Thank you for taking the time
We are intensely focused on keeping our customers’ data safe and secure here at FoxyCart. Any input that helps us better serve and protect our customers is welcome. We are glad that you took the time to contact us.
Reporting a security concern
The Foxycart disclosure program is managed through Bugcrowd. To see the terms of the program and participate, go to Bugcrowd and sign up as a tester. You will need to accept the Foxycart terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.
If you need to be invited to the Foxycart program, please email firstname.lastname@example.org.
If you cannot submit via Bugcrowd, we will also accept email to email@example.com (using our public key and encrypting with PGP/GPG if possible), but we do not provide bounties outside of Bugcrowd.
Please do not use automated scanners or aggressive scripts in your testing.
The most important thing to note is how FoxyCart works. Please don't report the following behavior:
- Products can be added via a POST, and a product's price or other options can be modified. This is by design. We designed our system for flexibility, and there is a way to protect add-to-cart links and forms.
The following finding types are specifically excluded from the bounty:
- Account creation at admin.foxycart.com does not have captcha or email validation.
- Multiple failed login attempts for an invalid user do not result in an IP-based block. (Please note that multiple failed login attempts for a valid user will result in a temporary lock for that user.)
- Login Page / Forgot Password page messaging, account brute force, or account lockout not enforced.
- Admin session is not invalidated on password reset.
- Logout Cross-Site Request Forgery (logout CSRF).
- Form POSTs and GETs to /cart are possible from http. (http->https MITM attack vector.)
- Self-XSS and issues exploitable only through Self-XSS.
- Editing certain non-user-controllable HTTP headers such as Referer can trigger a reflected XSS on certain pages.
- SSL cipher strength issues as reported by automated scanning tools, unless you have a practical exploit.
- Clickjacking headers not present on some of our subdomains.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- CSRF on forms that are available to anonymous users (e.g. the contact form, search form).
- Presence of application or web browser 'autocomplete' or 'save password'.
- Disclosure of known public files or directories (e.g. robots.txt).
- Banner disclosure on common/public services.
- No Strict Transport Security (HSTS) headers set.
Out of Scope: Other *.foxycart.com Domains
FoxyCart customer sites and applications are out of scope for this program. You can create a free test account at admin.foxycart.com if you'd like to test the cart and checkout flow itself.
Vulnerabilities found at the following subdomains will be passed along to the vendors/creators, and may be eligible for kudos (via Bugcrowd), but no cash rewards. Please don't report issues with account login, SSL, CSRF, clickjacking, or any of the known issues noted above. For issues with the third-party system itself rather than our implementation of it, please report directly to the company responsible for it.
- forum.foxycart.com uses Vanilla
- www.foxycart.com uses Hifi CMS
- wiki.foxycart.com uses Dokuwiki
- affiliate.foxycart.com uses iDevAffiliate
Tracking security issues
Have a security issue that you think affects FoxyCart stores? Please let us know. We track multiple security lists and watch for issues that affect our infrastructure. Once we are aware of an issue, here’s how we handle it:
- We immediately patch and repair any affected software or infrastructure.
- We review our internal policies and procedures to understand how the issue arose.
- We give full disclosure to our customers, crediting the person or team that discovered the issue and detailing our measures to resolve any impact and prevent any future recurrence.
Security is a major focus for us
Thanks for working with us
We appreciate your time and skill in finding security vulnerabilities as well as the professional courtesy of taking the time to contact us.
*Occasionally we receive reports that are valid only in theory or for educational purposes. We cannot promise our full attention in situations like this. Thanks for understanding.
We appreciate the security professionals who have responsibly disclosed potential issues to us. For clarification, we split this list between vulnerabilities found in our own systems (admin.foxycart.com, example.foxycart.com) and vulnerabilities in 3rd party systems we use (www.foxycart.com, affiliate.foxycart.com, forum.foxycart.com, requests.foxycart.com, wiki.foxycart.com, docs.foxycart.com, etc.).
The following are sorted from oldest (at the top) to newest (at the bottom).
FoxyCart Application Disclosures
- Yaroslav Olejnik - O.J.A.
- Edis Konstantini
- Kamil Sevi
- Jayvardhan Singh
- Parichay Rai
- Tejash Patel
- Parveen Yadav & Mayank Bhatodra
- Rafael Pablos
- Nakul Mohan
- Dibyendu Sikdar
- Narendra Bhati
- Mazen Gamal
- Kalpesh Makwana
- Aditya Agrawal
- Sangeetha Rajesh S
- Abdul Haq Khokhar
- Areeb Khan
- Kiran Karnad
- Justine Edic
- Gineesh George
- Faisal Ahmed
- Md Ishrat Shahriyar
- Paulos Yibelo
- Abdul Wasay
- Nithish Varghese, Shivam Kumar Agarwal, Sahil Srivastava
3rd Party System Disclosures
- Sergey Bobrov
- Danish Tariq & Noman Ramzan
- Ahmad Ashraff
- Jatinpreet Singh
- J Muhammed Gazzaly
- Anand Prakash
- Ahmad Ashraff
- Prem Kumar
- Vaibhav Deshmukh
- Atulkumar Hariba Shedage
- Sasi Levi
- Sahil Saif
- Ali Hasan Ghauri
- Yazane Hassan
- Evan Ricafort
- Rodolfo Godalle, Jr.
- Rakesh Singh & Harish Kumar
- Jerold Camacho
- Owais Ahmed Siddiqui