Report Security Issues

At Museum Toy Store, we take the security of our website and customer data seriously. If you discover a potential security vulnerability affecting our website or services, we encourage you to report it to us as soon as possible. We carefully review all legitimate reports and work promptly to investigate and resolve confirmed security issues.

Before submitting a report, please review the guidelines below, including our responsible disclosure principles, vulnerability reward program, and reporting requirements.

Responsible Disclosure Principles

If you follow the guidelines below when reporting a security issue to Museum Toy Store, we will not pursue legal action or initiate enforcement proceedings against you solely for your good-faith security research.

We ask that you:

  1. Allow us a reasonable amount of time to investigate and resolve the reported vulnerability before publicly disclosing it.
  2. Do not access, modify, or interfere with another user's account or data without their explicit permission.
  3. Make every effort to avoid privacy violations, data loss, service disruption, or damage to our systems.
  4. Do not exploit any vulnerability beyond what is necessary to demonstrate its existence. This includes attempting to access sensitive information or compromising additional systems.
  5. Comply with all applicable laws and regulations while conducting your security research.

Vulnerability Reward Program

We appreciate the efforts of security researchers who help improve the safety of our services by responsibly reporting vulnerabilities.

Monetary rewards may be offered at the sole discretion of Museum Toy Store, based on factors such as the severity, impact, exploitability, and quality of the report.

To be considered for a reward, you must:

  1. Follow the Responsible Disclosure Principles outlined above.
  2. Report a genuine security vulnerability that presents a security or privacy risk to our website or infrastructure.
  3. Submit a detailed report through our designated security contact. Please do not contact individual employees regarding security issues.
  4. Disclose any accidental access to confidential information or service disruptions that occurred during your testing.
  5. Provide sufficient technical details and reproducible steps to allow our team to verify the issue.
  6. Understand that all reports are reviewed and prioritized according to their potential impact. Response times may vary depending on the volume and severity of reports received.
  7. Acknowledge that Museum Toy Store reserves the right to publish resolved vulnerability reports where appropriate.

Reward Guidelines

Rewards are determined based on the overall impact and severity of the reported vulnerability. The amounts listed below represent the maximum reward available for each severity level. Final reward decisions remain at our sole discretion.

Critical Severity — Up to $200

Critical vulnerabilities may include issues that allow complete compromise of our platform or customer data.

Examples include:

  • Remote Code Execution (RCE)
  • Remote Command or Shell Execution
  • Privilege Escalation to Administrator
  • SQL Injection resulting in unauthorized data disclosure
  • Full account takeover
  • Financial theft or unauthorized transactions

High Severity — Up to $100

High-impact vulnerabilities affecting the security of our platform or users.

Examples include:

  • Authentication bypass
  • Disclosure of sensitive internal information
  • Stored Cross-Site Scripting (Stored XSS)
  • Local File Inclusion (LFI)
  • Insecure handling of authentication cookies

Medium Severity — Up to $50

Issues affecting multiple users that require minimal user interaction.

Examples include:

  • Business logic flaws
  • Insecure Direct Object References (IDOR)
  • Authorization weaknesses

Low Severity

Issues with limited impact that typically require significant user interaction or specific conditions.

Examples include:

  • Open Redirect
  • Reflected Cross-Site Scripting (Reflected XSS)
  • Low-risk information disclosure

Reporting a Security Issue

If you believe you have identified a security vulnerability affecting Museum Toy Store, please submit a detailed report including:

  • A description of the vulnerability.
  • Steps to reproduce the issue.
  • The affected pages, systems, or functionality.
  • Any supporting screenshots, proof of concept, or technical information.
  • Your contact details so our security team can communicate with you if additional information is required.

We appreciate the efforts of the security research community and are committed to maintaining a secure experience for all Museum Toy Store customers.