[{"id":3773739,"new_policy":"# Disclosure Policy\n* Even though this is a **public program**, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Program Rules\nPlease provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.\n* Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.\n* When duplicates occur, we only award the first report received (provided it can be fully reproduced).\n* Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.\n* Social engineering (e.g., phishing, vishing, smishing) is prohibited.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.\n* Ask the program team before submitting vulnerabilities on unscoped subdomains.\n* Only interact with accounts you own or with the explicit permission of the account holder.\n* Reports for publicly disclosed Zero-day vulnerabilities that have had an official patch for less than one month will be accepted only on a case-by-case basis.\n* Coupang Taiwan accepts reports of leaked credentials, including authentication material for Coupang APIs and infrastructure. Duplicate or previously addressed account leak reports are marked ineligible, and all submissions must include verifiable evidence such as data sources, account samples, and account type details. Only fully validated reports with no prior response history qualify for reward, while unverifiable or already known leaks do not.\n* Please note that Coupang’s Taiwan and Korea assets **might** have overlapping backend code. Because of this overlap, vulnerabilities that require the same fix across Korea, Taiwan, iOS, or Android will be treated as a single vulnerability report, and only the first valid submission (from either host) will receive the bounty. Any subsequent submissions for that same issue on either host will be marked as duplicates.\n* Coupang reserves the right to determine a researcher's testing activity before awarding any bounty for a valid report.\n\n# Test Plan\n* Users can sign up for a free account through our website (when applicable).\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com).\n\n## Session Layer: Using HTTP Headers\nDuring testing, **researchers should add headers to their requests** to allow Coupang to identify activities and traffic related to their testing. Please ensure to include HTTP headers to your requests in the following format:\n* “X-HackerOne-Researcher: [H1 username]”\n\nThank you for helping keep Coupang Taiwan and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-05-06T00:01:25.059Z"}]