This policy outlines the guidelines for investigating and reporting security vulnerabilities to Fourthwall.
How can I report a Website Security Vulnerability?
Timeframe for Reporting:
Provide Fourthwall with sufficient time to investigate and address the vulnerabilities you report before publicizing them or sharing details with others.
Prohibited Actions:
- Do not exploit any discovered security vulnerabilities. This includes refraining from demonstrating additional risks by exploiting vulnerabilities.
- Do not access or modify data belonging to other users without their consent. You may create new accounts for testing purposes.
- Ensure that your actions do not negatively impact Fourthwall users' experience, such as causing service interruptions or data destruction.
Valid Targets for Investigation:
The Fourthwall website and its associated services, including storefronts and checkouts hosted by Fourthwall, are valid targets for security testing. If you find a vulnerability on a storefront, submit it once: do not file duplicate reports for the same issue just because it affects multiple domains.
Examples of Valid Vulnerabilities:
- Vulnerabilities listed in the OWASP Top 10.
- Remote code execution vulnerabilities.
- Issues related to authentication and authorization.
- We only consider DoS issues that a single user with a request can trigger.
- We only consider DoS issues that cause significant disruption to the entire service, not just an individual shop or instance.
Known Issues
The following issues or behaviors are intentional or already known to Fourthwall. Submitting reports that fall into these categories will be marked as Not Applicable:
Ineligible Vulnerability Types
The following issues are explicitly out of scope and will be immediately closed as Not Applicable:
- Enumeration of random identifiers: Without a corresponding proof of concept.
- Tab Nabbing
- Vulnerability Scanner False Positives: Issues reported by automated scanners that are not verifiable or exploitable by humans.
- Social Engineering: Any issue requiring social engineering tactics, such as phishing or impersonating a Fourthwall employee. This includes contacting Fourthwall Support under false pretenses.
- Reports of Broken Links or Unclaimed Social Media Accounts: Unless combined with an impactful exploit.
- Content Spoofing.
- Bypassing HTML Sanitization to Make External HTTP Requests on the storefront level by a privileged user.
- Distributed Denial of Service (DDoS)
- Exploiting Behaviors in Outdated Browsers
- Issues with SPF, DKIM, DMARC, CAA, TLSA or DNSSEC Records: On fourthwall.com or other Fourthwall domains (often reported as email spoofing).
- CSV or Formula Injection.
- Hyperlink Injection: Performed on the storefront level by a privileged user.
- Insecure Cookie Handling for Account Identifying Cookies.
- Perceived Permission Issues: Without impact on data integrity or confidentiality (e.g., changing admin view settings).
- Theoretical Subdomain Takeovers: Without supporting evidence.
- Generic Host Header Attacks: Without evidence of targeting a remote victim.
- Reports Related to CVV Validation During Payment: CVV validation rules may vary across regions, and we implement other controls to prevent fraud.
- Disclosure of Server or Software Version Numbers
- Spam/Flooding: Email flooding, SMS flooding, or other flooding attacks.
- Reports Related to Permitted Password Strength
- Missing HttpOnly Flags, Secure Flags, and Browser Cache Vulnerabilities
- Outputs from Automated Tools: Without a corresponding proof of concept.
- General Configuration or Policy Suggestions: These are not vulnerabilities.
- Flaws Specific to Outdated Browsers or Plugins.
- Slow Requests: These eventually complete successfully without rendering the service unavailable to others.
- Usability or UI Issues
- Third-Party Security Flaws: If one of our partners (e.g., TikTok, Stripe, etc.) were to expose their databases with unencrypted personally identifiable information (PII).
Even though we do not recognize such reports as belonging to our platform, we will escalate them to our partners through the available channels.
Staff Member Permissions
Fourthwall offers a comprehensive set of granular permissions within our admin interface, as documented in our official guidelines.
We consider the following categories to be relevant to staff member permissions. If your observed behavior does not fit into these categories, please carefully assess the practical impact before submitting a report, as it may be closed as Not Applicable.
Direct Financial Impact on the Store (the action must directly result in financial impact):
- Valid: Reducing the price of an existing product available on sales channels without proper authorization.
- Invalid: Adding new product variants at a lower price but not making them available on sales channels.
Unauthorized Privilege Escalation to Sensitive Permissions (e.g., Manage Settings, Manage Payment Settings, and Themes):
- Valid: A staff member with only order permissions can perform actions reserved for those with Manage Settings permissions.
- Invalid: A staff member with Manage Settings permissions performs an action not explicitly listed in the public documentation.
Unauthorized Access to Buyer Personally Identifiable Information (PII):
- Valid: Staff members accessing or modifying buyer PII without proper authorization.
- Invalid: Staff members with order permissions accessing basic buyer information.
Cross-Site Scripting (XSS)
At Fourthwall, we allow creators to use HTML in their store descriptions, product details, and other content fields. This is by design and is not considered a vulnerability.
The following types of XSS are explicitly out of scope for this program:
- XSS via Set Header: Any issue requiring full control over an HTTP header, such as Referer, Host, etc.
- XSS via Inspect Element/Console: Any issue that necessitates using browser developer tools to execute JavaScript.
- Self-XSS: Any issue lacking a plausible attack scenario. Generally, we accept reports when no more than two steps are required. For example, pasting a malicious payload into an editor and then clicking "Preview" would be two steps.
- XSS in Storefront: Any situation where a store owner or staff member can inject JavaScript into the storefront area of their own store (including any *-shop.fourthwall.com domains).
- XSS via iFrames: Issues related to the storefront being displayed within an <iframe> in the admin area, such as in the Theme Editor.
- XSS in Fourthwall Checkout: Any case where a store staff member can inject JavaScript into the checkout area of their own store (including any *-shop.fourthwall.com domains).
- XSS in Rich Text Editor: Problems concerning the execution of JavaScript in legacy Rich Text Editors within the Blogs and Pages sections of the Fourthwall admin by a privileged user.
Subdomain Takeovers
Reports concerning dangling domain records will be assessed individually for potential bounty eligibility, considering factors such as:
- Purpose of the Domain: If it can be inferred (e.g., a test application).
- Likelihood of Successful Takeover: Whether the specific IP address or service can be readily acquired by someone else.
- Probability of Traffic: The chance that traffic would be directed to the specific fully qualified domain name (FQDN) during normal operations.
Most of these reports will result in a CVSS score of 0 and will not qualify for a bounty. If you believe you have identified a dangling domain record susceptible to takeover and likely to receive traffic, please provide a detailed methodology and supporting evidence in your report.
Fourthwall Hosted Stores
Several commonly reported false positives in Fourthwall-hosted (*.fourthwall.com) stores are not considered vulnerabilities. The following types of issues will be closed as Not Applicable:
- Staff Access to Administrative Endpoints
- Password Reset Tokens Not Expiring Upon Email Change
- Insecure "Coming Soon" Password
- Staff Members with "Edit Permissions" Removing Permissions They Do Not Possess
- Intended Public Files
- Lack of Domain Verification When Adding a Custom Domain
- Email Addresses Not Requiring Verification Upon Signup
- User or Store Name Enumeration
Cross-Site Request Forgery (CSRF)
The following CSRF issues are explicitly out of scope:
- CSRF for Login or Logout: Vulnerabilities affecting login or logout actions, unless combined with another vulnerability to demonstrate significant impact.
- CSRF for Cart Modification: Any CSRF that allows shopping cart modification.
Content Delivery Network (CDN)
At Fourthwall, we encourage creators to use our CDN (e.g., static.fourthwall.com, cdn.fourthwall.com, and other storage domains) to host any files they wish. This is intentional and not considered a vulnerability, as this content operates in a separate context and cannot directly affect our platform.
The following CDN-related issues are explicitly out of scope and will be closed as Not Applicable:
- CDN - Arbitrary File Upload: Any scenario where a store staff member can upload arbitrary files to our CDN.
- CDN - Sensitive Data Disclosure: All files on the Content Delivery Network (cdn.fourthwall.com) are intentionally public.
- CDN - Stored XSS: Any case where a store staff member can upload files to our CDN and execute JavaScript within the context of a CDN domain (e.g., static.fourthwall.com and cdn.fourthwall.com), unless chained with another weakness or vulnerability that yields a realistic attack scenario.
Mobile Applications
Several commonly reported false positives in Fourthwall's mobile applications are not considered vulnerabilities. The following types of issues will be closed as Not Applicable:
- Issues Exploitable Only on Emulated Devices
- Physical Access to the Device: Issues that are exploitable only on rooted or jailbroken devices, require debug access, or depend on operating system vulnerabilities.
- Mobile Application Biometric Bypass
- Absence of Mobile Application Encryption
- Lack of Mobile Binary Protection or SSL Pinning
Potential Ineligible Vulnerability Types
Fourthwall does not consider the following issues to be eligible for this program. These reports will typically be closed as Not Applicable:
- Race Conditions: Must be exploitable and allow access to sensitive information. Race conditions leading to unauthorized access to paid features on ineligible plans (e.g., bypassing staff member limits) are not eligible.
- Server-Side Request Forgery (SSRF): Simple HTTP/DNS interactions alone are not considered vulnerabilities. We have measures to detect and prevent SSRF attacks.
- Open Redirects: Any scenario where a user can be redirected to an arbitrary URL without user interaction unless combined with another vulnerability to demonstrate significant impact.
- HTML Injection in Emails: Issues allowing a store owner or staff member to inject arbitrary HTML into emails unless chained with another eligible vulnerability.
- Perceived Security Weaknesses: Without evidence of the ability to target a remote victim (e.g., credentials transmitted in POST body as plain text, missing rate limits, brute-forcing without demonstrated impact).
Bounty rules:
Depending on the severity of the issue, we offer payments ranging from $50 to $1500 for high-impact and critical vulnerabilities. As a small and growing company, we can sometimes reward reporters with a place in the Hall of Fame and unique swag available only to security researchers. Each report needs to be evaluated by our security team, which will assess it and assign the bounty value according to that assessment. We will not issue a bounty for duplicate reports or issues previously reported by other researchers.
Contact for Security Researchers:
If you identify a general security vulnerability on the Fourthwall website, please report your findings by emailing csirt@fourthwall.com.
Due to limited capacity and a large volume of submissions, our response times may vary. While we strive to respond as quickly as possible, in some cases it may take up to three months to provide a complete response. However, please be assured that we value every report and will address your submission as soon as possible.