Effective date: 2026-06-06 (GA launch)
Anchored: 2026-05-19 · v1.0
Contact: AssetShopCo@gmail.com (primary) · AssetShopCo@gmail.com (until DNS verified)
Our commitment
AssetShop welcomes good-faith security research. We commit to:
- Acknowledge your report within 48 hours
- Triage and respond within 5 business days
- Coordinate a disclosure timeline that works for both parties
- Acknowledge your contribution publicly (with your consent)
- Pursue no legal action against researchers acting in good faith per this policy
This is a commitment, not aspirational language. Test it.
Reporting
Preferred channel: email AssetShopCo@gmail.com (until DNS live: AssetShopCo@gmail.com)
PGP key: published at /.well-known/security-pgp.asc on trust.enterprise.assetshop.eth
Include:
- Description of the vulnerability
- Steps to reproduce (clear, replicable)
- Potential impact (CVSS-style if you can)
- Your name and contact (or pseudonym + how to reach you)
- Whether you want public acknowledgment (default: yes, with your name)
Do not:
- Disclose publicly until we've agreed on timing
- Access customer data (test against your own test account if possible)
- Perform DoS or DDoS testing
- Use automated scanners against production at high rate (please coordinate)
- Social-engineer AssetShop staff or customers
- Test physical security at AssetShop offices (we don't have any yet, but still)
Scope · in-scope
| Asset | Notes |
|---|---|
| *.assetshop.eth (5 IPFS sites) | enterprise / sco / platform / demo / trust |
| *.assetshop.com (when DNS live) | All marketing + product surfaces |
| api.assetshop.com (when deployed) | Backend API endpoints |
| @assetshop/verify-cli (npm) | Verification CLI tool |
| AssetShop SCO product (post-GA) | Customer-facing product surfaces |
| AssetShopAnchor.sol on Base L2 | Anchor contract (specific deployment address) |
Scope · out-of-scope
| Asset | Why |
|---|---|
| Customer ERP systems | Belong to the customer; we don't authorize testing |
| AWS / GCP / Azure | Report to the cloud provider directly |
| Base L2 chain itself | Coinbase / Optimism Foundation handles |
| Open-source libraries we depend on | Report upstream first; we'll patch when they do |
| AssetShop staff personal accounts | Personal scope only |
| Marketing-only surfaces with no auth | Cosmetic issues without security impact |
What we'll pay
Currently: Public acknowledgment + swag + a thank-you call from the founder.
Post-funding (target Q1 2027): Cash bounties via HackerOne or Bugcrowd, scaled by severity.
Indicative future ranges (when bounty program launches):
| Severity | CVSS | Bounty |
|---|---|---|
| Critical | 9.0-10.0 | $5,000-$15,000 |
| High | 7.0-8.9 | $1,500-$5,000 |
| Medium | 4.0-6.9 | $500-$1,500 |
| Low | 0.1-3.9 | $100-$500 |
| Informational | - | $50 + swag |
Today we don't pay cash - but we will name you in the hall of fame, give you a written letter for your CV, and the founder will personally thank you and discuss your finding.
Hall of Fame
The first 10 researchers to report a valid vulnerability (any severity) receive permanent listing at /hall-of-fame on trust.enterprise.assetshop.eth, plus a signed certificate. The Hall of Fame is launched at GA.
Triage process
- You report → we acknowledge within 48 hours
- We assign severity (CVSS) and internal ticket
- We confirm/dispute reproducibility within 5 business days
- We provide a patch timeline based on severity:
  - Critical: 7 days
  - High: 30 days
  - Medium: 90 days
  - Low: roadmap
- We patch
- We notify you of patch + ask about coordinated disclosure timing
- We publish a public advisory (with your acknowledgment, if you consent)
- We add you to Hall of Fame
Coordinated disclosure
We respect the reporter's timeline. Default disclosure is:
- 90 days from report for Critical/High (or sooner if reporter prefers)
- 180 days for Medium
- Reporter discretion for Low
If we cannot agree, we will not retaliate. We'll let you publish on your timeline; we'll publish our advisory on ours. Coordinated disclosure is the goal but not the only path.
What we'll never do
- Threaten legal action against good-faith researchers
- Demand researchers sign NDAs as a condition of submission
- Delay disclosure to avoid embarrassment (we ship calibration ledger entries about our own vulnerabilities)
- Retaliate against employers, schools, or institutions of researchers
- Refuse credit to researchers who want it
What we expect from researchers
- Good faith: research, not exploitation
- No accessing customer data beyond proof-of-concept minimum
- No exfiltration of data; demonstrate access via metadata only
- Patient triage cycle (5 business days)
- Coordinated public disclosure
- Compliance with all applicable laws
If you act in good faith per this policy, we will not pursue legal action regardless of outcome.
Edge cases
"I found something but it's only theoretical." Report it anyway. We'll triage and respond.
"I found something but it requires admin access I already have." That's not a vulnerability; that's authorized use. But if your access path includes an unintended escalation, do report.
"I found a vulnerability in an AssetShop customer's ERP through AssetShop." Stop, do not access customer data, and report immediately. We'll coordinate with the customer.
"I'm a competitor." Doesn't matter. Good-faith reports are welcome from anyone.
"I want to remain anonymous." Fine. Use a pseudonym + ProtonMail; we'll still respond.
Calibration discipline
Every confirmed vulnerability becomes a calibration ledger row: CLM_YYYY_QN_VULN_NNN. Severity, patch timeline, and remediation status are public (vulnerability details remain confidential until coordinated disclosure date).
This means AssetShop publicly tracks its own vulnerabilities. The calibration discipline does not exempt our own product from honest disclosure.
Updates
This policy is reviewed annually. Material changes are versioned (this is v1.0).
Bottom line: if you find something, tell us. We will treat you well. We will fix what you found. We will give you credit. We will not sue you.