Help us keep Hasaki safe for everyone.
Our Commitment to Security
At Hasaki, the security of our website, mobile applications, and customer data is a top priority. We work continuously to protect our platforms and the personal information you trust us with. Despite our best efforts, no system is completely free of vulnerabilities — and that is where the security community can help.
If you are a security researcher, developer, or customer who has discovered a potential security issue with any of our services, we want to hear from you. Your report helps us fix issues quickly and protect millions of customers.
What to Report
We are interested in receiving reports about security issues that could affect Hasaki customers or systems, such as:
- Vulnerabilities that could allow unauthorized access to customer accounts or personal data.
- Cross-site scripting (XSS), SQL injection, or other application-layer vulnerabilities.
- Authentication or authorization flaws.
- Payment, checkout, or order-related security issues.
- Sensitive information disclosure (data leaks, exposed credentials, misconfigured systems).
- Vulnerabilities in our mobile applications (iOS or Android).
Out of Scope
The following types of reports are generally not considered security vulnerabilities and may not receive a response:
- Reports based on automated scanner output without demonstrated impact.
- Spam, phishing, or social engineering attempts directed at our employees or customers.
- Issues that require physical access to a device or that depend on outdated browser versions.
- Best-practice recommendations without a concrete security impact (e.g., missing HTTP security headers on non-sensitive pages).
- Denial-of-service (DoS) attempts or testing that could disrupt our services for real customers.
How to Report
To report a security vulnerability, please send an email to our customer service team with the subject line "Security Vulnerability Report."
Email: support@hasaki.com
Subject Line: Security Vulnerability Report
For sensitive findings, we encourage you to encrypt your report. Our PGP public key is available on request, or via the link on this page. Please do not transmit live exploit payloads or real customer data in plain text.
In your report, please include as much of the following information as you can to help us investigate efficiently:
- Description: A clear summary of the vulnerability and its potential impact.
- Steps to reproduce: Detailed steps that allow our team to reproduce the issue.
- Affected URL or feature: The specific page, endpoint, or feature where the issue occurs.
- Proof of concept: Screenshots, video, or code that demonstrates the vulnerability (do not include real customer data).
- Your contact details: An email address or other channel where we can reach you with follow-up questions.
What Happens Next
- After we receive your report, our team will acknowledge it, investigate and validate the issue, work on remediation, and coordinate with you on disclosure where appropriate.
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and fix the issue. Responsible, coordinated disclosure protects our customers and is something we deeply appreciate.
Responsible Testing — Please Do Not
To keep our customers safe, please do not engage in the following activities while researching:
- Access, modify, or delete data that does not belong to you.
- Disrupt or degrade our services or the experience of other users.
- Perform denial-of-service (DoS) testing or any high-volume automated scanning.
- Use social engineering, phishing, or physical attacks against our employees, contractors, or facilities.
- Violate any applicable law or the privacy of our customers.
Our Promise to You
If you act in good faith, follow the guidelines on this page, and give us a reasonable opportunity to respond before any public disclosure, we will:
- Treat your report confidentially.
- Not, to the extent permitted by applicable law, take legal action against you for your good-faith security research conducted in accordance with this policy.
- Acknowledge your contribution, with your permission, if your report leads to a meaningful security improvement.
Please note that this policy does not, and cannot, waive any rights or protections of third parties, nor does it authorize conduct that is unlawful under applicable U.S. federal or state law. If your research inadvertently affects parties other than Hasaki, this policy does not extend to those parties.
Other Concerns
This page is for security vulnerability reports only. If you have a different issue, please use one of the following channels, by email at support@hasaki.com:
- Account or order issues: Contact our Customer Service team through the regular Help Center.
- Privacy or data protection requests.
- Product safety concerns.
- General inquiries.
Legal Note: This page describes Hasaki's process for receiving security vulnerability reports. It is not a bug bounty program, and Hasaki does not offer monetary rewards at this time. Submission of a vulnerability report does not create a contractual relationship between you and Hasaki. Hasaki reserves the right to update this page at any time. Nothing on this page authorizes activities that would violate applicable law or the terms of the Hasaki Privacy Policy or Terms of Use. This policy is governed by the laws of the United States. Good-faith security research conducted consistent with this policy is intended to be considered authorized access under the Computer Fraud and Abuse Act (CFAA) and comparable state laws.