Report Security Issue

Last Updated: April 2026

If you've found a security vulnerability on popcobs.com, we encourage you to contact us immediately. We review all legitimate reports and aim to resolve issues quickly. Before reporting, please review this document — including our fundamentals, bounty program, reward guidelines, and non-reportable issues.

Fundamentals

If you follow the principles below when reporting a security issue to popcobs.com, we will not initiate legal action or enforcement investigations against you in response to your report.

We ask that:

• You give us reasonable time to review and fix the issue before disclosing it publicly or sharing it with others.
• You do not interact with or access private accounts without the account owner's consent.
• You make a good-faith effort to avoid privacy violations, service disruptions, or data destruction.
• You do not exploit the issue for any reason, including to demonstrate further risks or access sensitive data.
• You comply with all applicable laws and regulations.

Bounty Program

We recognize and reward security researchers who help protect our platform by reporting vulnerabilities. Bounties are awarded at popcobs.com's discretion, based on risk, impact, and report quality.

To potentially qualify for a bounty, you must:

• Follow the fundamentals listed above.
• Report a valid security bug that poses a risk to privacy or security.
• Submit your report by emailing Contact@popcobs.com with the subject line: Security Vulnerability Report. Please do not contact employees directly.
• Disclose any accidental privacy violations or disruptions in your report.
• Understand that while we investigate all valid reports, priority is based on risk. A response may take some time.
• Agree that all reports are kept confidential until the issue has been fully resolved.

Scope

The following are considered in scope for security reports:

• popcobs.com website and storefront
• Customer account and login system
• Checkout and payment flow
• Order management and personal data handling

The following are out of scope:

• Third-party plugins or services we have no control over
• Denial of service attacks
• Social engineering or phishing attempts
• Physical security issues

Rewards

Rewards are based on the impact and severity of the vulnerability. Please provide detailed and reproducible steps in your report. If the issue cannot be reproduced, it is not eligible for a bounty.

• The first valid report of an issue receives the bounty.
• Multiple bugs caused by a single underlying issue are treated as one report.
• We assess rewards based on impact, exploitability, and report quality.

Critical Severity – $200

Includes major issues like:

• Remote Code Execution
• Remote Shell or Command Execution
• Vertical Authentication Bypass
• SQL Injection that leaks targeted data
• Full account access

High Severity – $100

Includes issues such as:

• Lateral authentication bypass
• Disclosure of sensitive internal data
• Stored XSS affecting other users
• Local file inclusion
• Insecure handling of authentication cookies

Medium Severity – $50

Examples include:

• Logic or business process flaws
• Insecure object references

Low Severity – Recognition Only

Examples include:

• Open redirects
• Reflected XSS
• Low-sensitivity information leaks

Contact Information

To report a security vulnerability, email us with the subject line Security Vulnerability Report.

📍 Address: 1948 Pecos Hwy, Loving, NM 88256, USA

✆ Phone: +1 (575) 210-4009

✉ Email: Contact@popcobs.com