If you have discovered a security vulnerability on Comor Store, we urge you to contact us immediately. We promise to review all legitimate vulnerability reports and take swift action to resolve the issue. Before reporting, please carefully review our guidelines, including our fundamentals, bounty program, reward guidelines, and what not to report.
If you follow the principles below when reporting a security issue to Comor Store, we will not pursue legal action or enforcement action against you in response to your report. We request that:
- You give us reasonable time to review and repair an issue you report before disclosing any information about the report or sharing it with others.
- You do not interact with a private account, including modifying or accessing data from the account, if the account owner has not given consent to such actions.
- You make a good faith effort to avoid privacy violations and disruptions to others, such as destruction of data or interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason, including demonstrating additional risk, such as attempting to compromise sensitive company data or finding additional issues.
- You do not violate any other applicable laws or regulations.
We acknowledge and appreciate security researchers who help us keep our users safe by reporting vulnerabilities in our services. Monetary bounties for such reports are entirely at Comor Store’s discretion, based on risk, impact, and other factors. To potentially qualify for a bounty, you must initially meet the following requirements:
- Adhere to our fundamentals (see above).
- Report a security bug: identify a vulnerability in our services or infrastructure that creates a security or privacy risk. Note that Comor Store ultimately determines the risk of an issue, and that many bugs are not security issues.
- Submit your report via our security center. Please do not contact employees.
- If you accidentally cause a privacy violation or disruption, such as accessing account data, service configurations, or other confidential information, while investigating an issue, disclose this in your report.
We investigate and respond to all valid reports. Due to the volume of reports we receive, we prioritize evaluations based on risk and other factors, and it may take some time before you receive a reply. We reserve the right to publish reports.
Our rewards are based on the impact of a vulnerability. We update the program over time based on feedback, so please provide us with feedback on any aspect of the program you believe we can improve.
To be eligible for a bounty, please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, it will not be eligible for a bounty. When duplicates occur, we award the first report that we can fully reproduce. One bounty will be awarded for multiple vulnerabilities caused by one underlying issue.
We determine bounty rewards based on a variety of factors, including impact, ease of exploitation, and quality of the report. The maximum amounts we will pay per level are as follows:
| Severity Level | Bounty Reward |
| --- | --- |
| Critical | $200 |
| High | $100 |
| Medium | $50 |
| Low | Not eligible |
Note: Critical severity vulnerabilities are those that allow privilege escalation on the platform from an unprivileged user to admin, allowing remote code execution.