SHEIN treats the security of our products and businesses as the most important issue. We are committed to protecting our users' interests. We invite every white hat to report security vulnerabilities in SHEIN and to contribute to improving the security of SHEIN products and businesses.
1. Vulnerability reporting and processing flow
1.1 Registration
Please register a SHEIN SRC account with your own email address. Your email address will be required to recover your password, so please make sure it is valid.
1.2 Reporting
Fill out the information about the security vulnerability and submit the report. (Please describe the issue in as much detail as possible. Do not release or spread the information without SHEIN's authorization.)
1.3 Processing
SHEIN SRC will assess the reported vulnerability within 1-2 business days after the report is submitted. A report has one of the following statuses: under review, confirmed, fixed, ignored.
a) Under review: SHEIN SRC will assess the reported issue within 1-2 business days.
b) Confirmed: the vulnerability is confirmed to exist; SHEIN SRC will fix and rate it within 3 business days.
c) Fixed: the reported issue is fixed. We may need the reporter's assistance to confirm the fix.
d) Ignored: the security vulnerability does not exist or has already been reported. We will reject the report and inform the reporter of the reason.
1.4 Rewards
SHEIN SRC will reward the reporter according to the rank of the reported vulnerability (please refer to "Vulnerability Assessment Criteria").
2. Applicable Range
At this site (security.shein.com) we do not accept low- and medium-level vulnerabilities.
*.shein.com (except security.shein.com)
*.shein.in
*.shein.tw
*.shein.se
*.shein.com.hk
*.shein.com.vn
*.shein.com.mx
*.shein.co.uk
*.romwe.com
*.romwe.co.in
*.sheinoutlet.com
*.emmacloth.com
3. Basic Principles
We ask that you follow these principles when conducting vulnerability testing:
3.1 Please do not exploit security vulnerabilities beyond what is needed for minimal verification, or outside the scope of the vulnerability testing requirements.
3.2 Denial of service (DoS or DDoS) tests are not allowed.
3.3 Physical tests, social engineering tests and other non-technical tests are not allowed.
3.4 Please avoid accessing data in our information system unless necessary. Please stop testing and contact us if you gain access to the following information:
a) Personal identification information
b) Financial information (credit information or bank account information, etc.)
c) Company proprietary information or trade secrets
3.5 Please do not reveal any information acquired in vulnerability testing under any circumstances.
3.6 Please do not publicly disclose or reveal any details of the security vulnerabilities unless you have our written authorization. If you are unable to determine if you can continue testing, please contact us.
3.7 SHEIN opposes and condemns all activities that exploit security vulnerabilities to damage users' interests in the name of vulnerability testing. SHEIN reserves the right to take further legal action against such activities.
4. Vulnerability Assessment Criteria
SHEIN SRC will give reporters Security Coins and Points according to the risk rank and exploitability of the reported vulnerability (Points represent the reporter's degree of contribution to our site).
The assessment criteria are as follows:
Ranking     | Security Coins | Points
High-Risk   | 71-150         | 71-150
Medium-Risk | 20-70          | 20-70
Low-Risk    | 1-19           | 1-19
*Security Coins can be exchanged for cash or gifts in the gift center.
5. Vulnerability Ranking Standard
SHEIN SRC divides security vulnerabilities into 4 ranks: High-risk, Medium-risk, Low-risk, No-effect.
Ranking standards are as follows:
5.1 High-risk
●Vulnerabilities that cause leakage of highly sensitive data, including but not limited to SQL injections that allow an attacker to gain access to crucial data (data containing key material such as users' accounts and passwords) or to read/download arbitrary files (e.g. files containing key material).
●Critical logic flaws, including but not limited to vulnerabilities that allow an attacker to log in to arbitrary accounts, reset passwords, bypass payment, or perform other sensitive actions anonymously.
●Vulnerabilities that allow an attacker to gain system privileges (server side or client side), including but not limited to remote code execution, webshell upload, buffer overflow, SQL injection, etc.
●Vulnerabilities with massive impact, including but not limited to exploitable stored XSS, CSRF, etc.
●High-impact vulnerabilities that leak sensitive information, including but not limited to leakage of exploitable source code, and SQL injections that allow an attacker to obtain general data or to read or download arbitrary files.
●Unauthorized access to sensitive information, including but not limited to vulnerabilities that allow unauthorized direct access to an admin panel, access to weak-password accounts, or other services with weak passwords, where these contain highly sensitive information or carry real permissions.
5.2 Medium-risk
●Vulnerabilities requiring user interaction that permit obtaining users' credentials, including but not limited to JSON hijacking, CSRF, and stored XSS in ordinary applications.
●Leakage of general information, including but not limited to SQL injections that cause a small amount of low-impact information leakage, SQL injections that are hard to exploit, common unauthorized operations, and design or process flaws.
●Vulnerabilities that may cause resource abuse or harassment of users, including but not limited to SMS bombing, email bombing, etc.
5.3 Low-risk
●Including but not limited to reflected cross-site scripting (including reflected DOM-based XSS), a small amount of low-impact information leakage, full path disclosure, leakage of source code without sensitive information, leakage of PHPINFO, SVN, etc.
●Open redirects, client passwords stored in plain text, and passwords transmitted in plain text.
●Vulnerabilities that cause local denial of service, including but not limited to local denial of service on the user's end (crashes caused by the format of a parsed file or a network protocol).
●Confirmed potential risks that are hard to exploit.
5.4 No-effect
●Vulnerabilities that cannot affect users, including but not limited to Self-XSS.
●Vulnerabilities that cannot be exploited, including but not limited to reports that a version is out of date.
●Bugs without potential risk, including but not limited to functional failures, page encoding issues, application compatibility, etc.
●CSRF with no or low practical impact.
6. Reward rules
6.1 Rewards are only given to white hats who report security vulnerabilities to SHEIN SRC or to the SHEIN SRC email address src@shein.com.
6.2 Rewards are only given for information about threats to SHEIN's products and businesses. Threats that do not affect SHEIN products and businesses are not included.
6.3 For the same vulnerability, the reward is given to the first person who submits the report; others will not be rewarded.
6.4 Security vulnerabilities that have already been revealed to the public will not be rewarded.
6.5 The reward will be offered if the vulnerability is disclosed before it is fixed.
7. Supplement
7.1 Malicious reporters will be banned from our site.
7.2 Ranking will vary according to the importance of the affected business system.
7.3 SHEIN SRC reserves the right of interpretation of the rewarding system.
8. Dispute Resolution Policy
During the processing of a security vulnerability, if the reporter has any objection to the processing, assessment, ranking, etc., please contact SHEIN SRC by email at src@shein.com. SHEIN SRC will handle it based on the principle of giving priority to the interests of reporters. A ruling from a neutral third party may be involved if necessary.