If you think you have found security vulnerabilities on Shoeboxed, we encourage you to let us know right away. Provided that you have followed these rules of responsible disclosure, we will, at our discretion, publicly credit you for your findings. At this time, we do not offer a monetary bounty.

Rules of Responsible Disclosure

While trying to find security vulnerabilities, you…
  • should not attempt to gain access to another user’s data
  • should not use automated tools, including scanners or DDoS attacks
  • should not disclose any bugs found to the public until they have been fixed
  • should only work with your own account and data
  • should only look for technical vulnerabilities, not phishing or social engineering attacks
  • should email us if in doubt about anything
We will respond as quickly as possible to your reports, and work with you to ensure that any open bugs are fixed. We will not pursue legal action against you so long as you abide by the above rules.


The following people have helped make Shoeboxed better by responsibly disclosing potential vulnerabilities.