Last updated: June 21, 2026
We welcome reports from security researchers and take them seriously. If you believe you have found a security vulnerability in Returner, please email [email protected] (or [email protected]) with enough detail to reproduce the issue: affected URL or endpoint, steps, and any proof-of-concept. Our machine-readable contact is published at /.well-known/security.txt.
In scope: the Returner application and dashboard (app.returner.me), the customer return portal, our public API (/api/v1), and the marketing site. Out of scope: third-party services we rely on (Shopify, our hosting provider, payment and email processors — report those to the respective vendor), volumetric denial-of-service, and findings that require physical access or a compromised end-user device.
We will not pursue or support legal action against researchers who act in good faith, avoid privacy violations and service degradation, do not access or modify data that is not their own, and give us a reasonable opportunity to remediate before public disclosure. Do not run automated scanners that generate destructive load, and never access, download, or retain another user's personal data — a single record demonstrating access is sufficient proof; stop there and tell us.
Security: [email protected]
Operated by Friros AB, Sweden — see our Privacy Policy and Terms.