Commerce surface worth stress-testing
SellApp concentrates money movement, digital-goods entitlement, reseller APIs, ticketing, storefront SEO routes, webhook-driven automation, SaaS SSO for merchant teams, CDN edge caching and cron-like invoice lifecycles: fertile ground for payment fraud, persistence through mis-scoped JWTs or API keys, and cross-merchant data bleed if tenant isolation fails. This playbook rewards only the highest-impact, fully demonstrated criticals; each pays $5,000.
Materially in scope: every HTTP host, websocket, worker runtime and Postgres row served by SellApp infrastructure; the storefront renderer; markdown/static deploy paths; webhook signing secrets in SellApp's custody; partner SDK loaders; Grafana/Sentry ingestion SellApp administers; phishing-resistant admin surfaces; reseller white-label apex domains delegated to SellApp infrastructure; ephemeral preview deploys flagged as SellApp-hosted; CDN cache-poisoning surfaces where SellApp originates the HTML/JS bundles.
Leave unrelated payment processors alone unless your chain weaponizes an integration SellApp itself operates; SellApp's own checkout glue is always fair game.
The only exclusions are civil ones: blackmail, mass customer harassment, brute-forcing unrelated Stripe accounts wholly outside the SellApp SSO context. Those bans are societal, not SKU-level scope fences.
A paid report needs two things: 1️⃣ a narrative kill chain tying root cause → exploit steps → observable impact, and 2️⃣ proof that the attack succeeds (replayable transactions, fixture logs, signed video, scripted harness). Narratives without a working exploitation path grade below the payout threshold.
Why poke SellApp?
Flat $5K critical payouts
No spreadsheet bingo — validated critical exploits with reproducible payloads earn exactly $5,000 USD.
API + checkout blast radius
Invoices, webhooks, product feeds, reseller tokens — chained bugs often cash out silently until someone maps them.
No fake micro-scope list
If SellApp can patch/configure it — from embed JS to infra Terraform — testers can escalate until severity lands or triage shuts with reasoning.
Responsible disclosure halo
Demonstrated exploits with airtight chains earn coordinated publication credit after fixes ship.
$5,000 per validated critical
There is exactly one bounty amount on this ledger: a validated critical finding pays $5,000 USD. Novel low-severity items may earn goodwill credit but not this stipend. A paid report must exhibit (a) attacker-readable kill-chain storytelling and (b) objective proof of successful exploitation that SellApp responders can replay (Burp transcripts, scripted API sequences, SSRF egress captures, JWT mutation evidence, webhook replay PCAPs…).
Examples of critical impact:
- Mass merchant fund theft
- Forging paid invoices or licensing entitlements across many stores
- SSRF / AWS metadata pivot through SellApp workers
- Takeover of the signing keys behind webhook or storefront trust
- Persistent RCE inside the checkout embed origin
- Cross-tenant data exfiltration or privilege bleed across reseller accounts
- Payment callback abuse causing silent revenue reroute at scale
- Break-glass SSRF egress from SellApp infra to lateral cloud infrastructure
Illustrative map (non-exhaustive)
These rows impose no limits; they are shorthand for tagging reports. Anything SellApp hosts, signs, proxies (including on a merchant's behalf), caches, parses, verifies or delivers webhooks to counts as bounty ground even if undocumented here. Treat “not listed” ≠ “out-of-scope”: the default stance is open scope across SellApp.
| Surface | Class | Critical payout |
|---|---|---|
| *.sell.app, sell.app, storefront HTML/JS/CSS | Web · CDN | $5,000 / validated bug |
| REST APIs · webhooks (Bearer keys, HMAC receipts) | Backend | $5,000 / validated bug |
| sell.app/embed, hosted checkout redirects | Embed | $5,000 / validated bug |
| Merchant console, ticketing, reseller dashboards · queue workers | SaaS | $5,000 / validated bug |
Everything SellApp operates — no exclusions list
This playbook refuses “only these SKU endpoints” folklore. Sandbox clusters, reseller preview shards, mirrored EU tenants, ephemeral feature flags, Grafana boards, anomaly detection exporters, SMTP bridges, Zapier-esque automation hooks patched by SellApp — all bounty eligible when critical impact is reproducible.
- Every apex / vanity domain routing through the SellApp edge, unless proven otherwise; include that evidence in the chain write-up.
- Open + private repos / infrastructure-as-code repos SellApp merges
- Third-party WASM/edge workers they sign & inject into storefront bundles
- Partner marketplace plugins gated by SellApp OAuth consent screens
Rules of engagement
- Prove exploitation success. Dry essays fail — ship artefacts that third parties rerun: scripted curl sequences against APIs, deterministic Burp/XML exports, SSRF egress packet captures, reproducible JWT tamper scripts, webhook replay PCAPs showing forged fulfillment.
- Articulate kill chain granularity. Number each hop: auth boundary → abused endpoint → escalation → monetizable damage (merchant fund movement, counterfeit license issuance, SSRF egress, etc.).
- Responsible blast radius documentation. Quantify merchant payouts or customer entitlement exposure even if exercised only on staging clones that mirror SellApp routing + auth.
- Encrypt & ship privately. Use sanctioned intake (security mail / advisories — see submit section) prior to tweeting exploits.
- Honor duplicate fairness. First fully qualifying chain + reproducible exploitation wins treasury on equal severity collisions.
How to submit a report
Email security@sell.app (encrypted if available) plus any advisory link published on sell.app. Verify the live security contact — vendors rotate addresses. Mandatory sections mirror below.
# Title
[Critical][Exploit-Proven] <tight title>
# Executive summary — impact in one paragraph
# Severity self-classification → must map to SellApp critical definitions above
## Attack chain narrative (numbered, no gaps)
1. Preconditions (API key scopes, SSO session assumptions, storefront slug)
2. Entry primitive — exact HTTP verb/path/query/body or embed origin line
3. Pivot(s) chaining trust escalation
4. Final hop → merchant fund redirection / forged delivery / infra takeover equivalent
## Successful exploitation evidence
• Replayable CLI/curl/Python script dumping HTTP status + truncated bodies proving impact
• HAR / Burp project with matched responses showing unauthorized state change
• Webhook/trace logs illustrating attacker-controlled callback success
## Reproduction package
Commands + fixture download links + pinned commit SHAs
## Disclosure ack
Responsible channel only until SellApp clears publication coordination
Node.js vignette · pair with reproducible HTTPS exploit replay
Pseudocode for the IDOR-style webhook forgery described above: a handler that checks a static shared secret but never binds the payload to an invoice owner. On its own it proves nothing; a report must attach the HAR/logs showing an unauthorized webhook changing invoice state inside SellApp.
// BUGGY: checks only a static shared secret; never binds the payload to a merchant or invoice
import express from 'express';
const app = express();
app.use(express.json());

// Stand-in for the real fulfilment routine so the vignette runs as written
function fulfilDigitalGoods(order) {
  console.log('fulfilling invoice', order.invoice && order.invoice.id);
}

app.post('/webhooks/order', (req, res) => {
  // Plain string compare of a static token: no HMAC over the body, no timestamp, no replay guard
  if (req.header('X-Sellapp-Signature') !== process.env.SHARED_STUB) return res.sendStatus(401);
  // MISSING: correlate body.invoice.id with the merchant tenant / HMAC-bound metadata
  fulfilDigitalGoods(req.body); // attacker cycles arbitrary IDs → counterfeit fulfilment
  res.sendStatus(200);
});

app.listen(3000);
Frequently asked questions
Is anything actually “out of scope” besides illegal stuff?
No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, etc.). If SellApp hosts, proxies, signs, or documents a surface technically, testers can escalate until triage disqualifies specifics.
Do speculative write-ups without a working exploit get paid?
No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theory-only stays in triage backlog without compensation.
Are staging / dev nets fair game?
Yes whenever SellApp labels or operates them.
Demonstrate realism by mirroring configs/data where possible.
Duplicates?
The fastest validated chain with reproducible exploitation wins the bounty; later tickets are closed with acknowledgement only.
Lower severities rewarded?
Not under this $5K-flat critical playbook — escalate impact until it meets critical thresholds or accept non-monetary acknowledgement.
Critical chain + working exploit = $5,000
No narrow scope appendix — document the attack, prove it lands, file privately.