---
title: Fourthwall Vulnerability Disclosure Program
shortDescription: Report a security vulnerability in Fourthwall through the official Vulnerability Disclosure Program with safe harbor and bounty eligibility.
articleType: Policy
primaryTopic: vulnerability-disclosure-program
categories:
  - Legal and Policy
  - Account Management
tags:
  - vulnerability-disclosure
  - security-research
  - bug-bounty
  - safe-harbor
  - responsible-disclosure
  - trust-and-safety
  - legal-policy
  - security
tasks:
  - Report a security vulnerability to Fourthwall
  - Check Vulnerability Disclosure Program scope
  - Submit a bug bounty report
  - Confirm safe harbor protection for security research
  - Find Fourthwall security contact
terms:
  - vulnerability disclosure program
  - VDP
  - bug bounty
  - security vulnerability
  - responsible disclosure
  - safe harbor
  - CSIRT
  - csirt@fourthwall.com
  - security research
  - vdp.fourthwall.com
  - bounty matrix
  - in-scope domains
  - report a vulnerability
labels:
  - security
  - vulnerability-disclosure
  - bug-bounty
  - legal
  - trust-and-safety
contextString: For external security researchers reporting vulnerabilities in Fourthwall systems. Creators with account or shop issues should contact support@fourthwall.com instead.
breadcrumbPath: "Frequently asked questions > Legal & compliance > Fourthwall Vulnerability Disclosure Program"
path: frequently-asked-questions/legal-and-compliance/vulnerability-disclosure-program
last_updated: '2026-06-18'
---

# Fourthwall Vulnerability Disclosure Program

Fourthwall runs a Vulnerability Disclosure Program (VDP) for security researchers who want to report bugs, exploits, or weaknesses in our platform. Reports submitted in good faith through the official form qualify for safe harbor protection and may be eligible for a bounty based on severity.

This page is for external security researchers only. If you are a creator with a question about your shop, account, or products, contact [support@fourthwall.com](mailto:support@fourthwall.com). To report another shop for phishing, brand impersonation, or policy abuse, see [How to report a Fourthwall shop policy violation](/frequently-asked-questions/legal-and-compliance/report-policy-violation).

## How to report a vulnerability

Submit your report through the official web form at [https://vdp.fourthwall.com/report](https://vdp.fourthwall.com/report). This is the channel for external researchers who want safe harbor protection and bounty eligibility.

Professional security contacts, such as enterprise security operations center (SOC) teams, contracted penetration testers, and takedown vendors, can reach the team directly at [csirt@fourthwall.com](mailto:csirt@fourthwall.com) instead of the web form. Reports submitted through either channel are processed by our Computer Security Incident Response Team (CSIRT) for verification and further investigation.

Reports must be submitted personally by the researcher through the web form. Do not submit reports programmatically. Automated submissions are rate-limited and may be flagged as spam, which can disqualify your report from review and bounty eligibility.

Include a clear proof of concept, reproduction steps, and any supporting evidence (request/response captures, screenshots, scripts). The more detail you provide, the faster our CSIRT can validate and triage the issue.

## In-scope targets

The following systems are in scope for the VDP:

- `www.fourthwall.com`
- `*.fourthwall.com`
- `*-shop.fourthwall.com`
- Fourthwall-associated services and APIs

Vulnerabilities found on any of these targets are eligible for review and, depending on severity, a bounty payment.

## Out-of-scope issues

The following are explicitly excluded from the VDP. Reports limited to these issues will be closed without a bounty.

**Reconnaissance and reporting quality:**

- Enumeration of random identifiers without a proof of concept
- Vulnerability scanner false positives or automated tool output without a proof of concept
- Theoretical subdomain takeovers without supporting evidence
- Generic host header attacks without evidence of impact on a remote victim
- Perceived security weaknesses without remote-victim evidence (plaintext credentials in a POST body, missing rate limits, brute force without demonstrated impact)
- Perceived permission issues without data integrity or confidentiality impact
- Disclosure of server or software version numbers
- General configuration or policy suggestions
- Usability or UI issues
- Slow requests that eventually complete

**Social engineering and content issues:**

- Social engineering, including phishing, employee impersonation, or contacting Support under false pretenses
- Tab nabbing
- Content spoofing
- Broken links or unclaimed social media accounts, unless chained with an impactful exploit
- Spam or flooding (email, SMS)
- Hyperlink injection at the storefront level by a privileged user
- HTML injection in emails by a store owner or staff, unless chained with an eligible vulnerability
- Bypassing HTML sanitization to make external HTTP requests at the storefront level by a privileged user

**Cross-site scripting (XSS) exclusions:**

- XSS via Set-Header or full header control
- XSS via Inspect Element or browser console
- Self-XSS requiring more than two steps
- Storefront or checkout XSS by a store owner or staff (including `*-shop.fourthwall.com`)
- iFrame XSS in the admin Theme Editor
- Legacy Rich Text Editor XSS by a privileged user

**Cross-site request forgery (CSRF) exclusions:**

- CSRF on login or logout, unless chained
- CSRF on cart modification

**Authentication and account handling:**

- Insecure cookie handling for account-identifying cookies
- Missing HttpOnly or Secure flags and browser cache issues
- Permitted password strength
- CVV validation during payment
- User or store name enumeration
- Email not requiring verification on signup
- Password-reset tokens not expiring on email change
- Lack of domain verification when adding a custom domain
- Insecure "Coming Soon" password
- Staff with edit permissions removing permissions they lack
- Staff access to admin endpoints

**Email and DNS:**

- SPF, DKIM, DMARC, CAA, TLSA, or DNSSEC record issues, including email spoofing
- CSV or formula injection

**Browser, mobile, and infrastructure:**

- Issues exploitable only in outdated browsers or plugins
- Mobile app issues that only reproduce in an emulator, on a rooted or jailbroken device, with physical or debug access, biometric bypass, absence of app encryption, lack of binary protection, or lack of SSL pinning
- Race conditions that cannot be exploited for access to sensitive information
- Server-side request forgery (SSRF) limited to simple HTTP or DNS interactions
- Open redirects without user interaction, unless chained to demonstrate significant impact

**DDoS, CDN, and platform-specific exclusions:**

- Denial of service. DoS is in scope only if a single user with a single request can disrupt the entire service, rather than a single shop
- Content Delivery Network (CDN) issues at `static.fourthwall.com` and `cdn.fourthwall.com`: arbitrary file upload by staff, sensitive-data disclosure for files intentionally public, stored XSS unless chained to a real scenario
- Creator HTML in store descriptions, product details, and content fields. This is by design, not a vulnerability
- Intended public files
- Third-party or partner security flaws. We escalate these to the partner, but they are not bountied

## Bounty matrix

Bounties are determined by severity once our CSIRT validates the report. Ranges are in US dollars.

- **Informational.** $0
- **Low.** $50 to $250
- **Medium.** $250 to $750
- **High.** $500 to $1,500
- **Critical.** $500 to $1,500
- **Super Critical.** $500 to $1,500

The final payout within each range depends on impact, exploitability, and the quality of the report.

## Response time

We acknowledge every valid submission within 168 hours (7 days) of receipt. Acknowledgment confirms that your report has been received and triaged. It does not commit to a fix timeline or a final bounty decision, which depend on severity, scope, and remediation work.

## Safe harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct. If legal action is initiated by a third party against you in connection with activities you carried out under this policy, we will take steps to make it known that your actions were conducted in compliance with the program.

To remain protected, only test on storefronts you own, stay within scope, avoid accessing or modifying supporter or creator data beyond what is needed to demonstrate the vulnerability, and submit your report through the official form before any public disclosure.

## Frequently asked questions

### Can I submit reports by email or through support?

External researchers seeking safe harbor and bounty eligibility must use the official form at [https://vdp.fourthwall.com/report](https://vdp.fourthwall.com/report). Reports sent to support, abuse, or any other inbox will not be triaged as VDP submissions and are not eligible for a bounty. Professional security contacts (enterprise SOC teams, contracted pentesters, takedown vendors) can instead reach our CSIRT directly at [csirt@fourthwall.com](mailto:csirt@fourthwall.com).

### Can I automate or script my submissions?

No. Reports must be submitted personally through the web form. Automated or programmatic submissions are rate-limited, may be flagged as spam, and can disqualify your report from review.

### Can I test storefronts I don't own?

No. Safe harbor only covers testing on storefronts you own. Set up your own Fourthwall shop to research vulnerabilities, stay within scope, and report through the official form. Testing on other creators' shops falls outside the policy.

### What happens after I submit a report?

Our CSIRT acknowledges receipt within 168 hours, validates the finding, and assigns a severity. Bounty amounts within each range depend on impact, exploitability, and report quality. We reach out by email if we need more information.

### Is there a bounty for informational findings?

No. Informational reports are recorded but pay $0. To qualify for a paid bounty, your report must demonstrate a real security impact at Low severity or above.

---

If your report concerns abuse, phishing, or policy violations rather than a security vulnerability, send the details to [abuse@fourthwall.com](mailto:abuse@fourthwall.com) instead. See [How to report a Fourthwall shop policy violation](/frequently-asked-questions/legal-and-compliance/report-policy-violation) for guidance.
