[SHEIN-SRC-2021-11]SHEIN SRC's Vulnerability Processing Flow and Assessment Criteria V2.0
2022/12/09

SHEIN treats the security of its products and businesses as a top priority and is committed to protecting users' interests. We invite every white hat to report security vulnerabilities in SHEIN and to help improve the security of SHEIN's products and businesses.

1. Vulnerability reporting and processing flow
    1.1 Registration 
    Please register a SHEIN SRC account with your own email address. The email address is required to recover your password, so make sure it is valid.
    1.2 Reporting
    Fill in the details of the security vulnerability and submit the report. (Please describe the issue in as much detail as possible. Do not release or spread the information without SHEIN's authorization.)
    1.3 Processing
    SHEIN SRC will assess the reported vulnerability within 1-2 business days of submission. A report moves through the following statuses (under review / confirmed / fixed / ignored):
        a)  Under review: SHEIN SRC is assessing the reported issue and will complete the assessment within 1-2 business days;
        b)  Confirmed: the vulnerability is confirmed to exist; SHEIN SRC will fix and rate it within 3 business days;
        c)  Fixed: the reported issue has been fixed. We may ask the reporter to help confirm the fix;
        d)  Ignored: the security vulnerability does not exist or has already been reported. The report is rejected and the reason is communicated to the reporter.
    1.4 Rewards
    SHEIN SRC rewards the reporter according to the ranking of the reported vulnerability (please refer to "Vulnerability Assessment Criteria" below).

2. Applicable Range
    Low- and medium-risk vulnerabilities affecting this site itself (security.shein.com) are not accepted. The following domains are in scope:
    *.shein.com(Except security.shein.com)
    *.shein.in
    *.shein.tw
    *.shein.se
    *.shein.com.hk
    *.shein.com.vn
    *.shein.com.mx
    *.shein.co.uk
    *.romwe.com
    *.romwe.co.in

3. Basic Principles
    We ask that you follow these principles while testing for vulnerabilities:
    3.1 Do not exploit a security vulnerability beyond the minimum needed to verify it, or outside the scope of the testing requirements.
    3.2 Denial of service (DoS or DDoS) tests are not allowed.
    3.3 Physical tests, social engineering tests and other non-technical tests are not allowed.
    3.4 Avoid accessing data in our information systems unless it is necessary to demonstrate the issue. Stop testing and contact us if you gain access to any of the following:
        a) Personal identification information
        b) Financial information (credit information, bank account information, etc.)
        c) Enterprise property information or business secrets
    3.5 Do not reveal any information acquired during vulnerability testing under any circumstances.
    3.6 Do not publicly disclose or reveal any details of a security vulnerability unless you have our written authorization. If you are unsure whether you may continue testing, contact us.
    3.7 SHEIN opposes and condemns any activity that exploits security vulnerabilities to harm users' interests in the name of vulnerability testing. SHEIN reserves the right to take further legal action against such activities.

4. Vulnerability Assessment Criteria
    SHEIN SRC awards reporters Security Coins and Points according to the risk ranking and exploitability of the reported vulnerability (Points represent the degree of contribution to our site).
    Assessment Criteria is as follows:

    Ranking        Security Coin    Point
    High-Risk      71-150           71-150
    Medium-Risk    20-70            20-70
    Low-Risk       1-19             1-19

    *Security Coins can be exchanged for cash or gifts in the gift center.

    *Rewards are based on severity per CVSS (the Common Vulnerability Scoring System). These are general guidelines; reward decisions are at the discretion of SHEIN.

5. Vulnerability Ranking Standard
    SHEIN SRC divides security vulnerabilities into 4 ranks: High-risk, Medium-risk, Low-risk and No-effect.
    Ranking standards are as follows:
    5.1 High-risk
        ●Vulnerabilities that cause leakage of highly sensitive data, including but not limited to SQL injections that give an attacker access to critical data (e.g. data containing user accounts and passwords) or arbitrary file read/download (e.g. files containing core code or credentials).
        ●Critical logic flaws, including but not limited to vulnerabilities that allow an attacker to log in to arbitrary accounts, reset passwords, bypass payment or perform other sensitive actions anonymously.
        ●Vulnerabilities that allow an attacker to gain system privileges (server side or user side), including but not limited to remote code execution, webshell upload, buffer overflow, SQL injection, etc.
        ●Vulnerabilities with large-scale impact, including but not limited to exploitable stored XSS, CSRF, etc.
        ●High-impact vulnerabilities that leak sensitive information, including but not limited to leakage of exploitable source code, and SQL injections that allow an attacker to obtain general data or read/download arbitrary files.
        ●Unauthorized access to sensitive information, including but not limited to vulnerabilities that allow direct unauthorized access to an admin panel, or to accounts or other services protected by weak passwords that hold highly sensitive information or carry real permissions.
    5.2 Medium-risk
        ●Vulnerabilities that require user interaction and allow users' credentials to be obtained, including but not limited to JSON hijacking, CSRF and stored XSS in ordinary applications.
        ●Leakage of general information, including but not limited to SQL injections that leak a small amount of low-impact information, SQL injections that are hard to exploit, common unauthorized operations, and design or process flaws.
        ●Vulnerabilities that may cause resource abuse or harassment of users, including but not limited to SMS bombing, email bombing, etc.
    5.3 Low-risk
        ●Including but not limited to reflected cross-site scripting (including reflected DOM-based XSS), small amounts of low-impact information leakage, full path disclosure, leakage of source code that contains no sensitive information, leakage of PHPINFO, SVN metadata, etc.
        ●Open redirects, client-side passwords stored in plain text, and passwords transmitted in plain text.
        ●Confirmed potential risks that are hard to exploit.
    5.4 No-effect
        ●Vulnerabilities that cannot affect users, including but not limited to Self-XSS.
        ●Vulnerabilities that cannot be exploited, including but not limited to reports that a software version is out of date.
        ●Bugs without potential risk, including but not limited to functional failures, page encoding issues, application compatibility, etc.
        ●CSRF with no or low practical impact.
        ●Clickjacking on pages with no sensitive actions.
        ●Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
        ●Attacks requiring MITM or physical access to a user's device.
        ●Previously known vulnerable libraries without a working Proof of Concept.
        ●Comma Separated Values (CSV) injection without demonstrating a vulnerability.
        ●Missing best practices in SSL/TLS configuration.
        ●Any activity that could lead to the disruption of our service (DoS).
        ●Content spoofing and text injection issues without a demonstrated attack vector / without being able to modify HTML/CSS.
        ●Rate limiting or brute-force issues on non-authentication endpoints.
        ●Missing best practices in Content Security Policy.
        ●Missing HttpOnly or Secure flags on cookies.
        ●Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
        ●Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version].
        ●Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors).
        ●Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
        ●Tabnabbing.
        ●Open redirect, unless an additional security impact can be demonstrated.
        ●Issues that require unlikely user interaction.
        ●Vulnerabilities that cause local denial of service, including but not limited to denial of service on the user's end (crashes caused by the format of a parsed file or a network protocol message).

6. Reward rules
    6.1 Rewards are only given to white hats who report security vulnerabilities to SHEIN SRC through this site or by email to src@shein.com.
    6.2 Rewards are only given for findings that threaten SHEIN's products and businesses. Threats that do not affect SHEIN products and businesses are not eligible.
    6.3 For the same vulnerability, the reward goes to the first person to submit a report; later reporters are not rewarded.
    6.4 Security vulnerabilities that have already been disclosed to the public are not rewarded.
    6.5 No reward will be offered if the vulnerability is disclosed before it is fixed.

7. Supplement
    7.1 Malicious reporters will be banned from our site.
    7.2 Rankings may be adjusted according to the importance of the affected business system.
    7.3 SHEIN SRC reserves the right of final interpretation of the reward system.

8. Dispute Resolution Policy
    If the reporter has any objection to the processing, assessment, ranking, etc. of a security vulnerability, please contact SHEIN SRC by email at src@shein.com. SHEIN SRC will handle the dispute with the reporter's interests given priority. A ruling from a mutually agreed third party may be sought if necessary.