Security is a top priority at Items.com, LLC ("Items.com"). Items.com welcomes the disclosure of any potential vulnerabilities in Items.com’s systems.
This document is intended to inform you of our guidelines for disclosing any medium and high severity vulnerabilities discovered in our systems, including, but not limited to, the rules for testing the vulnerabilities and the locations where we are receptive to learning about any of these medium-to-high-severity vulnerabilities.
Levels of Severity
Items.com is currently accepting medium severity and higher vulnerabilities in the listed focus areas. At this time, Items.com is not seeking any informational or low severity vulnerability disclosures.
Do not upload, link to, transmit, post, send, or transfer any malware to Items.com or Items.com’s website properties, users, partners, vendors, customers, data centers, service providers, etc.
Do not perform any attacks against end-users of Items.com’s services. All testing must be conducted using accounts created by Items.com for the sole purpose of testing the vulnerabilities of Items.com’s systems.
Do not send vulnerabilities that only impact outdated browsers or browsers that are not widely used by Items.com’s users.
Do not engage in any physical or phishing attacks against Items.com’s website properties, users, partners, vendors, customers, data centers, service providers, etc.
Do not use tools that perform automatic scans, as we will not accept, and will not respond to, any reports from automated tools.
Do not pursue any vulnerabilities that cause unauthorized messages or unsolicited bulk messages (spam) to be sent.
Do not send Items.com any advice, including but not limited to, best practice, policy, or configuration suggestions.
Do not send vulnerabilities that are considered self-XSS issues.
Do not perform any attacks that cause service outages, cause any degradation of Items.com’s services, or cause any impact on Items.com’s users' experiences.
Vulnerabilities Already Known to Items.com
Unless they reveal any sensitive information or any of Items.com’s source code, Items.com is not seeking vulnerability disclosures for any HTTP 404 or other error codes and pages;
Versions and banner disclosures are already known by Items.com; and
The presence of common public files that are standard in the industry.
Items.com does not currently offer any rewards for any vulnerability disclosures, regardless of the severity of the issue that is disclosed.
How to Submit a Vulnerability Disclosure?
You can submit disclosures by emailing us at support@Items.com
Please include each of the following details when submitting a vulnerability disclosure:
A clear description of the vulnerability;
A description of an attack scenario;
Sufficient details and examples to allow Items.com to recreate the presence of the vulnerability;
Detailed reproduction steps that demonstrate the presence of the vulnerability; and
Recommendations on how Items.com can fix the vulnerability, or improve security to prevent any risk to Items.com’s users.