The Sola Marketplace

Security & Responsible Disclosure

Helping us keep Sola secure

Last Updated: October 19, 2025

Our Commitment to Security

At Sola, we take the security of our platform and the privacy of our users seriously. We appreciate the security research community's efforts to help us maintain a safe and secure platform.

This page outlines our security practices and how security researchers can responsibly report vulnerabilities to us.

Responsible Disclosure Policy

We encourage security researchers to report security vulnerabilities to us privately before disclosing them publicly. This gives us time to fix issues and protect our users.

How to Report a Vulnerability

Email: security@thesolamarketplace.com

For sensitive information, you may request our PGP key.

Response Time: We aim to acknowledge all security reports within 48 hours.

What to Include in Your Report

Please provide as much information as possible:

  • Type of vulnerability (XSS, CSRF, SQL injection, etc.)
  • Full URL(s) of the affected page(s)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept code or screenshots (if applicable)
  • Potential impact of the vulnerability
  • Suggested remediation (optional)
  • Your name and contact information (for credit and follow-up)

Our Response Process

1. Acknowledgment: We'll acknowledge your report within 48 hours.
2. Initial Assessment: We'll assess the severity and impact within 5 business days.
3. Validation & Fix: We'll validate the issue and develop a fix.
4. Deployment: We'll deploy the fix and notify you.
5. Public Disclosure: We'll coordinate with you on public disclosure timing.

Testing Guidelines

To avoid disrupting our service or violating laws, please follow these guidelines when testing:

✓ Permitted Activities

  • Testing against your own account only
  • Testing in a non-destructive manner
  • Limited automated scanning (no brute force attacks)
  • Social engineering tests against security@thesolamarketplace.com only

✗ Prohibited Activities

  • Accessing other users' accounts or data
  • Performing denial-of-service (DoS) attacks
  • Spamming or flooding our systems
  • Testing physical security
  • Social engineering against staff or users
  • Destroying or modifying data
  • Publicly disclosing vulnerabilities before we've fixed them

Scope

In Scope

The following are in scope for security testing:

  • *.sola.com domains
  • All web applications hosted on our platform
  • API endpoints
  • Mobile applications (if applicable)

Out of Scope

The following are NOT in scope:

  • Third-party services we use (report to the vendor)
  • Creator-uploaded content or products
  • Social media profiles
  • Email delivery providers
  • Attacks requiring physical access to our offices

Vulnerability Severity

We use the following severity levels to prioritize fixes:

🔴 Critical

Remote code execution, SQL injection, authentication bypass

Target Fix: 24-48 hours

🟠 High

XSS, CSRF, sensitive data exposure, privilege escalation

Target Fix: 7 days

🟡 Medium

Information disclosure, broken access control

Target Fix: 30 days

🔵 Low

Security misconfigurations, weak encryption

Target Fix: 90 days

Recognition

We deeply appreciate the work of security researchers. To show our gratitude:

  • Hall of Fame: We maintain a public security researchers hall of fame (with your permission)
  • Public Credit: We'll credit you in our security advisories when vulnerabilities are disclosed
  • Swag: Researchers who report valid critical or high-severity issues may receive Sola merchandise

Note: We currently do not offer a bug bounty program, but we may introduce one in the future.

Safe Harbor

We commit to the following:

  • We will not pursue legal action against security researchers who comply with this policy
  • We will work with you to understand and resolve the issue quickly
  • We will recognize your contribution publicly (with your permission)
  • We will not disclose your identity without your permission

If legal action is initiated by a third party against you based on your research activities conducted in accordance with this policy, we will make it known that your actions were conducted in compliance with our security policy.

Our Security Measures

We implement industry-standard security practices, including:

  • AES-256-GCM encryption for sensitive personal data
  • HTTPS/TLS for all data in transit
  • CSRF token protection on all state-changing operations
  • Rate limiting to prevent brute force attacks
  • Input validation and sanitization
  • Security headers (Helmet.js)
  • Session fixation prevention
  • Regular security audits and updates
  • Error monitoring with Rollbar

Questions?

If you have questions about our security practices or this disclosure policy, please contact us:

Email: security@thesolamarketplace.com

Thank You!

We appreciate the security community's efforts to keep Sola safe for everyone. Your responsible disclosure helps us protect our users and maintain their trust.