Security Policy
Last updated: May 5, 2026
Reporting a Vulnerability
We take the security of 3DPrintMe seriously. If you believe you have found a security vulnerability, please report it to us privately so we can investigate and remediate before any public disclosure.
Email: security@3dprintme.com
Please do not use the public bug-report form for security issues — that flow is visible to anyone with admin access and is not appropriate for sensitive disclosures.
What to Include
- A clear description of the vulnerability.
- Steps to reproduce, including URLs, payloads, and request/response samples where applicable.
- The impact you believe the issue could have.
- Any proof-of-concept code, screenshots, or videos.
- Whether you would like to be credited publicly if/when we publish an advisory.
Our Commitments
- We aim to acknowledge reports within 3 business days.
- We will keep you informed as we investigate and remediate.
- We will not pursue legal action against good-faith researchers who follow this policy.
- With your permission, we will credit you in any public advisory we publish.
Scope
In scope:
- 3dprintme.com
- www.3dprintme.com
- api.3dprintme.com
Out of scope:
- Third-party services (Stripe, Shippo, Azure, GoDaddy, etc.) — please report those directly to the respective vendor.
- Issues that require physical access to a victim's device.
- Social engineering of staff or customers.
- Denial-of-service that requires a high volume of traffic.
- Self-XSS that requires a victim to paste a payload into their own console.
- Reports based purely on automated scanner output without a working proof-of-concept.
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption.
- Only interact with accounts they own or have explicit permission to test.
- Do not exploit a vulnerability beyond what is necessary to confirm it.
- Report findings privately and give us reasonable time to remediate before public disclosure.
Bug Bounty
We do not currently operate a paid bug bounty program. We do recognize and credit researchers in our security advisories with their permission, and may offer thanks in the form of swag or store credit at our discretion.
Public Disclosure
Please coordinate disclosure with us. We ask that you wait until we have remediated the issue and confirmed the fix in production before publishing any details. We will work with you in good faith to set a reasonable disclosure timeline.
Machine-Readable Policy
A machine-readable contact for security researchers is published at /.well-known/security.txt per RFC 9116.
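As an added check, not the page's or 3DPrintMe's own code, the following Python parses a security.txt file and applies the RFC 9116 rules a researcher or operator would verify before trusting it: Contact is required and must be a URI (mailto:, tel: or https://), Expires is required, appears exactly once, carries a timezone and is neither in the past nor more than a year out, and Canonical must be an https URI. A PGP cleartext-signature envelope is skipped but not verified. The SAMPLE text is constructed to match the contact address in this policy; its Expires date and Canonical URL are assumptions, not the live file's values, and BAD_SAMPLE is a constructed failing case.

```python
"""Parse and sanity-check an RFC 9116 security.txt file.

Added example for this page; it is not 3DPrintMe's own code or the live file.
SAMPLE is constructed to match the contact in this policy; its Canonical URL
and Expires value are assumptions. BAD_SAMPLE is a constructed failing case.
"""
from datetime import datetime, timedelta, timezone

# Date printed on this policy page, used as a fixed "now" so results are stable.
PAGE_DATE = datetime(2026, 5, 5, tzinfo=timezone.utc)

REQUIRED = ("contact", "expires")                 # RFC 9116: MUST be present
AT_MOST_ONCE = ("expires", "preferred-languages") # RFC 9116: MUST NOT repeat
KNOWN = {"acknowledgments", "canonical", "contact", "encryption", "expires",
         "hiring", "policy", "preferred-languages"}

SAMPLE = """\
# Constructed example, not the live /.well-known/security.txt
Contact: mailto:security@3dprintme.com
Expires: 2026-11-01T00:00:00Z
Canonical: https://3dprintme.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed bad file: Contact is not a URI, Expires repeated and in the past.
BAD_SAMPLE = """\
Contact: security@3dprintme.com
Expires: 2025-01-01T00:00:00Z
Expires: 2025-02-01T00:00:00Z
"""


def parse_security_txt(text):
    """Return (name, value) pairs with names lowercased (field names are
    case-insensitive). Comments, blank lines and a PGP cleartext-signature
    envelope are skipped; the signature itself is NOT verified here."""
    fields, in_sig, in_armor_header = [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True   # "Hash:" lines follow until a blank line
            continue
        if in_armor_header:
            if not line:
                in_armor_header = False
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_sig = True
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_sig = False
            continue
        if in_sig:
            continue
        if line.startswith("- "):    # RFC 4880 dash-escaping inside a signed body
            line = line[2:]
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a field line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate(fields, now=None):
    """Return a list of problems; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = [n for n, _ in fields]
    for req in REQUIRED:
        if req not in names:
            problems.append(f"missing required field: {req}")
    for single in AT_MOST_ONCE:
        if names.count(single) > 1:
            problems.append(f"{single} must appear at most once")
    for name, value in fields:
        if name == "contact":
            if not value.startswith(("mailto:", "tel:", "https://")):
                problems.append(f"Contact must be a URI (mailto:, tel: or https://): {value}")
        elif name == "expires":
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 timestamp: {value}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"file has expired: {value}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires should be less than a year in the future")
        elif name == "canonical":
            if not value.startswith("https://"):
                problems.append(f"Canonical must be an https URI: {value}")
        elif name not in KNOWN:
            problems.append(f"unknown field: {name}")
    return problems


def check(text, now=None):
    """Parse then validate; returns the problem list."""
    return validate(parse_security_txt(text), now)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("bad sample", BAD_SAMPLE)):
        print(label, check(text, PAGE_DATE) or "ok")
```

To run it against the live file, fetch https://3dprintme.com/.well-known/security.txt over HTTPS (RFC 9116 requires that path and transport) and pass the body to check(); a non-empty result is a reason to fall back to the email address above rather than trust the file.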