Shop Circle Holdings Ltd (trading as Keystone), One Kingdom Street, Paddington Central, London W2 6BD, United Kingdom ("we," "us," "Keystone" and "our") operates a Responsible Disclosure Program for security researchers who help us identify and resolve vulnerabilities in our production applications.
The program is recognition-based: we do not currently offer monetary rewards, but we will publicly credit valid reporters in our Hall of Fame. Please review the scope and rules below before submitting a report — submissions that follow these guidelines will be triaged faster and have a higher chance of being accepted.
Target Assets
Where to look — and where not to.
In Scope
- Production environments of our official Shopify applications listed in the Keystone apps portfolio.
- Core application logic, APIs, and integrations powering those production apps.
- Authentication flows used by merchants to install and configure Keystone apps.
Out of Scope
- Marketing and corporate websites where no merchant or customer data is processed.
- Staging, development, or QA environments.
- Third-party services we rely on, including Shopify, Stripe, analytics providers, and support tools such as Zendesk and Intercom.
- The Shopify platform itself. Issues affecting the Shopify core platform should be reported to Shopify directly.
Vulnerability Scope
The categories we actively accept and prioritise — and those we consider out of scope.
In-Scope Categories
Remote Code Execution & Path Traversal
LFI, OS command injection, unsafe deserialization, and similar critical execution flaws.
Authentication & Authorization Flaws
Privilege escalation, IDOR, broken session handling, and OAuth or SSO misconfiguration.
Server-Side Request Forgery (SSRF)
Requests that reach internal infrastructure or sensitive metadata endpoints.
Injection Attacks
SQL, NoSQL, GraphQL, and Server-Side Template Injection (SSTI).
Cross-Site Scripting (XSS)
Stored, reflected, and DOM-based XSS with a realistic exploitation path.
Sensitive Data Exposure
Leakage of merchant or customer PII, hardcoded secrets, and exposed API keys.
Cryptographic Weaknesses
Broken encryption, predictable tokens, and weak random number generation.
Business Logic Flaws
Workflow abuse, pricing manipulation, and subscription or billing bypass.
Out-of-Scope Categories
Infrastructure attacks
DoS, DDoS, volumetric or load-based testing, and physical security.
Social engineering
Phishing or vishing targeting Keystone employees, contractors, or merchants.
Third-party vulnerabilities
Issues in Shopify, Stripe, or other upstream platforms we integrate with.
Email configuration
SPF, DKIM, and DMARC findings without a demonstrated exploit.
Scanner noise & theoretical issues
Automated tool output without a proven impact or working proof of concept.
Missing best practices
Headers, cookie flags, or version banners without demonstrated impact.
Self-exploitation
Self-XSS or attacks requiring unrealistic user interaction.
Authentication UX issues
Logout CSRF, account enumeration, and brute-force without rate-limit bypass.
Resolution Process
From report to recognition — here's how a submission moves through our team.
- 01
Submit your report
Email a detailed write-up to support@key-stone.app including affected assets, reproduction steps, payloads, and any supporting screenshots or proof-of-concept material.
- 02
Acknowledgement
We aim to acknowledge every valid submission within two business days and assign a tracking reference for ongoing communication.
- 03
Triage & validation
Our security team reproduces the issue, assigns a CVSS v3.1 score, and confirms whether the report falls within scope.
- 04
Remediation
We target fixes within seven days for Critical and High severity findings, and within 30 to 90 days for Medium and Low severity issues.
- 05
Coordinated disclosure
We follow a 90-day embargo from the date of acknowledgement before any public discussion of the issue.
- 06
Recognition
With the researcher's consent, we publish their name, an optional link, and the severity of the finding in our Hall of Fame.
Researcher Guidelines
We ask all researchers to act in good faith. Following these principles keeps your report eligible and our merchants safe.
- Use only your own test stores, accounts, or data. Do not access another merchant's or customer's information.
- Stop as soon as you have demonstrated impact. Do not exfiltrate, modify, or delete data beyond what is strictly required to prove the finding.
- Avoid actions that would degrade service for merchants or their shoppers. No automated load, brute force, or destructive testing.
- Give us a reasonable window to remediate before any public disclosure. Do not extort or threaten public release.
- Comply with all applicable laws while conducting your research.
Hall of Fame
We publicly credit researchers whose reports lead to a confirmed fix. Want to be the first name on this list?
Our Hall of Fame is just getting started.
Submit a valid vulnerability and we'll credit you here with your name, an optional link, and the severity of your finding.
Rewards
This is a recognition-only program. We do not currently offer monetary rewards or bounty payments. Researchers participate in the program for credit in our Hall of Fame and to help us keep Shopify merchants safe.
Legal Safe Harbour
We consider research conducted in line with this policy to be authorised research. We will not pursue or support legal action against researchers who, in good faith, comply with the rules of this program, including the scope and researcher guidelines set out above.
If legal action is initiated by a third party against a researcher who has complied with this policy, we will make it known that the activity was authorised. This safe harbour does not apply to research that violates applicable law or that falls outside of this policy.
Changes
We may update this policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. We encourage you to review this policy periodically.
Governing Law
This policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The courts of England and Wales shall have non-exclusive jurisdiction.
Contact
For all security-related communication, including vulnerability reports and questions about this policy, reach out to our team directly.
Contact email
support@key-stone.appFor privacy or data-subject requests, see our Privacy Policy.