Security: saleor/examples

SECURITY.md

Security Policy

Warning

DO NOT report security vulnerabilities using a public GitHub issue.

If you believe you've found a security issue, please contact us through one of the following methods:

  • Using GitHub security advisories: https://github.com/saleor/<repository-name>/security/advisories (replace <repository-name>)
  • Alternatively, through our mailing list: security@saleor.io

Whichever method you choose, you will be credited as the reporter once the announcement is published.

Guidelines

A report must include:

  • A clear description of the issue
  • Reproduction steps that allow us to verify the behavior
  • Affected version(s) and environment details (versions, OS, tools, configurations)
  • Whether you are willing to review the patches before their publication

Reports that lack these elements may be considered incomplete and may be closed without follow-up. Reports may also be closed if the submitter does not respond to follow-up questions.

Automated Reports

We do not accept:

  • Low-effort or automatically generated reports (including AI-generated content)
  • Reports that are bulk-submitted without context or verification
  • Reports that are not addressing feedback or questions

You should:

  • Clearly disclose if you used AI to create the vulnerability report. This ensures transparency and accountability.
  • Explicitly confirm that you manually verified the findings and the contents. Reports that were not manually verified may be rejected without follow-up.

No Monetary Rewards

We do not have a bounty program in place, so we cannot offer monetary rewards for any reported problems.