Security Policy
Last updated: June 5, 2026
Reporting a Vulnerability
We take the security of 3DPrintMe seriously. If you believe you have found a security vulnerability, please report it to us privately so we can investigate and remediate before any public disclosure.
Email: security@3dprintme.com
Please do not use the public bug-report form for security issues — that flow is visible to anyone with admin access and is not appropriate for sensitive disclosures.
What to Include
- A clear description of the vulnerability.
- Steps to reproduce, including URLs, payloads, and request/response samples where applicable.
- The impact you believe the issue could have.
- Any proof-of-concept code, screenshots, or videos.
- Whether you would like to be credited publicly if/when we publish an advisory.
Our Commitments
- 3DPrintMe aims to acknowledge reports promptly, generally within 5 business days.
- We will keep you informed as we investigate and remediate.
- 3DPrintMe will not pursue legal action against good-faith researchers who comply with the Safe Harbor provisions below.
- With your permission, we will credit you in any public advisory we publish.
Scope
In scope:
- 3dprintme.com
- www.3dprintme.com
- api.3dprintme.com
Out of scope:
- Third-party services (Stripe, Shippo, Azure, GoDaddy, etc.) — please report those directly to the respective vendor.
- Issues that require physical access to a victim's device.
- Social engineering of staff or customers.
- Denial-of-service that requires a high volume of traffic.
- Self-XSS that requires a victim to paste a payload into their own console.
- Reports based purely on automated scanner output without a working proof-of-concept.
Safe Harbor
3DPrintMe considers security research conducted in accordance with this policy to be authorized access to the Platform under applicable computer-fraud and computer-trespass laws, and authorizes circumvention of technological measures to the extent necessary to conduct good-faith research under applicable copyright law. 3DPrintMe will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
- Only interact with accounts they own or have explicit permission to test.
- Do not exploit a vulnerability beyond what is necessary to confirm it.
- Report findings privately and give us reasonable time to remediate before public disclosure.
Bug Bounty
3DPrintMe does not currently operate a paid bug bounty program. 3DPrintMe may recognize and credit researchers in security advisories with their permission, and may, in 3DPrintMe's sole discretion, offer thanks in the form of swag or store credit. Any such recognition or token is gratuitous and is not consideration for the report, does not create any obligation by 3DPrintMe to provide future recognition or compensation, and may be discontinued at any time.
Public Disclosure
Please coordinate disclosure with us. We ask that you wait until we have remediated the issue and confirmed the fix in production before publishing any details. We will work with you in good faith to set a reasonable disclosure timeline.
Machine-Readable Policy
A machine-readable contact for security researchers is published at /.well-known/security.txt per RFC 9116.