Skip to main content
Public disclosure policy

Security & Responsible Disclosure

If you've found a security issue on SoseCore, this page tells you exactly how to report it and what to expect back from us.

How to report

  • Email: security@sosecore.com
  • Response time: We acknowledge reports within 48 hours (usually sooner).
  • Encryption: PGP key available on request — for now, plain text email is fine.
  • Languages: English or Russian.
Machine-readable version: /.well-known/security.txt (RFC 9116).

What's in scope

In scope
  • The marketplace (sosecore.com)
  • User & vendor accounts
  • Authentication and session handling
  • Payment integration with Paddle
  • File upload & download flows
  • Admin panel (if you have a way in — that itself is a finding)
Out of scope
  • DoS / DDoS attacks
  • Brute force or rate-limit probing
  • Social engineering of staff or vendors
  • Physical attacks
  • Spam / phishing of users
  • Bugs in third-party services (Paddle, Cloudflare, etc.) — report to them
  • Reports without a reproducer (steps + payload)

Safe harbor

We won't pursue legal action against researchers who:

  • Test only on accounts they own (or have explicit written permission to test).
  • Don't access, modify, or destroy other users' data.
  • Don't degrade service for others — no DoS, no load tests, no log spam.
  • Report vulnerabilities privately first and don't disclose publicly before we ship a fix (give us reasonable time — typically 90 days).

What we'll do

  1. Acknowledge your report within 48 hours.
  2. Triage the issue and assign a severity (critical / high / medium / low).
  3. Provide regular status updates as we investigate and patch.
  4. Credit you in our Hall of Fame below (only with your consent — anonymous reports are welcome too).
  5. Notify you when the fix ships, so you can verify it.

Hall of Fame

No confirmed reports yet — the page is fresh. Be the first and we'll list you here with whatever attribution you like (handle, real name, link, or just "Anonymous").

About paid rewards
SoseCore is an indie marketplace launched in 2026. We don't have a paid bug bounty program yet — for now, our Hall of Fame credit and genuine appreciation is what we offer. If the marketplace grows, we'll revisit this and announce it here.

Your Cart

We use cookies

We use cookies to operate the Marketplace and, with your consent, to measure traffic (Google Analytics) and personalize ads (Facebook Pixel). Read our Privacy Policy.

Cookie preferences

Choose which cookie categories you accept. Necessary cookies are always on because the Marketplace cannot operate without them. You can change these settings any time via the "Cookie preferences" link in the footer.

Necessary
Always on

Session, login, CSRF protection, cart contents. Required for the site to function.

Functional

Language preference, theme, recently viewed items.

Analytics

Google Analytics 4 — anonymized traffic and usage statistics. Helps us improve the Marketplace.

Marketing

Facebook Pixel — conversion tracking for advertising campaigns on Facebook and Instagram.