.
- Denial-of-service, rate-limit testing, or volumetric attacks.
- Social engineering of staff, contractors, or users.
- Physical attacks against offices or hardware.
- Third-party services, merchant sites, or marketplaces that SniffIt scores.
- Findings from automated scanners without a working proof of concept.
- Missing best-practice headers (HSTS, CSP) without a demonstrable impact.
- Self-XSS or issues that require a fully-compromised browser.
- Reports of outdated software without a known exploit affecting our configuration.
4. Rules of engagement
- Use test accounts you create yourself; never access another user's data.
- Stop as soon as you confirm the vulnerability — don't exfiltrate data.
- Don't publicly disclose before we've had a chance to fix (coordinated disclosure).
- Don't hold findings for ransom. Extortion disqualifies the report and voids safe harbor.
5. How to report
Email info@poslovno.ba. For high-severity findings, please encrypt with the PGP key below.
A good report includes:
- A clear title and summary of the issue.
- Affected asset (URL, extension version, endpoint).
- Step-by-step reproduction instructions.
- A proof-of-concept (video, cURL, or script).
- Suspected impact and suggested severity.
A sample report in that shape:
Subject: [SEC] Stored XSS in dashboard profile settings
Asset: https://app.sniffit.app/settings/profile
Impact: Executes arbitrary JS in the victim's session
Steps:
1. Log in and navigate to /settings/profile
2. Set display name to: <img src=x onerror=alert(1)>
3. Save, then view the profile as another user
Expected: display name is HTML-escaped on render
Actual: payload executes on render
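The sample report above names the expected behaviour (HTML escaping of the display name) and the observed one (the payload renders as markup). As an added illustration, not SniffIt's code, here is a vulnerable render beside an escaped one, plus a small check a reporter can drop into a script proof-of-concept. The template, the function names and the sample payload are assumptions for the example.

```javascript
// Added example, not part of the SniffIt page or product. Shows the
// difference between the "Expected" and "Actual" lines of the sample report.

// Constructed sample input: the payload from the sample report above.
const SAMPLE_PAYLOAD = '<img src=x onerror=alert(1)>';

// Escape the five characters that can break out of an HTML text node or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: interpolates the untrusted display name straight into markup.
// This is the behaviour the sample report describes under "Actual".
function renderProfileVulnerable(displayName) {
  return `<h1 class="profile-name">${displayName}</h1>`;
}

// Hardened: the untrusted value passes through escapeHtml before it reaches
// the template. This is the behaviour the sample report describes under
// "Expected".
function renderProfileSafe(displayName) {
  return `<h1 class="profile-name">${escapeHtml(displayName)}</h1>`;
}

// Lists every tag name that appears in rendered markup, sorted. A proof of
// concept can assert that only the template's own tags are present; an
// injected <img> shows up here as a second tag name.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Usage: compare what each renderer produces for the sample payload.
console.log('vulnerable:', tagNames(renderProfileVulnerable(SAMPLE_PAYLOAD)));
console.log('safe:      ', tagNames(renderProfileSafe(SAMPLE_PAYLOAD)));
```

The tag-name check is deliberately coarse: it only tells you whether a new element appeared, which is enough for a reproduction script. It is not a sanitizer, and escaping as above is only correct for text and double-quoted attribute contexts, not for values placed inside a `<script>` block, a URL, or an inline event handler.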
6. Severity & rewards
Severity is based on CVSS 3.1, adjusted for real-world impact. Rewards scale with severity and with the quality of the report. For duplicates, only the first valid submission of a given issue is rewarded.
Critical: $500 – $1,500. Examples: RCE, auth bypass, mass PII exposure.
High: $200 – $500. Examples: account takeover, stored XSS, privilege escalation.
Medium: $75 – $200. Examples: IDOR on low-risk resources, reflected XSS, CSRF.
Low: $25 – $75, or swag / Hall of Fame credit. Examples: minor misconfigurations.
7. Response SLAs
- First response: within 2 business days.
- Triage / confirmation: within 5 business days.
- Critical fix: deployed within 7 days of confirmation.
- High fix: within 30 days.
- Medium / Low fix: within 90 days.
- Public disclosure: coordinated with you, typically 90 days after fix deploy.
8. Safe harbor
We will not pursue civil or criminal action against researchers acting in good faith under this policy. Activity consistent with this policy is considered authorized, and we will work with you to understand and resolve the issue quickly.
If legal action is initiated by a third party against you for research conducted in compliance with this policy, we'll make it known that your activities were authorized.
9. Hall of fame
With your permission, we publicly credit every researcher who reports a confirmed, in-scope vulnerability. If you'd rather stay anonymous, just say the word.
Recent credits: coming soon — be the first.
10. PGP key
For encrypting sensitive reports:
Questions about the program: info@poslovno.ba. Thank you for helping keep SniffIt safe.