Responsible Disclosure Policy
SkinBox welcomes good-faith security research. This document describes how to report a vulnerability, what you can expect from us in return, and the ground rules that keep the program safe for both sides.
How to report
- Email [email protected] with the subject [disclosure] short title.
- Include reproduction steps, affected URL(s), and the likely impact (information disclosure, privilege escalation, money movement, etc.).
- If you need to share a proof-of-concept that involves sensitive data, PGP-encrypt it — our key fingerprint is published via /.well-known/security.txt.
- One finding per report. If you have a cluster, send one intake email and we'll loop in a thread.
What you can expect from us
- Acknowledgment within 72 hours — a real person, not a bot, confirming the report landed.
- First status update within 7 days — triage outcome, expected remediation window, and any clarifying questions.
- Fix timelines: critical (account takeover, money movement) target 72h; high (data leak, auth bypass) target 14d; medium/low target 60d.
- Credit: with your permission, we list your name / handle in the Hall of Fame below once the fix ships.
- No legal action for good-faith research within the scope and rules on this page.
In scope
- The SkinBox marketplace at skinbox.market and its API surface at /api/*.
- Our browser extension (SkinBox Valuer) published on the Chrome Web Store.
- Email and transactional flows (verification, password reset, 2FA, sign-in alerts, withdrawal approval).
- The wallet, deposit (Stripe), withdrawal, escrow, and dispute flows.
Out of scope
- Third-party dependencies — report to the vendor (Stripe, Steam, Cloudflare, unpkg).
- Denial-of-service testing, traffic flooding, or volumetric attacks.
- Social engineering of SkinBox staff or CSRs.
- Physical intrusion into our infrastructure providers.
- Automated scanner noise (missing security headers we already set, self-XSS that requires the victim to paste attacker-supplied JS into the console, etc.).
- Vulnerabilities requiring access to a rooted or malware-infected user device.
Ground rules
- Don't exfiltrate more data than you need to prove impact. If you stumble on another user's data, stop, document, and email us.
- Don't pivot into other users' accounts, move money, or tamper with trades.
- Don't publish the finding (blog post, CVE, tweet thread) until we've confirmed the fix ships — 90 days default, extendable by mutual agreement.
- Use accounts you own for testing. If you need a test account with inventory, ask — we'll provision one.
- Stay within the scope above; anything outside it may fall outside our safe-harbor commitment.
Rewards
We're a small team and don't run a paid bug bounty yet. What we offer: public credit, a personalized thank-you, and a SkinBox swag pack once our merch tier ships. If you find something critical (account takeover, funds movement, mass data exposure) we'll negotiate a one-off reward.
Hall of Fame
Researchers who reported a valid issue and gave us time to fix it before disclosure. Want your handle on this list? Send us a finding.
- Pending our first external report.
Changes to this policy
We may update this page as the program matures. The Expires field in /.well-known/security.txt is refreshed on every review; if that date is in the past, the policy is stale and we'd still love to hear from you — email anyway.