KeystoneKeystone
Responsible Disclosure

Security & Responsible Disclosure

Security is foundational to how we build software for Shopify merchants. If you believe you have found a vulnerability in one of our products, we want to hear from you — and we want to credit your work.

Last updated: 22 May 2026

Shop Circle Holdings Ltd (trading as Keystone), One Kingdom Street, Paddington Central, London W2 6BD, United Kingdom ("we," "us," "Keystone" and "our") operates a Responsible Disclosure Program for security researchers who help us identify and resolve vulnerabilities in our production applications.

The program is recognition-based: we do not currently offer monetary rewards, but we will publicly credit valid reporters in our Hall of Fame. Please review the scope and rules below before submitting a report — submissions that follow these guidelines will be triaged faster and have a higher chance of being accepted.

Target Assets

Where to look — and where not to.

In Scope

  • Production environments of our official Shopify applications listed in the Keystone apps portfolio.
  • Core application logic, APIs, and integrations powering those production apps.
  • Authentication flows used by merchants to install and configure Keystone apps.

Out of Scope

  • Marketing and corporate websites where no merchant or customer data is processed.
  • Staging, development, or QA environments.
  • Third-party services we rely on, including Shopify, Stripe, analytics providers, and support tools such as Zendesk and Intercom.
  • The Shopify platform itself. Issues affecting the Shopify core platform should be reported to Shopify directly.

Vulnerability Scope

The categories we actively accept and prioritise — and those we consider out of scope.

In-Scope Categories

Remote Code Execution & Path Traversal

LFI, OS command injection, unsafe deserialization, and similar critical execution flaws.

Authentication & Authorization Flaws

Privilege escalation, IDOR, broken session handling, and OAuth or SSO misconfiguration.

Server-Side Request Forgery (SSRF)

Requests that reach internal infrastructure or sensitive metadata endpoints.

Injection Attacks

SQL, NoSQL, GraphQL, and Server-Side Template Injection (SSTI).

Cross-Site Scripting (XSS)

Stored, reflected, and DOM-based XSS with a realistic exploitation path.

Sensitive Data Exposure

Leakage of merchant or customer PII, hardcoded secrets, and exposed API keys.

Cryptographic Weaknesses

Broken encryption, predictable tokens, and weak random number generation.

Business Logic Flaws

Workflow abuse, pricing manipulation, and subscription or billing bypass.

Out-of-Scope Categories

Infrastructure attacks

DoS, DDoS, volumetric or load-based testing, and physical security.

Social engineering

Phishing or vishing targeting Keystone employees, contractors, or merchants.

Third-party vulnerabilities

Issues in Shopify, Stripe, or other upstream platforms we integrate with.

Email configuration

SPF, DKIM, and DMARC findings without a demonstrated exploit.

Scanner noise & theoretical issues

Automated tool output without a proven impact or working proof of concept.

Missing best practices

Headers, cookie flags, or version banners without demonstrated impact.

Self-exploitation

Self-XSS or attacks requiring unrealistic user interaction.

Authentication UX issues

Logout CSRF, account enumeration, and brute-force without rate-limit bypass.

Resolution Process

From report to recognition — here's how a submission moves through our team.

  1. 01

    Submit your report

    Email a detailed write-up to support@key-stone.app including affected assets, reproduction steps, payloads, and any supporting screenshots or proof-of-concept material.

  2. 02

    Acknowledgement

    We aim to acknowledge every valid submission within two business days and assign a tracking reference for ongoing communication.

  3. 03

    Triage & validation

    Our security team reproduces the issue, assigns a CVSS v3.1 score, and confirms whether the report falls within scope.

  4. 04

    Remediation

    We target fixes within seven days for Critical and High severity findings, and within 30 to 90 days for Medium and Low severity issues.

  5. 05

    Coordinated disclosure

    We follow a 90-day embargo from the date of acknowledgement before any public discussion of the issue.

  6. 06

    Recognition

    With the researcher's consent, we publish their name, an optional link, and the severity of the finding in our Hall of Fame.

Researcher Guidelines

We ask all researchers to act in good faith. Following these principles keeps your report eligible and our merchants safe.

  • Use only your own test stores, accounts, or data. Do not access another merchant's or customer's information.
  • Stop as soon as you have demonstrated impact. Do not exfiltrate, modify, or delete data beyond what is strictly required to prove the finding.
  • Avoid actions that would degrade service for merchants or their shoppers. No automated load, brute force, or destructive testing.
  • Give us a reasonable window to remediate before any public disclosure. Do not extort or threaten public release.
  • Comply with all applicable laws while conducting your research.

Hall of Fame

We publicly credit researchers whose reports lead to a confirmed fix. Want to be the first name on this list?

Our Hall of Fame is just getting started.

Submit a valid vulnerability and we'll credit you here with your name, an optional link, and the severity of your finding.

Rewards

This is a recognition-only program. We do not currently offer monetary rewards or bounty payments. Researchers participate in the program for credit in our Hall of Fame and to help us keep Shopify merchants safe.

Legal Safe Harbour

We consider research conducted in line with this policy to be authorised research. We will not pursue or support legal action against researchers who, in good faith, comply with the rules of this program, including the scope and researcher guidelines set out above.

If legal action is initiated by a third party against a researcher who has complied with this policy, we will make it known that the activity was authorised. This safe harbour does not apply to research that violates applicable law or that falls outside of this policy.

Changes

We may update this policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We encourage you to review this policy periodically.

Governing Law

This policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have non-exclusive jurisdiction.

Contact

For all security-related communication, including vulnerability reports and questions about this policy, reach out to our team directly.

For privacy or data-subject requests, see our Privacy Policy.