01 — Overview

E-commerce surfaces worth pressure-testing

PlyDirect is a UK-based e-commerce platform selling plywood, sheet materials, and building supplies at plydirect.co.uk. The site handles customer accounts, order management, payment processing, admin backoffice panels, CMS content management, and file upload workflows for product imagery and documents — fertile ground for admin access escalation, shell/RCE, XSS-to-file-upload chains, and database extraction if any boundary slips.

In scope materially: every HTTP(S) origin answering for plydirect.co.uk and delegated subdomains, admin and staff portals, CMS and product management interfaces, customer database and order records, checkout and payment processing flows, file upload endpoints, API integrations with shipping and payment providers, staging or preview environments they operate.
Civil exclusions only: mass harassment, ransomware against unrelated third parties, laundering. Not product carve-outs.

Minimum evidence bar — non-negotiable:
  1. Narrative kill chain tying root cause → exploit steps → observable impact
  2. Proof the attack succeeds (replayable scripts, fixture logs, Burp/HAR with matched responses)
Narratives without a working exploitation path are graded below payout threshold.
02 — Why this matters

Why probe PlyDirect?

Flat $5K critical payouts

Validated critical exploits with reproducible payloads earn exactly $5,000 USD — single paid tier on this ledger.

Admin access blast radius

Admin and staff portals control product listings, customer data, order fulfilment, pricing, and content. A single foothold cascades into full store takeover.

File upload & XSS chains

Product images, user uploads, and CMS media libraries are common vectors. XSS-to-file-upload chains and unrestricted file uploads open direct paths to shell access.

03 — Critical reward

$5,000 per validated critical

Critical: $5,000 USD

One flat tier. Every critical submission that meets the evidence bar pays $5,000. Lower severities are not cash-rewarded under this playbook — escalate impact or accept acknowledgement. Multiple criticals from the same researcher are paid independently.

Special bounty uplift: A working shell/RCE chain that escalates to database extraction of customer PII (names, addresses, payment data) qualifies for $10,000+ special bounty.
04 — Scope

What's in scope

Everything PlyDirect operates at plydirect.co.uk and its subdomains. No narrow carve-outs.

  • Admin and staff backoffice panels — authentication bypass, privilege escalation, session hijacking
  • File upload endpoints — unrestricted upload, path traversal, web shell deployment via image/document uploads
  • XSS vectors — stored, reflected, and DOM-based XSS that chain to session theft or admin credential capture
  • Shell/RCE — command injection, template injection, deserialization attacks, SSRF-to-RCE
  • Customer database — SQL injection, NoSQL injection, direct data extraction of PII and order records
  • Checkout and payment flows — price manipulation, order tampering, payment gateway bypass
  • CMS and product management — content injection, media library abuse, privilege escalation from editor to admin
  • API endpoints — REST and GraphQL surfaces, authentication flaws, mass assignment, IDOR
  • Staging / dev environments — any subdomain or path prefixed dev-, staging-, test-, or equivalent
05 — Full-scope policy

No discretionary carve-outs

PlyDirect operates a no-exclusions bounty policy for the surfaces described above. Every endpoint, parameter, file upload handler, and admin interface PlyDirect runs or delegates is eligible when a critical impact is reproducible.

  • Every apex / vanity hostname routing through PlyDirect edge — include the routing evidence in your chain write-up
  • Third-party integrations PlyDirect embeds (shipping calculators, payment iframes, chat widgets) when the vulnerability originates from PlyDirect's implementation
  • Edge caches or CDN config PlyDirect controls that can be abused for cache poisoning or web shell delivery
  • Admin and staff subdomains — home in on admin, dashboard, staff, backoffice paths
Legal floor (not bounty shrink): harassment, indiscriminate ransomware, laundering — still barred even though technical surface is maximal.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Ship artefacts that third parties can rerun: scripted curl flows, Burp/HAR exports, SSRF egress captures, web shell access logs with command execution proof.
  2. Articulate kill chain granularity. Number each hop: initial vector (XSS, SQLi, file upload) → privilege escalation → admin access → data exfiltration / shell / sustained compromise.
  3. Responsible blast radius documentation. Quantify the users or records affected, even when the chain was exercised only on staging mirrors that faithfully reproduce production routing and auth.
  4. Encrypt & ship privately. Use sanctioned intake on plydirect.co.uk (see submit section) before broadcasting exploit details.
  5. Honor duplicate fairness. On collisions, the first fully qualifying chain with reproducible exploitation wins the payout.
07 — Submit

How to submit a report

Start from the security / disclosure contact publicly listed on plydirect.co.uk (security@plydirect.co.uk is a common pattern — verify on the vendor site before sending). The mandatory sections are mirrored below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — impact in one paragraph
# Severity self-classification → must map to PlyDirect critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (session / API key / org context)
2. Entry primitive — exact HTTP verb/path/query/body
3. Pivot(s) chaining trust escalation
4. Final hop → admin access / data exfiltration / shell / file upload compromise equivalent
## Successful exploitation evidence
• Replayable script + truncated responses showing impact
• HAR / Burp with unauthorized state change
• Web shell access logs or file upload proof
## Reproduction package
Commands + fixtures + pinned SHAs
## Disclosure ack
Responsible channel only until PlyDirect clears publication coordination
Gating reminder: Missing kill chain granularity or lacking demonstrable exploitation success bumps the intake into "needs rework" — no payout until solved.
08 — Example

PHP web shell via unrestricted file upload

Illustrative PHP for a product image upload that accepts .php files. As a submission it is useless without traces proving the uploaded file is reachable and executes on the server.

PHP · illustrative vulnerability
<?php
// BUGGY: no extension validation, no MIME check, no size limit, file stored in webroot.
// The client-supplied filename is used as-is, so the stored extension is whatever
// the request says it is.
if (isset($_FILES['product_image'])) {
    // Destination path built directly from the user-controlled name.
    $target = 'uploads/' . $_FILES['product_image']['name'];
    move_uploaded_file(
        $_FILES['product_image']['tmp_name'],
        $target
    );
    // Echoes the stored path back to the client.
    echo "File saved: " . $target;
}
?>
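A hardened form of the same handler, added here as an illustration and not PlyDirect's code. It assumes an upload directory outside the webroot (the path below is an assumption) served by a separate read-only handler, sniffs the real content type, and assigns a server-chosen name, which removes the execution path the buggy version leaves open.

```php
<?php
// Hardened product-image upload (added example, not PlyDirect's code).
// Assumption: UPLOAD_DIR is outside the webroot and files are served by a
// separate read-only handler, so nothing stored here is ever executed.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads';  // assumed path, not on the page
const MAX_BYTES  = 5 * 1024 * 1024;
// Allow-list keyed by sniffed MIME type; the value is the extension we assign.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/webp' => 'webp'];

function store_product_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the type from the bytes; the client-supplied name and type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('unsupported image type');
    }
    // Must also parse as an image (readable dimensions); belt-and-braces on top of the sniff.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name and extension: nothing from the request reaches the path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // readable by the app, never executable
    return basename($dest);
}

if (isset($_FILES['product_image'])) {
    try {
        $stored = store_product_image($_FILES['product_image']);
        echo 'File saved as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';  // no internal detail leaked to the client
    }
}
```

A file that is a valid image and also carries other content passes both content checks, so it is the location outside the webroot and the server-chosen extension, not the sniffing, that deny execution.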
09 — FAQ

Frequently asked questions

Is anything actually "out of scope" besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines. If PlyDirect hosts, proxies, or documents a surface, testers escalate until triage disqualifies specifics.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both narrative and evidence of successful attack replay. Theory-only stalls without compensation.

Are staging / dev environments fair game?

Yes, whenever PlyDirect labels or operates them. Mirror configs realistically where possible.

Duplicates?

First validated chain + reproducible exploitation wins; followers acknowledged only.

Lower severities rewarded?

Not under this $5K-flat critical playbook — escalate impact or accept acknowledgement without cash.

Critical chain + working exploit = $5,000

No narrow scope appendix — document the attack, prove it lands, file privately.