Security Policy
Last updated: August 26, 2025
At myrobotdoll.com, we take the security and privacy of our customers seriously. If you discover a vulnerability in our website, services, or infrastructure, we appreciate your help in responsibly disclosing it to us.
How to Report
Email [email protected] with the following:
- The affected asset or URL
- Clear steps to reproduce
- Expected behavior versus actual behavior
- A minimal proof of concept
- The security impact
Please avoid sharing personal or customer data. Redacted evidence is preferred.
Scope
In scope: Internet-accessible assets that we own and operate, including https://www.myrobotdoll.com/ and first-party subdomains we operate.
Out of scope: Third-party services and vendors such as payment processors, shipping carriers, CDNs or WAFs, email or marketing platforms, and analytics providers. Employee personal accounts and anything not expressly listed as in scope are also out of scope.
Rules of Engagement (Good-Faith Research)
- Only perform non-destructive testing.
- Use your own accounts and data only. Do not access, modify, or exfiltrate customer or employee data. If you unintentionally access personal data, stop, capture minimal evidence, and report immediately.
- Do not perform denial of service or volumetric tests, spam or automated form submissions, brute force or credential stuffing, social engineering or phishing, physical attempts, fraudulent orders or charge tests, scanning that degrades service, or testing of third-party providers.
- Stay within scope and applicable law and respect rate limits.
Our Commitments
- No bug bounty: We do not offer monetary rewards. Eligible, validated reports may receive recognition on our Hall of Fame.
- Timelines: We aim to acknowledge reports within 3 business days, provide a status update within 10 business days, and prioritize remediation based on impact and severity.
- Coordinated disclosure: Please do not disclose publicly without our written permission. Our default disclosure window is 90 days from acknowledgment and can be extended by mutual agreement.
- Data handling: We treat reports confidentially and may request additional details needed to reproduce and fix the issue.
Safe Harbor
If you follow this policy and act in good faith, we authorize your testing of in-scope assets and will not pursue legal action or refer you to law enforcement for accidental, good-faith violations of this policy. This includes claims under our Terms of Service and anti-circumvention laws, provided you:
- Make a good-faith effort to avoid privacy violations, service degradation, or destruction of data
- Do not access or exfiltrate more data than necessary to demonstrate the issue
- Promptly report the vulnerability and its impact
- Give us a reasonable time to fix the issue before disclosure
This Safe Harbor does not apply to actions that are malicious, out of scope, or that risk harm.
Exclusions / Low-Impact Findings
We generally will not consider reports without clear security impact, including:
- Missing or non-blocking security headers
- Clickjacking on non-sensitive pages
- Best-practice hardening suggestions without an exploitation path
- Reports from un-tuned automated scans without demonstrated impact
- Version or banner disclosure
- SPF, DMARC, or SMTP configuration suggestions without demonstrated abuse
- TLS cipher or preference complaints without exploitability
Recognition
With your consent, we will add your name and date to our Hall of Fame for unique, valid reports after remediation. Let us know if you prefer to remain anonymous.