SHEIN treats the security of our products and businesses as the most important issue. We are committed to protecting our users' interests. We invite every white hat to report security vulnerabilities in SHEIN and to contribute to improving the security of SHEIN products and businesses.
1. Vulnerability reporting and processing flow
1.1 Registration
Please register a SHEIN SRC account with your own email. Your email will be requested when you retrieve your password, so please make sure it is valid.
1.2 Reporting
Fill out the information about the security vulnerability and submit the report. (Please describe the issue in as much detail as possible. Do not release or spread the information without SHEIN's authorization.)
1.3 Processing
SHEIN SRC will assess the reported vulnerability within 1-2 business days after the report is submitted (Status: under review / confirmed / fixed / ignored):
a) Under review: SHEIN SRC will assess the reported issue within 1-2 business days.
b) Confirmed: the vulnerability is confirmed to exist; SHEIN SRC will fix and rate it within 3 business days.
c) Fixed: the reported issue is fixed. We may need the reporter's assistance to confirm it.
d) Ignored: the security vulnerability does not exist or has already been reported. We will reject the report and explain the reason.
1.4 Rewards
SHEIN SRC will reward the reporter according to the rank of the reported vulnerability (please refer to "Vulnerability Assessment Criteria").
2. Applicable Range
For this site itself (security.shein.com) we do not accept low- and medium-level vulnerabilities. The following domains are in scope:
*.shein.com (except security.shein.com)
*.shein.in
*.shein.tw
*.shein.se
*.shein.com.hk
*.shein.com.vn
*.shein.com.mx
*.shein.co.uk
*.romwe.com
*.romwe.co.in
3. Basic Principles
We hope you will follow these principles while conducting vulnerability testing:
3.1 Please do not exploit security vulnerabilities beyond the minimum needed for verification, or outside the scope of the vulnerability testing requirements.
3.2 Denial of service (DoS or DDoS) tests are not allowed.
3.3 Physical tests, social engineering tests and other non-technical tests are not allowed.
3.4 Please avoid accessing data in our information systems unless necessary. Please stop testing and contact us if you gain access to the following information:
a) Personal identification information
b) Financial information (credit information or bank account information, etc.)
c) Enterprise property information or business secrets
3.5 Please do not reveal any information acquired during vulnerability testing under any circumstances.
3.6 Please do not publicly disclose or reveal any details of security vulnerabilities unless you have our written authorization. If you are unable to determine whether you can continue testing, please contact us.
3.7 SHEIN opposes and condemns all activities that exploit security vulnerabilities to damage users' interests in the name of vulnerability testing. SHEIN reserves the right to take further legal action against such activities.
4. Vulnerability Assessment Criteria
SHEIN SRC will give reporters Security Coins and Points according to the risk rank and exploitability of the reported vulnerability (Points represent the degree of contribution to our site).
The assessment criteria are as follows:
Ranking | Security Coins | Points
Critical | 151-250 | 151-250
High-Risk | 71-150 | 71-150
Medium-Risk | 20-70 | 20-70
Low-Risk | 1-19 | 1-19
*Security Coins can be exchanged for cash or gifts in the gift center.
*Our rewards are based on severity per CVSS (the Common Vulnerability Scoring System). Please note these are general guidelines, and reward decisions are at the discretion of SHEIN.
5. Vulnerability Ranking Standard
SHEIN SRC divides security vulnerabilities into 5 ranks: Critical, High-risk, Medium-risk, Low-risk and No-effect.
Ranking standards are as follows:
5.1 Critical
●Vulnerabilities that lead to serious leakage of sensitive information, including but not limited to SQL injection into important databases containing highly sensitive data, or interface issues that allow attackers to obtain a large amount of highly sensitive data, such as the identity information of core users and core business information.
●Vulnerabilities that allow an attacker to obtain system permissions (server or user), including but not limited to arbitrary command execution, webshell uploading, and arbitrary code execution.
●Intelligence on impending or ongoing serious security threats that could result in significant losses, paralysis, or impact on the company's core business.
5.2 High-risk
●Vulnerabilities that cause leakage of highly sensitive data, including but not limited to SQL injections which allow an attacker to gain access to crucial data (including key code, such as users' accounts and passwords) or to read/download arbitrary files (e.g. files that include key code).
●Critical logic flaws, including but not limited to vulnerabilities which allow an attacker to log in to arbitrary accounts, reset passwords, bypass payment or perform any sensitive activity anonymously.
●Vulnerabilities which allow an attacker to gain system privileges (server side or user side), including but not limited to remote code execution, webshell uploading, buffer overflow, SQL injection, etc.
●Vulnerabilities with massive effect, including but not limited to exploitable stored XSS, CSRF, etc.
●High-impact vulnerabilities that leak sensitive information, including but not limited to leakage of exploitable source code, SQL injections which allow an attacker to obtain general data, or reading/downloading of arbitrary files.
●Unauthorized access to sensitive information, including but not limited to vulnerabilities which allow unauthorized direct access to an admin panel, to weak-password accounts, or to other services with weak passwords, where these contain highly sensitive information or carry actual permissions.
5.3 Medium-risk
●Vulnerabilities requiring user interaction that permit obtaining users' credentials, including but not limited to JSON hijacking, CSRF, and stored XSS in normal applications.
●Leakage of general information, including but not limited to SQL injections which cause a small amount of low-impact information leakage, SQL injections that are hard to exploit, common unauthorized operations, and design or process flaws.
●Vulnerabilities that may cause resource abuse or harassment of users, including but not limited to SMS bombs, email bombs, etc.
5.4 Low-risk
●Including but not limited to reflected cross-site scripting (reflected or DOM-based XSS), a small amount of low-impact information leakage, full path disclosure, leakage of source code without sensitive information, leakage of PHPINFO, SVN, etc.
●Open redirects, clients' passwords stored in plain text, and passwords transmitted in plain text.
●Confirmed potential risks that are hard to exploit.
5.5 No-effect
●Vulnerabilities that cannot affect users, including but not limited to Self-XSS.
●Vulnerabilities that cannot be exploited, including but not limited to reports that a software version is out of date.
●Bugs without potential risk, including but not limited to function failures, page encoding, application compatibility, etc.
●CSRF with no or low practical impact.
●Clickjacking on pages with no sensitive actions.
●Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
●Attacks requiring MITM or physical access to a user's device.
●Previously known vulnerable libraries without a working Proof of Concept.
●Comma Separated Values (CSV) injection without demonstrating a vulnerability.
●Missing best practices in SSL/TLS configuration.
●Any activity that could lead to the disruption of our service (DoS).
●Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
●Rate limiting or brute-force issues on non-authentication endpoints.
●Missing best practices in Content Security Policy.
●Missing HttpOnly or Secure flags on cookies.
●Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
●Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
●Software version disclosure, banner identification issues, descriptive error messages or headers (e.g. stack traces, application or server errors).
●Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis.
●Tabnabbing.
●Open redirect, unless an additional security impact can be demonstrated.
●Issues that require unlikely user interaction.
●Vulnerabilities that cause local denial of service, including but not limited to local denial of service on the user's end (crashes caused by the format of a parsed file or network protocol).
6. Reward rules
6.1 Rewards are only given to white hats who report security vulnerabilities to SHEIN SRC or to the SHEIN SRC email src@shein.com.
6.2 Rewards are only given for information about threats to SHEIN's products and businesses. Threats which do not affect SHEIN products and businesses will not be included.
6.3 For the same vulnerability, the reward will be given to the first person who submits the report; others will not be rewarded.
6.4 Security vulnerabilities that have already been revealed to the public will not be rewarded.
6.5 The reward will be offered if the vulnerability is disclosed before it is fixed.
7. Supplement
7.1 Malicious reporters will be banned from our site.
7.2 Ranking will change according to the importance of the different business systems.
7.3 SHEIN SRC reserves the right of interpretation of the reward system.
8. Dispute Resolution Policy
During the processing of a security vulnerability, if the reporter has any objection to the processing, assessment, ranking, etc., please contact SHEIN SRC by email at src@shein.com. SHEIN SRC will handle it based on the principle of giving priority to the interests of reporters. A ruling from a third party may be involved if necessary.