At Hatown, we take the security of our customers and platform seriously.
If you believe you have discovered a security vulnerability, we encourage you to report it responsibly.

We appreciate the efforts of security researchers who help us maintain a safe shopping environment.

Scope

This policy applies only to assets owned and operated by Hatown, including:

Third-party services, hosting providers, payment processors, or external platforms are out of scope.

Our Commitment (Safe Harbor)

If you act in good faith and follow this policy:

  • We will not pursue legal action against you.
  • We will not refer the matter to law enforcement.
  • We will work with you to understand and resolve the issue.

This applies only if you:

  • Avoid accessing data beyond what is necessary to demonstrate the vulnerability.
  • Do not exploit the issue for personal gain.
  • Do not disrupt services or compromise user privacy.
  • Comply with all applicable laws and regulations.

How to Report

Please email your report to:

📧 security@hatown.com
(If unavailable, you may use contact@hatown.com)

Your report should include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The affected URL(s) or page(s)
  • Screenshots or proof of concept (if possible)
  • The potential impact

Incomplete or non-reproducible reports may not be eligible for a reward.

We aim to acknowledge reports within 5 business days.

Bounty Program

We may offer discretionary rewards for valid security findings based on:

  • Severity
  • Impact
  • Exploitability
  • Report quality

The first valid report of an issue is eligible for a reward.

Severity is evaluated using industry standards such as CVSS and OWASP guidelines.

Reward Tiers (Maximum Amounts)

Critical – Up to £200

  • Remote Code Execution
  • Full account takeover
  • SQL Injection exposing sensitive data
  • Vertical authentication bypass

High – Up to £100

  • Stored XSS affecting other users
  • Sensitive internal data exposure
  • Authentication bypass (lateral)
  • Local file inclusion

Medium – Up to £50

  • Business logic flaws
  • Insecure object references

Low – Recognition Only

  • Open redirects
  • Reflected XSS
  • Low-sensitivity information leaks

We reserve the right to determine eligibility and reward amounts at our discretion.

Non-Reportable Issues

The following are not eligible for bounty:

  • Self-XSS
  • Missing security headers without exploit
  • Clickjacking without demonstrated impact
  • Rate limiting issues without proof of abuse
  • Theoretical vulnerabilities without proof of concept
  • Spam or brute-force without bypass
  • Social engineering attacks
  • Physical security findings
  • Third-party service vulnerabilities
  • Duplicate reports

Responsible Disclosure

Please allow us reasonable time to investigate and resolve the issue before disclosing it publicly.

We may publish resolved vulnerability reports and credit the researcher unless anonymity is requested.

Contact Information

Hatown
15 Anglesey Rd
Burton-on-Trent
DE14 3PP
United Kingdom

📧 security@hatown.com
📞 +44 7367047025