[{"id":3733596,"new_policy":"# Summer Special Campaign\n- From 29/07/2024 to 15/08/2024\n\n## Summer Special Campaign conditions.\n\nWe are excited to announce our special summer bug bounty campaign, where we will be offering up to 2x payouts for Critical and High severity vulnerabilities. To clarify, during this special summer campaign, **only the following vulnerability categories are included**:\n\n### Critical Vulnerabilities categories x2 (Up to 10K):\n\n- Remote Code Execution (RCE)\n- SQL Injection (SQLi)\n- Any other vulnerabilities that result in massive exposure of user Personally Identifiable Information (PII) within our platform.\n\n### High Severity Vulnerabilities categories x2 (Up to 4k):\n\n- One-Click, One-User Account Takeover (ATO)\n- Payment Bypass\n\nThank you for your continued support and participation.\n\n#Brand Promise\n\nThe safety and security of our customers, suppliers and employees’ data and any sensitive information, as well as the reliability of the IT services we use to manufacture and market our products, are of utmost importance to the Inditex Group (hereinafter, “**Inditex**”). It is our commitment to deter any action directed against the confidentiality, integrity and availability of our computer systems, networks, and computer data as well as the misuse of such systems, networks and data for fraudulent activities, cybercrime offences or against the safety and security of our customers, suppliers, and employees. 
\n\nAn effective fight against these matters requires, on the one hand, to collaborate with institutions and authorities to try to assist in order to mitigate the commission of cybercrimes or illegal actions; on the other, to design and implement this Vulnerability Disclosure Policy (hereinafter, “Policy”), which describes the Inditex’s terms and conditions with regard to any unsolicited report related to potential IT vulnerabilities which can be exploited by threat actors against us, our customers, suppliers or employees.\n\nInditex cares deeply about maintaining trust and confidence and strongly believes that close collaboration with researchers and reporters improves security. If you are a security researcher or a reporter who has found a vulnerability in an Inditex service, we would like to hear from you.\n\nAccording to the ENISA definition, vulnerability is ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of affected systems.\n\nReporters must review, understand, and abide by the following terms and conditions included in the Policy before conducting any research or testing. In addition, Inditex encourages reporters to act in a responsible way in the reporting process.\n\nReporter compliance with terms and conditions of this Policy will be considered by Inditex as an authorized conduct in accordance with regulations included in national laws. 
Failure to abide by these terms and conditions will result in the loss of being considered a security researcher or reporter under the Policy.\n\nInditex reserves all legal rights in the event of any non-compliance with this Policy or in case of non-compliance with local laws.\n\n## Company\n\nInditex is one of the world's largest fashion retailers, with seven brands (Zara, Pull\u0026Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Lefties and Zara Home) selling in 202 markets through its online platform or its over 7,000 stores in 96 markets.\n\n## Mission\n\nSecurity is one of Inditex's core values and we want you to help us to improve the security of our technical infrastructure.\n\nIn return, we will pay you with a monetary reward. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report.\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. However, all reports are reviewed on a case-by-case basis and any report that results in a fix will be rewarded.\n\nTo qualify for a reward, you must:\n\n- Report a qualifying vulnerability that belongs to the scope (see below).\n- Be the first person to report it.\n- Communicate with our security team exclusively through this platform.\n- Comply with all the terms and conditions detailed below.\n\nCustomers, users, researchers, partners, and any other person that interacts with Inditex’s IT services may voluntarily report in good faith any potential security vulnerabilities to us. 
Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Inditex will deem the submission as noncompliant with this Policy.\n\nInditex does not accept, review, or consider any unsolicited ideas, works, materials, proposals, suggestions, or the like, including for products, services, technologies, product enhancements, processes, marketing strategies, product names, content, or creative materials (all the foregoing “**unsolicited idea submissions**”). Do not send or provide any unsolicited idea submissions in any form to Inditex. Should you ignore our request and you still submit them, then regardless of what your correspondence says, you agree that: (1) your unsolicited idea submissions and their contents along with related intellectual property rights will automatically become the property of Inditex, without any compensation to you; (2) Inditex may use or redistribute the unsolicited idea submissions and their contents for any purpose and in any way on an unrestricted basis; (3) there is no obligation for Inditex to review the submissions; and (4) there is no obligation to keep any submissions confidential.\n\n#Rewards\n\n* Rewards are based on severity per CVSS (the [Common Vulnerability Scoring Standard](https://docs.hackerone.com/hackers/severity.html?))\n* All bounty amounts will be at the discretion of the Inditex Bounty Bug Bounty team.\n* Reports submitted using methods that violate policy rules will not be eligible for a reward.\n* To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.\n* Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. 
Do not submit duplicate reports for the same issue across multiple sites, as the duplicates will be closed, and the issue will be treated as one report.\n* While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.\n* Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.\n\n#Scope exclusions\n\n* Inditex Bounty reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.\n* Clickjacking/UI redressing\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Logout and other instances of low-severity Cross-Site Request Forgery (e.g. add to cart)\n* Add or remove users from newsletters\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests\n* Brute force oracle attacks against unauthenticated endpoints\n* Missing best practices in Content Security Policy\n* Missing HTTP Only or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable 
versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)\n* Tabnabbing\n* Issues that require unlikely user interaction by the victim\n* Any issues regarding single session features/management\n* Any hypothetical flaw or best practice without exploitable POC\n* Any hypothetical flaw or best practice where you are not able to achieve something that you shouldn't be able to do\n* Non-critical/high information disclosure\n* User enumeration\n* Stack traces or path disclosure\n* Missing autocomplete attributes\n* Customer leaked credentials\n* Weak CAPTCHA\n* **Self**-Client-side injection (XSS, Angular, Vue, HTML...)\n* Lack of rate-limit/anti-automation\n* Findings related to outdated swagger version and related vulnerabilities\n* Open redirect: unless an additional security impact can be demonstrated (other than social engineering)\n\n# Severity \n\nWe base the severity of the reports on CVSS v3.1 (the Common Vulnerability Scoring Standard). Also, our rewards are based on severity, so we pay more when the severity is proven to be more critical. Please note these are general guidelines, and reward decisions are up to the discretion of Inditex.\n\nAny report's severity can be escalated before and after its creation if necessary and proven (e.g., XSS to ATO, HTMLi to XSS, etc.). Any escalation path must be genuine. Different reports using the same escalation path will be treated as the base case (severity without escalation), and only the first will be considered escalated on severity. \nA new escalation path will only be considered valid if it ends in a higher severity than the original one (even if it shares some base path with other reports).\n\nThe base score for a reflected XSS in the ecommerce will be 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). 
We assume that you will be able to access information inside the session context (e.g., address, name, email, etc.), and that you will be able to modify some data from the user or the DOM. Regarding Scope (S) in the CVSS vector, despite being classified on some sites as \"changed\", we consider that the true impact of XSS lies in access to the user's session, and, therefore, affects a resource managed by the same security authority.\n\nAny report that requires special conditions beyond the attacker's control will have Attack Complexity (AC) set to High (H), such as, but not exclusively, XSS that needs special user interaction (onmouseover, onclick, etc.) or any report that requires special, uncommon conditions from the victim.\n\n#Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. 
Inditex Bounty reserves all legal rights in the event of noncompliance with this policy.\n\n#Program Eligibility\n\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Publicly known Zero-day/One-day vulnerabilities will not be considered for eligibility until more than:\n  * 48h have passed since patch availability on Critical vulnerabilities.\n  * 5 days have passed since patch availability on High vulnerabilities.\n  * 60 days have passed since patch availability on Medium/Low vulnerabilities.\n* Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.\n* Inditex employees and third-party assets employees are not eligible for participation in this program.\n\n#Program Rules \n\n*Do*\n* Read and abide by the program policy.\n* Please append to your user-agent header the following value: '-inSec-CrowdPowered'.\n* Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.\n* Exercise caution when testing to avoid negative impact to customers and the services they depend on. \n* STOP testing if you are unsure about the impact it may have on our systems. 
If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.\n* Avoid further exploitation after a vulnerability is found; do only what is required to produce a functional PoC, for instance:\n  - For RCE, performing whoami ; uname is enough for the PoC; there is no need to compromise the entire OS.\n  - For SQLi, it is enough to print the DB banner or show the DB name, username or table names; there is no need to dump the entire DB.\n  - Other techniques and procedures for lateral movement, post-exploitation or establishing persistence through back-doors are completely forbidden.\n\n\n*Do NOT:*\n* Do not brute force credentials or guess credentials to gain access to systems.\n* Do not participate in denial-of-service attacks.\n* Do not upload shells or create a backdoor of any kind.\n* Do not engage in any form of social engineering for Inditex employees, customers, or vendors.\n* Do not engage or target any Inditex employee, customer, or vendor during your testing.\n* Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.\n* Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change the password of an account you did not register yourself or an account that was not provided to you, stop, and report the finding immediately.\n* Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. 
Do not interact with accounts you do not own or without the explicit permission of the account holder.\n\n#Disclosure Policy\n\nThe following principles are considered key aspects of this Policy:\n\n* Good faith.\n* Lawfulness of activity.\n* Data Protection.\n* Security of information.\n* No extortion nor bribery.\n* Security improvement: don’t leave any system more vulnerable than before the test.\n* Third party ownership: don’t disturb, compromise, or damage data or property owned by third parties.\n\nInditex encourages reporters not to do harm and not to exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability. Avoid accessing the content of any communication, data or info transiting or stored on Inditex domains and info systems mentioned above except to the extent that is directly related to a vulnerability.\n\nOnce the reporter finds a vulnerability or encounters sensitive data, they must stop testing and notify Inditex of the findings.\n\nYou may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to an Inditex report, you must request permission on your report, and you must receive written approval from an Inditex team member.\n\n## Your Commitment\n\nBy making a report to Inditex using the form on this page, or otherwise communicating a report to Inditex, regarding vulnerabilities, you agree to the following terms:\n\n* Respect our privacy. Specifically:\n  * If you access anyone else’s data, personal, or otherwise in the course of your research, please **contact us immediately so we can investigate**. This includes usernames, passwords, and other credentials. The mentioned data is confidential. Please report to us what data was accessed and delete the data. 
You must not save, copy, download, transfer, disclose or broadcast this information. \n  * You agree not to process any personal data to which you, directly or indirectly, have incidental access and/or may know information which implies access to personal data except for the purpose of communicating it to Inditex. In this case, it will be done with the utmost confidentiality, in compliance with the principles established in the data protection laws and regulations, and solely for the purposes set forth in this Policy, and in particular the storage limitation and integrity and applying the necessary technical and organizational security measures. \n* Act in good faith. You should report the vulnerability to us with no conditions attached.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* You have not exploited or used in any manner and will not exploit or use in any manner (other than for the purposes of reporting to Inditex), the discovered vulnerabilities.\n* You have not engaged, and will not engage, in testing/research of systems with the intention of harming Inditex, its customers, employees, partners or suppliers.\n* You have not used, misused, deleted, altered, or destroyed, and will not use, misuse, delete, alter, or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered.\n* You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service, or resource-exhaustion attacks or unsolicited mail.\n* You are not authorized to attack any device or account other than your own.\n* You have not tested, and will not test, the physical security of any property, building, plant, or factory of Inditex.\n* You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with Inditex product or service that led to your report.\n* You agree not to disclose to any third party 
any information related to your report, the vulnerabilities reported, nor the fact that a vulnerability has been reported to Inditex.\n* You agree not to test in a manner that would degrade or affect the operation of any Inditex systems or compromise the privacy and security of our customers. You shall not test in a way that disturbs or corrupts Inditex operations or services.\n* You agree not to post, transmit, upload, link to, send, or store any malicious software.\n* You agree not to breach third party intellectual property rights.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* Inditex does not guarantee that you will receive any response from Inditex related to your report. Inditex will only contact you regarding your report if Inditex deems it necessary.\n* You agree not to disclose any vulnerability without written express consent from Inditex.\n* You agree to submit vulnerabilities using the form included in this website.\n* You agree not to use your relationship with Inditex for marketing or financing activities.\n* You agree to destroy/delete any information regarding the vulnerability once communicated to Inditex.\n* Inditex may use your report for any purpose deemed relevant by Inditex, including without limitation, for the purpose of correcting any vulnerabilities that are reported and that Inditex deems to exist and to require correction. 
Should you propose any changes and/or improvements to an Inditex product or service in your report, you agree that you are submitting an “unsolicited idea submission” which shall be subject to the specific terms and conditions described in the Scope section of this Policy.\n* Inditex reserves all its legal rights in the event of noncompliance with this Policy, but in accordance with the safe harbor policy it does not intend to pursue legal civil or criminal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.\n* You know and agree that Inditex does not take any responsibility nor liability as regards any participation of any other party (if applicable) that could happen as part of the process of verification or related in any manner whatsoever with this page and its aim. Inditex is not responsible for reporters’ liabilities coming from actions performed on third parties. Inditex cannot authorize any activity on third parties’ products or guarantee they will not pursue legal actions against reporters.\n* You represent and warrant that the unsolicited idea submissions and the reports you deliver to us do not infringe upon any third parties’ rights, including, without limitation, intellectual property rights.\n\n## How to report Vulnerabilities\n\nWe encourage security researchers and reporters to share the details of any suspected vulnerabilities with Inditex. Your submission will be reviewed and validated to determine if the finding is valid and has not been previously reported. The preferred method for contacting Inditex regarding such vulnerabilities is by using the form present on this page. The form prevents reporters from having to spend valuable time and resources looking for an appropriate contact. 
By submitting it you confirm that you have read, understand, and agree with the terms and conditions of this Policy.\n\nWe require security researchers to include detailed information with steps for us to reproduce the vulnerability. If you identify a valid security vulnerability in compliance with this Policy, Inditex commits to working with you to understand and validate the issue and address the risk (if deemed appropriate by Inditex).\n\nInditex highly appreciates the efforts made by the reporting party in identifying the vulnerability. Reporting such vulnerabilities as soon as they are detected will contribute to improving the security and reliability of our services. \n\n* Supplying your contact information with your report is entirely voluntary and at your discretion.\n* Inditex will make use of all reports that are submitted; both those submitted anonymously and those with contact information.\n* If you do submit your contact information, the data controller will be _Industria de Diseño Textil, S.A. (Inditex, S.A.)_, with postal address _Avda. de la Diputación, Edificio Inditex, 15143, Arteixo (A Coruña), España_, which will only use such information to contact you regarding clarifying the details of your report, if that is necessary, and for any other kind of management related to the report. The legal basis for the data processing is the execution of the conditions established in this Policy. We may share your contact information with service providers and collaborators that give us support with the management and the execution of this Policy. You may contact the data protection officer through the email address dataprotection@inditex.com, and contact the data controller at the same email address to exercise your data protection rights, including the reference “Vulnerability Disclosure Policy”, and for further information about the processing of your personal data. 
Your contact information will be stored for as long as it is necessary for the above-mentioned purpose and for the compliance of legal obligations. Likewise, we inform you that you have the right to file a claim before the responsible data protection regulatory authority (https://www.agpd.es/portalwebAGPD/index-ides-idphp.php).\n\nApart from the above and as part of your disclosure please provide the following information:\n\n* Solid and adequate evidence to prove the existence of the vulnerability (screenshot, link, etc.)\n* Timeline or some information about the moment the vulnerability was discovered.\n* Any type of information deemed necessary to identify, locate and resolve the vulnerability in the fastest and most efficient way possible.\n\n#Legal\n\nInditex reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can [subscribe](https://docs.hackerone.com/hackers/manage-notifications.html#program-notifications) to receive email notifications when this policy is updated.\n\n#F.A.Q.\n\n1. Can I get Inditex swag?\n*Inditex Bounty does not currently offer swag*\n\n2. What language can I use for my report?\nFeel free to write your report in (ES) 🇪🇸 / (ENG) 🇬🇧.\n\n3. Can Inditex provide me with a pre-configured test account?\n*This program does not provide credentials or any special access*\n\n4. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)?\n\n5. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html)\n\n6. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work)\n\n7. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html)\n\n8. 
What is an example of an accepted vulnerability?\n*Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-07-24T09:36:12.172Z"},{"id":3722294,"new_policy":"#Brand Promise\n\nThe safety and security of our customers, suppliers and employees’ data and any sensitive information, as well as the reliability of the IT services we use to manufacture and market our products, are of utmost importance to the Inditex Group (hereinafter, “**Inditex**”). It is our compromise to deter any action directed against the confidentiality, integrity and availability of our computer systems, networks, and computer data as well as the misuse of such systems, networks and data for fraudulent activities, cybercrime offences or against the safety and security of our customers, suppliers, and employees. \n\nAn effective fight against these matters requires, on the one hand, to collaborate with institutions and authorities to try to assist in order to mitigate the commission of cybercrimes or illegal actions; on the other, to design and implement this Vulnerability Disclosure Policy (hereinafter, “Policy”), which describes the Inditex’s terms and conditions with regard to any unsolicited report related to potential IT vulnerabilities which can be exploited by threat actors against us, our customers, suppliers or employees.\n\nInditex cares deeply about maintaining trust and confidence and strongly believes that close collaboration with researchers and reporters improves security. 
If you are a security researcher or a reporter who has found a vulnerability in an Inditex service, we would like to hear from you.\n\nAccording to the ENISA definition, vulnerability is ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of affected systems.\n\nReporters must review, understand, and abide by the following terms and conditions included in the Policy before conducting any research or testing. In addition, Inditex encourages reporters to act in a responsible way in the reporting process.\n\nReporter compliance with terms and conditions of this Policy will be considered by Inditex as an authorized conduct in accordance with regulations included in national laws. Failure to abide by these terms and conditions will result in the loss of being considered a security researcher or reporter under the Policy.\n\nInditex reserves all legal rights in the event of any non-compliance with this Policy or in case of non-compliance with local laws.\n\n## Company\n\nInditex is one of the world's largest fashion retailers, with seven brands (Zara, Pull\u0026Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Lefties and Zara Home) selling in 202 markets through its online platform or its over 7,000 stores in 96 markets.\n\n## Mission\n\nSecurity is one of Inditex's core values and we want you to help us to improve the security of our technical infrastructure.\n\nIn return, we will pay you with a monetary reward. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report.\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a fix will be rewarded.\n\nTo qualify for a reward, you must:\n\n- Report a qualifying vulnerability that belongs to the scope (see below).\n- Be the first person to report it.\n- Communicate with our security team exclusively through this platform.\n- Comply with all the terms and conditions detailed below.\n\nCustomers, users, researchers, partners, and any other person that interacts with Inditex’s IT services may voluntarily report in good faith any potential security vulnerabilities to us. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Inditex will deem the submission as noncompliant with this Policy.\n\nInditex does not accept, review, or consider any unsolicited ideas, works, materials, proposals, suggestions, or the like, including for products, services, technologies, product enhancements, processes, marketing strategies, product names, content, or creative materials (all the foregoing “**unsolicited idea submissions**”). Do not send or provide any unsolicited idea submissions in any form to Inditex. 
Should you ignore our request and you still submit them, then regardless of what your correspondence says, you agree that: (1) your unsolicited idea submissions and their contents along with related intellectual property rights will automatically become the property of Inditex, without any compensation to you; (2) Inditex may use or redistribute the unsolicited idea submissions and their contents for any purpose and in any way on an unrestricted basis; (3) there is no obligation for Inditex to review the submissions; and (4) there is no obligation to keep any submissions confidential.\n\n#Rewards\n\n* Rewards are based on severity per CVSS (the [Common Vulnerability Scoring Standard](https://docs.hackerone.com/hackers/severity.html?))\n* All bounty amounts will be at the discretion of the Inditex Bounty Bug Bounty team.\n* Reports submitted using methods that violate policy rules will not be eligible for a reward.\n* To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.\n* Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites, as the duplicates will be closed, and the issue will be treated as one report.\n* While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.\n* Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. 
When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.\n\n#Scope exclusions\n\n* Inditex Bounty reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.\n* Clickjacking/UI redressing\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Logout and other instances of low-severity Cross-Site Request Forgery (e.g. add to cart)\n* Add or remove users from newsletters\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests\n* Brute force oracle attacks against unauthenticated endpoints\n* Missing best practices in Content Security Policy\n* Missing HTTP Only or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)\n* Tabnabbing\n* Issues that require unlikely user interaction by the victim\n* Any issues regarding single session features/management\n* Any hypothetical flaw or best practice without exploitable POC\n* Any hypothetical flaw or best practice 
where you are not able to achieve something that you shouldn't be able to do\n* Non-critical/high information disclosure\n* User enumeration\n* Stack traces or path disclosure\n* Missing autocomplete attributes\n* Customer leaked credentials\n* Weak CAPTCHA\n* **Self**-Client-side injection (XSS, Angular, Vue, HTML...)\n* Lack of rate-limit/anti-automation\n* Findings related to outdated swagger version and related vulnerabilities\n* Open redirect: unless an additional security impact can be demonstrated (other than social engineering)\n\n# Severity \n\nWe base the severity of the reports on CVSS v3.1 (the Common Vulnerability Scoring Standard). Also, our rewards are based on severity, so we pay more when the severity is proven to be more critical. Please note these are general guidelines, and reward decisions are up to the discretion of Inditex.\n\nAny report's severity can be escalated before and after its creation if necessary and proven (e.g., XSS to ATO, HTMLi to XSS, etc...). Any escalation path must be genuine. Different reports using the same escalation path will be treated as the base case (severity without escalation), and only the first will be considered escalated on severity. \nA new escalation path will be considered valid only if it ends in a higher severity than the original one (even if it shares part of its base path with other reports).\n\nThe base score for a reflected XSS in the ecommerce will be 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). We assume that you will be able to access information inside session context (e.g., address, name, email, etc...), and you will be able to modify some data from the user or the DOM. 
Regarding Scope (S) in the CVSS vector, despite being classified in some sites as \"changed\", we consider that the true impact of XSS lies in access to the user's session, and, therefore, affects a resource managed by the same security authority.\n\nAny report that requires special conditions beyond the attacker's control will have Attack Complexity (AC) set to High (H); this includes, but is not limited to, XSS that needs special user interaction (onmouseover, onclick, etc...) and any report that requires uncommon conditions on the victim's side.\n\n#Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. Inditex Bounty reserves all legal rights in the event of noncompliance with this policy.\n\n#Program Eligibility\n\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Publicly known Zero-day/One-day vulnerabilities will not be considered for eligibility until more than:\n  * 48h have passed since patch availability on Critical vulnerabilities.\n  * 5 days have passed since patch availability on High vulnerabilities.\n  * 60 days have passed since patch availability on Medium/Low vulnerabilities.\n* Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.\n* Inditex employees and third-party assets employees are not eligible for participation in this program.\n\n#Program 
Rules \n\n*Do*\n* Read and abide by the program policy.\n* Please append to your user-agent header the following value: '-inSec-CrowdPowered'.\n* Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.\n* Exercise caution when testing to avoid negative impact to customers and the services they depend on. \n* STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.\n* Avoid further exploitation after a vulnerability is found; do only what is required to produce a functional PoC, for instance:\n  - For RCE, it would be enough to run whoami ; uname; there is no need to compromise the entire OS.\n  - For SQLi, it would be enough to print the DB banner or show the DB name, username, table names, but no need to dump the entire DB...\n  - Other techniques and procedures for lateral movement, post-exploitation or establishing persistence through back-doors are completely forbidden.\n\n\n*Do NOT:*\n* Do not brute force credentials or guess credentials to gain access to systems.\n* Do not participate in denial-of-service attacks.\n* Do not upload shells or create a backdoor of any kind.\n* Do not engage in any form of social engineering for Inditex employees, customers, or vendors.\n* Do not engage or target any Inditex employee, customer, or vendor during your testing.\n* Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.\n* Do not change passwords of any account that is not yours or that you do not have explicit permission to change. 
If ever prompted to change the password of an account you did not register yourself or an account that was not provided to you, stop, and report the finding immediately.\n* Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.\n\n#Disclosure Policy\n\nThe following principles are considered key aspects of this Policy:\n\n* Good faith.\n* Lawfulness of activity.\n* Data Protection.\n* Security of information.\n* No extortion nor bribery.\n* Security improvement: don’t leave any system more vulnerable than before the test.\n* Third party ownership: don’t disturb, compromise, or damage data or property owned by third parties.\n\nInditex encourages reporters not to do harm and not to exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability. Avoid accessing the content of any communication, data or info transiting or stored on Inditex domains and info systems mentioned above except to the extent that is directly related to a vulnerability.\n\nOnce the reporter finds a vulnerability or encounters sensitive data, they must stop testing and notify Inditex of the findings.\n\nYou may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to an Inditex report, you must request permission on your report, and you must receive written approval from an Inditex team member.\n\n## Your Commitment\n\nBy making a report to Inditex using the form on this page, or otherwise communicating a report to Inditex, regarding vulnerabilities, you agree to the following terms:\n\n* Respect our privacy. 
Specifically:\n  * If you access anyone else’s data, personal, or otherwise in the course of your research, please **contact us immediately so we can investigate**. This includes usernames, passwords, and other credentials. The mentioned data is confidential. Please report to us what data was accessed and delete the data. You must not save, copy, download, transfer, disclose or broadcast this information. \n  * You agree not to process any personal data to which you, directly or indirectly, have incidental access and/or may know information which implies access to personal data except for the purpose of communicating it to Inditex. In this case, it will be done with the utmost confidentiality, in compliance with the principles established in the data protection laws and regulations, and solely for the purposes set forth in this Policy, and in particular the storage limitation and integrity and applying the necessary technical and organizational security measures. \n* Act in good faith. You should report the vulnerability to us with no conditions attached.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* You have not exploited or used in any manner and will not exploit or use in any manner (other than for the purposes of reporting to Inditex), the discovered vulnerabilities.\n* You have not engaged, and will not engage, in testing/research of systems with the intention of harming Inditex, its customers, employees, partners or suppliers.\n* You have not used, misused, deleted, altered, or destroyed, and will not use, misuse, delete, alter, or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered.\n* You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service, or resource-exhaustion attacks or unsolicited mail.\n* You are not authorized to attack any device or account other than your own.\n* You have not tested, 
and will not test, the physical security of any property, building, plant, or factory of Inditex.\n* You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with Inditex product or service that led to your report.\n* You agree not to disclose to any third party any information related to your report, the vulnerabilities reported, nor the fact that a vulnerability has been reported to Inditex.\n* You agree not to test in a manner that would degrade or affect the operation of any Inditex systems or compromise the privacy and security of our customers. You shall not test in a way that disturbs or corrupts Inditex operations or services.\n* You agree not to post, transmit, upload, link to, send, or store any malicious software.\n* You agree not to breach third party intellectual property rights.\n* Inditex does not guarantee that you will receive any response from Inditex related to your report. Inditex will only contact you regarding your report if Inditex deems it necessary.\n* You agree not to disclose any vulnerability without express written consent from Inditex.\n* You agree to submit vulnerabilities using the form included in this website.\n* You agree not to use your relationship with Inditex for marketing or financing activities.\n* You agree to destroy/delete any information regarding the vulnerability once it has been communicated to Inditex.\n* Inditex may use your report for any purpose deemed relevant by Inditex, including without limitation, for the purpose of correcting any vulnerabilities that are reported and that Inditex deems to exist and to require correction. 
Should you propose any changes and/or improvements to an Inditex product or service in your report, you agree that you are submitting an “unsolicited idea submission” which shall be subject to the specific terms and conditions described in the Scope section of this Policy.\n* Inditex reserves all its legal rights in the event of noncompliance with this Policy, but in accordance with safe harbor policy it does not intend to pursue legal civil or criminal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy\n* You know and agree that Inditex does not take any responsibility nor liability as regards any participation of any other party (if applicable) that could happen as part of the process of verification or related in any manner whatsoever with this page and its aim. Inditex is not responsible for reporters’ liabilities coming from actions performed on third parties. Inditex cannot authorize any activity on third parties’ products or guarantee they will not pursue legal actions against reporters.\n* You represent and warrant that the unsolicited idea submissions and the reports you deliver to us do not infringe upon any third parties’ rights, including, without limitation, intellectual property rights.\n\n## How to report Vulnerabilities\n\nWe encourage security researchers and reporters to share the details of any suspected vulnerabilities with Inditex. Your submission will be reviewed and validated to determine if the finding is valid and has not been previously reported. The preferred method for contacting Inditex regarding such vulnerabilities is by using the form present on this page. The form prevents reporters from having to spend valuable time and resources looking for appropriate contact. 
By submitting it you confirm that you have read, understand, and agree with the terms and conditions of this Policy.\n\nWe require security researchers to include detailed information with steps for us to reproduce the vulnerability. If you identify a valid security vulnerability in compliance with this Policy, Inditex commits to working with you to understand and validate the issue and address the risk (if deemed appropriate by Inditex).\n\nInditex highly appreciates the efforts made by the reporting party in identifying the vulnerability. Reporting such vulnerabilities as soon as they are detected will contribute to improving the security and reliability of our services. \n\n* Supplying your contact information with your report is entirely voluntary and at your discretion.\n* Inditex will make use of all reports that are submitted; both those submitted anonymously and those with contact information.\n* If you do submit your contact information, the data controller will be _Industria de Diseño Textil, S.A. (Inditex, S.A.)_, with postal address _Avda. de la Diputación, Edificio Inditex, 15143, Arteixo (A Coruña), España_, which will only use such information to contact you regarding clarifying the details of your report, if that is necessary, and for any other kind of management related to the report. The legal basis for the data processing is the execution of the conditions established in this Policy. We may share your contact information with service providers and collaborators that give us support with the management and the execution of this Policy. You may contact the data protection officer through the email address dataprotection@inditex.com, and contact the data controller at the same email address to exercise your data protection rights, including the reference “Vulnerability Disclosure Policy”, and for further information about the processing of your personal data. 
Your contact information will be stored for as long as it is necessary for the above-mentioned purpose and for the compliance of legal obligations. Likewise, we inform you that you have the right to file a claim before the responsible data protection regulatory authority (https://www.agpd.es/portalwebAGPD/index-ides-idphp.php).\n\nApart from the above and as part of your disclosure please provide the following information:\n\n* Solid and adequate evidence to prove the existence of the vulnerability (screenshot, link, etc.)\n* Timeline or some information about the moment the vulnerability was discovered.\n* Any type of information deemed necessary to identify, locate and resolve the vulnerability in the fastest and most efficient way possible.\n\n#Legal\n\nInditex reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can [subscribe](https://docs.hackerone.com/hackers/manage-notifications.html#program-notifications) to receive email notifications when this policy is updated.\n\n#F.A.Q.\n\n1. Can I get Inditex swag?\n*Inditex Bounty does not currently offer swag*\n\n2. What language can I use for my report?\nFeel free to write your report in (ES) 🇪🇸 / (ENG) 🇬🇧.\n\n3. Can Inditex provide me with a pre-configured test account?\n*This program does not provide credentials or any special access*\n\n4. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)?\n\n5. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html)\n\n6. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work)\n\n7. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html)\n\n8. 
What is an example of an accepted vulnerability?\n*Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-02T07:37:15.253Z"},{"id":3703829,"new_policy":"#Brand Promise\n\nThe safety and security of our customers, suppliers and employees’ data and any sensitive information, as well as the reliability of the IT services we use to manufacture and market our products, are of utmost importance to the Inditex Group (hereinafter, “**Inditex**”). It is our commitment to deter any action directed against the confidentiality, integrity and availability of our computer systems, networks, and computer data as well as the misuse of such systems, networks and data for fraudulent activities, cybercrime offences or against the safety and security of our customers, suppliers, and employees. \n\nAn effective fight against these matters requires, on the one hand, collaborating with institutions and authorities in order to help mitigate the commission of cybercrimes or illegal actions; on the other, designing and implementing this Vulnerability Disclosure Policy (hereinafter, “Policy”), which describes Inditex’s terms and conditions with regard to any unsolicited report related to potential IT vulnerabilities which can be exploited by threat actors against us, our customers, suppliers or employees.\n\nInditex cares deeply about maintaining trust and confidence and strongly believes that close collaboration with researchers and reporters improves security. 
If you are a security researcher or a reporter who has found a vulnerability in an Inditex service, we would like to hear from you.\n\nAccording to the ENISA definition, a vulnerability consists of ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of affected systems.\n\nReporters must review, understand, and abide by the following terms and conditions included in the Policy before conducting any research or testing. In addition, Inditex encourages reporters to act in a responsible way in the reporting process.\n\nReporter compliance with the terms and conditions of this Policy will be considered by Inditex as authorized conduct in accordance with regulations included in national laws. Failure to abide by these terms and conditions will result in the loss of being considered a security researcher or reporter under the Policy.\n\nInditex reserves all legal rights in the event of any non-compliance with this Policy or in case of non-compliance with local laws.\n\n## Company\n\nInditex is one of the world's largest fashion retailers, with seven brands (Zara, Pull\u0026Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Lefties and Zara Home) selling in 202 markets through its online platform or its over 7,000 stores in 96 markets.\n\n## Mission\n\nSecurity is one of Inditex's core values and we want you to help us to improve the security of our technical infrastructure.\n\nIn return, we will pay you with a monetary reward. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report.\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a fix will be rewarded.\n\nTo qualify for a reward, you must:\n\n- Report a qualifying vulnerability that belongs to the scope (see below).\n- Be the first person to report it.\n- Communicate with our security team exclusively through this platform.\n- Comply with all the terms and conditions detailed below.\n\nCustomers, users, researchers, partners, and any other person that interacts with Inditex’s IT services may voluntarily report in good faith any potential security vulnerabilities to us. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Inditex will render the submission noncompliant with this Policy.\n\nInditex does not accept, review, or consider any unsolicited ideas, works, materials, proposals, suggestions, or the like, including for products, services, technologies, product enhancements, processes, marketing strategies, product names, content, or creative materials (all the foregoing “**unsolicited idea submissions**”). Do not send or provide any unsolicited idea submissions in any form to Inditex. 
Should you ignore our request and you still submit them, then regardless of what your correspondence says, you agree that: (1) your unsolicited idea submissions and their contents along with related intellectual property rights will automatically become the property of Inditex, without any compensation to you; (2) Inditex may use or redistribute the unsolicited idea submissions and their contents for any purpose and in any way on an unrestricted basis; (3) there is no obligation for Inditex to review the submissions; and (4) there is no obligation to keep any submissions confidential.\n\n#Rewards\n\n* Rewards are based on severity per CVSS (the [Common Vulnerability Scoring Standard](https://docs.hackerone.com/hackers/severity.html?))\n* All bounty amounts will be at the discretion of the Inditex Bounty Bug Bounty team.\n* Reports submitted using methods that violate policy rules will not be eligible for a reward.\n* To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.\n* Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites, as the duplicates will be closed, and the issue will be treated as one report.\n* While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.\n* Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. 
When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.\n\n#Scope exclusions\n\n* Inditex Bounty reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.\n* Clickjacking/UI redressing\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Logout and other instances of low-severity Cross-Site Request Forgery (e.g. add to cart)\n* Add or remove users from newsletters\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests\n* Brute force oracle attacks against unauthenticated endpoints\n* Missing best practices in Content Security Policy\n* Missing HTTP Only or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)\n* Tabnabbing\n* Issues that require unlikely user interaction by the victim\n* Any issues regarding single session features/management\n* Any hypothetical flaw or best practice without exploitable POC\n* Any hypothetical flaw or best practice 
where you are not able to achieve something that you shouldn't be able to do\n* Non-critical/high information disclosure\n* User enumeration\n* Stack traces or path disclosure\n* Missing autocomplete attributes\n* Customer leaked credentials\n* Weak CAPTCHA\n* **Self**-Client-side injection (XSS, Angular, Vue, HTML...)\n* Lack of rate-limit/anti-automation\n* Findings related to outdated swagger version and related vulnerabilities.\n* Open redirect: unless an additional security impact can be demonstrated\n\n# Severity \n\nWe base the severity of the reports on CVSS v3.1 (the Common Vulnerability Scoring Standard). Also, our rewards are based on severity, so we pay more when the severity is proven to be more critical. Please note these are general guidelines, and reward decisions are up to the discretion of Inditex.\n\nAny report's severity can be escalated before and after its creation if necessary and proven (e.g., XSS to ATO, HTMLi to XSS, etc...). Any escalation path must be genuine. Different reports using the same escalation path will be treated as the base case (severity without escalation), and only the first will be considered escalated on severity. \nA new escalation path will be considered valid only if it ends in a higher severity than the original one (even if it shares part of its base path with other reports).\n\nThe base score for a reflected XSS in the ecommerce will be 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N). We assume that you will be able to access information inside session context (e.g., address, name, email, etc...), and you will be able to modify some data from the user or the DOM. 
Regarding Scope (S) in the CVSS vector, despite being classified in some sites as \"changed\", we consider that the true impact of XSS lies in access to the user's session, and, therefore, affects a resource managed by the same security authority.\n\nAny report that requires special conditions beyond the attacker's control will have Attack Complexity (AC) set to High (H); this includes, but is not limited to, XSS that needs special user interaction (onmouseover, onclick, etc...) and any report that requires uncommon conditions on the victim's side.\n\n#Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. Inditex Bounty reserves all legal rights in the event of noncompliance with this policy.\n\n#Program Eligibility\n\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Publicly known Zero-day/One-day vulnerabilities will not be considered for eligibility until more than:\n  * 48h have passed since patch availability on Critical vulnerabilities.\n  * 5 days have passed since patch availability on High vulnerabilities.\n  * 60 days have passed since patch availability on Medium/Low vulnerabilities.\n* Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.\n* Inditex employees and third-party assets employees are not eligible for participation in this program.\n\n#Program 
Rules \n\n*Do*\n* Read and abide by the program policy.\n* Please append to your user-agent header the following value: '-inSec-CrowdPowered'.\n* Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.\n* Exercise caution when testing to avoid negative impact to customers and the services they depend on. \n* STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.\n* Avoid further exploitation after a vulnerability is found; do only what is required to produce a functional PoC, for instance:\n  - For RCE, it would be enough to run whoami ; uname; there is no need to compromise the entire OS.\n  - For SQLi, it would be enough to print the DB banner or show the DB name, username, table names, but no need to dump the entire DB...\n  - Other techniques and procedures for lateral movement, post-exploitation or establishing persistence through back-doors are completely forbidden.\n\n\n*Do NOT:*\n* Do not brute force credentials or guess credentials to gain access to systems.\n* Do not participate in denial-of-service attacks.\n* Do not upload shells or create a backdoor of any kind.\n* Do not engage in any form of social engineering for Inditex employees, customers, or vendors.\n* Do not engage or target any Inditex employee, customer, or vendor during your testing.\n* Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.\n* Do not change passwords of any account that is not yours or that you do not have explicit permission to change. 
If ever prompted to change the password of an account you did not register yourself or an account that was not provided to you, stop, and report the finding immediately.\n* Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.\n\n#Disclosure Policy\n\nThe following principles are considered key aspects of this Policy:\n\n* Good faith.\n* Lawfulness of activity.\n* Data Protection.\n* Security of information.\n* No extortion nor bribery.\n* Security improvement: don’t leave any system more vulnerable than before the test.\n* Third party ownership: don’t disturb, compromise, or damage data or property owned by third parties.\n\nInditex encourages reporters not to do harm and not to exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability. Avoid accessing the content of any communication, data or info transiting or stored on Inditex domains and info systems mentioned above except to the extent that is directly related to a vulnerability.\n\nOnce the reporter finds a vulnerability or encounters sensitive data, they must stop testing and notify Inditex of the findings.\n\nYou may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to an Inditex report, you must request permission on your report, and you must receive written approval from an Inditex team member.\n\n## Your Commitment\n\nBy making a report to Inditex using the form on this page, or otherwise communicating a report to Inditex, regarding vulnerabilities, you agree to the following terms:\n\n* Respect our privacy. 
Specifically:\n  * If you access anyone else’s data, personal, or otherwise in the course of your research, please **contact us immediately so we can investigate**. This includes usernames, passwords, and other credentials. The mentioned data is confidential. Please report to us what data was accessed and delete the data. You must not save, copy, download, transfer, disclose or broadcast this information. \n  * You agree not to process any personal data to which you, directly or indirectly, have incidental access and/or may know information which implies access to personal data except for the purpose of communicating it to Inditex. In this case, it will be done with the utmost confidentiality, in compliance with the principles established in the data protection laws and regulations, and solely for the purposes set forth in this Policy, and in particular the storage limitation and integrity and applying the necessary technical and organizational security measures. \n* Act in good faith. You should report the vulnerability to us with no conditions attached.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* You have not exploited or used in any manner and will not exploit or use in any manner (other than for the purposes of reporting to Inditex), the discovered vulnerabilities.\n* You have not engaged, and will not engage, in testing/research of systems with the intention of harming Inditex, its customers, employees, partners or suppliers.\n* You have not used, misused, deleted, altered, or destroyed, and will not use, misuse, delete, alter, or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered.\n* You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service, or resource-exhaustion attacks or unsolicited mail.\n* You are not authorized to attack any device or account other than your own.\n* You have not tested, 
and will not test, the physical security of any property, building, plant, or factory of Inditex.\n* You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the Inditex product or service that led to your report.\n* You agree not to disclose to any third party any information related to your report, the vulnerabilities reported, nor the fact that a vulnerability has been reported to Inditex.\n* You agree not to test in a manner that would degrade or affect the operation of any Inditex systems or compromise the privacy and security of our customers. You shall not test in ways that disturb or corrupt Inditex operations or services.\n* You agree not to post, transmit, upload, link to, send, or store any malicious software.\n* You agree not to breach third party intellectual property rights.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* Inditex does not guarantee that you will receive any response from Inditex related to your report. Inditex will only contact you regarding your report if Inditex deems it necessary.\n* You agree not to disclose any vulnerability without written express consent from Inditex.\n* You agree to submit vulnerabilities using the form included in this website.\n* You agree not to use your relationship with Inditex for marketing or financing activities.\n* You agree to destroy/delete any information regarding the vulnerability once communicated to Inditex.\n* Inditex may use your report for any purpose deemed relevant by Inditex, including without limitation, for the purpose of correcting any vulnerabilities that are reported and that Inditex deems to exist and to require correction. 
Should you propose any changes and/or improvements to an Inditex product or service in your report, you agree that you are submitting an “unsolicited idea submission” which shall be subject to the specific terms and conditions described in the Scope section of this Policy.\n* Inditex reserves all its legal rights in the event of noncompliance with this Policy, but in accordance with safe harbor policy it does not intend to pursue legal civil or criminal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy\n* You know and agree that Inditex does not take any responsibility nor liability as regards any participation of any other party (if applicable) that could happen as part of the process of verification or related in any manner whatsoever with this page and its aim. Inditex is not responsible for reporters’ liabilities coming from actions performed on third parties. Inditex cannot authorize any activity on third parties’ products or guarantee they will not pursue legal actions against reporters.\n* You represent and warrant that the unsolicited idea submissions and the reports you deliver to us do not infringe upon any third parties’ rights, including, without limitation, intellectual property rights.\n\n## How to report Vulnerabilities\n\nWe encourage security researchers and reporters to share the details of any suspected vulnerabilities with Inditex. Your submission will be reviewed and validated to determine if the finding is valid and has not been previously reported. The preferred method for contacting Inditex regarding such vulnerabilities is by using the form present on this page. The form prevents reporters from having to spend valuable time and resources looking for appropriate contact. 
By submitting it you confirm that you have read, understand, and agree with the terms and conditions of this Policy.\n\nWe require security researchers to include detailed information with steps for us to reproduce the vulnerability. If you identify a valid security vulnerability in compliance with this Policy, Inditex commits to working with you to understand and validate the issue and address the risk (if deemed appropriate by Inditex).\n\nInditex highly appreciates the efforts made by the reporting party in identifying the vulnerability. Reporting such vulnerabilities as soon as they are detected will contribute to improving the security and reliability of our services. \n\n* Supplying your contact information with your report is entirely voluntary and at your discretion.\n* Inditex will make use of all reports that are submitted; both those submitted anonymously and those with contact information.\n* If you do submit your contact information, the data controller will be _Industria de Diseño Textil, S.A. (Inditex, S.A.)_, with postal address _Avda. de la Diputación, Edificio Inditex, 15143, Arteixo (A Coruña), España_, which will only use such information to contact you regarding clarifying the details of your report, if that is necessary, and for any other kind of management related to the report. The legal basis for the data processing is the execution of the conditions established in this Policy. We may share your contact information with service providers and collaborators that give us support with the management and the execution of this Policy. You may contact the data protection officer through the email address dataprotection@inditex.com, and contact the data controller at the same email address to exercise your data protection rights, including the reference “Vulnerability Disclosure Policy”, and for further information about the processing of your personal data. 
Your contact information will be stored until it is necessary for the above-mentioned purpose and for the compliance of legal obligations. Likewise, we inform you that you have the right to file a claim before the responsible data protection regulatory authority (https://www.agpd.es/portalwebAGPD/index-ides-idphp.php).\n\nApart from the above and as part of your disclosure please provide the following information:\n\n* Solid and adequate evidence to prove the existence of the vulnerability (screenshot, link, etc.)\n* Timeline or some information about the moment the vulnerability was discovered.\n* Any type of information deemed necessary to identify, locate and resolve the vulnerability in the fastest and most efficient way possible.\n\n#Legal\n\nInditex reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can [subscribe](https://docs.hackerone.com/hackers/manage-notifications.html#program-notifications) to receive email notifications when this policy is updated.\n\n#F.A.Q.\n\n1. Can I get Inditex swag?\n*Inditex Bounty does not currently offer swag*\n\n1. What language can I use for my report?\nFeel free to write your report in (ES) 🇪🇸 / (ENG) 🇬🇧.\n\n2. Can Inditex provide me with a pre-configured test account?\n*This program does not provide credentials or any special access*\n\n3. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)?\n\n4. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html)\n\n5. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work)\n\n6. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html)\n\n7. 
What is an example of an accepted vulnerability?\n*Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-27T07:49:57.253Z"},{"id":3701819,"new_policy":"#Brand Promise\n\nThe safety and security of our customers, suppliers and employees’ data and any sensitive information, as well as the reliability of the IT services we use to manufacture and market our products, are of utmost importance to the Inditex Group (hereinafter, “**Inditex**”). It is our compromise to deter any action directed against the confidentiality, integrity and availability of our computer systems, networks, and computer data as well as the misuse of such systems, networks and data for fraudulent activities, cybercrime offences or against the safety and security of our customers, suppliers, and employees. \n\nAn effective fight against these matters requires, on the one hand, to collaborate with institutions and authorities to try to assist in order to mitigate the commission of cybercrimes or illegal actions; on the other, to design and implement this Vulnerability Disclosure Policy (hereinafter, “Policy”), which describes the Inditex’s terms and conditions with regard to any unsolicited report related to potential IT vulnerabilities which can be exploited by threat actors against us, our customers, suppliers or employees.\n\nInditex cares deeply about maintaining trust and confidence and strongly believes that close collaboration with researchers and reporters improves security. 
If you are a security researcher or a reporter who has found a vulnerability in an Inditex service, we would like to hear from you.\n\nAccording to the ENISA definition, vulnerability is ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of affected systems.\n\nReporters must review, understand, and abide by the following terms and conditions included in the Policy before conducting any research or testing. In addition, Inditex encourages reporters to act in a responsible way in the reporting process.\n\nReporter compliance with terms and conditions of this Policy will be considered by Inditex as an authorized conduct in accordance with regulations included in national laws. Failure to abide by the terms and conditions will result in the loss of being considered a security researcher or reporter under the Policy.\n\nInditex reserves all legal rights in the event of any non-compliance with this Policy or in case of non-compliance with local laws.\n\n## Company\n\nInditex is one of the world's largest fashion retailers, with seven brands (Zara, Pull\u0026Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Lefties and Zara Home) selling in 202 markets through its online platform or its over 7,000 stores in 96 markets.\n\n## Mission\n\nSecurity is one of Inditex's core values and we want you to help us to improve the security of our technical infrastructure.\n\nIn return, we will pay you a monetary reward. Reward amounts may vary depending upon the severity of the vulnerability reported and quality of the report.\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a fix will be rewarded.\n\nTo qualify for a reward, you must:\n\n- Report a qualifying vulnerability that belongs to the scope (see below).\n- Be the first person to report it.\n- Communicate with our security team exclusively through this platform.\n- Comply with all the terms and conditions detailed below.\n\nCustomers, users, researchers, partners, and any other person that interacts with Inditex’s IT services may voluntarily report in good faith any potential security vulnerabilities to us. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Inditex will deem the submission as noncompliant with this Policy.\n\nInditex does not accept, review, or consider any unsolicited ideas, works, materials, proposals, suggestions, or the like, including for products, services, technologies, product enhancements, processes, marketing strategies, product names, content, or creative materials (all the foregoing “**unsolicited idea submissions**”). Do not send or provide any unsolicited idea submissions in any form to Inditex. 
Should you ignore our request and you still submit them, then regardless of what your correspondence says, you agree that: (1) your unsolicited idea submissions and their contents along with related intellectual property rights will automatically become the property of Inditex, without any compensation to you; (2) Inditex may use or redistribute the unsolicited idea submissions and their contents for any purpose and in any way on an unrestricted basis; (3) there is no obligation for Inditex to review the submissions; and (4) there is no obligation to keep any submissions confidential.\n\n#Rewards\n\n* Rewards are based on severity per CVSS (the [Common Vulnerability Scoring Standard](https://docs.hackerone.com/hackers/severity.html?))\n* All bounty amounts will be at the discretion of the Inditex Bounty Bug Bounty team.\n* Reports submitted using methods that violate policy rules will not be eligible for a reward.\n* To be eligible for a reward, the report must be for bounty eligible assets as defined in the scope section of our policy.\n* Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites, as the duplicates will be closed, and the issue will be treated as one report.\n* While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.\n* Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. 
When this happens, we will act as transparently as we can to provide you with the necessary context as how the decision was made.\n\n#Scope exclusions\n\n* Inditex Bounty reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.\n* Clickjacking/UI redressing\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Logout and other instances of low-severity Cross-Site Request Forgery (e.g. add to cart)\n* Add or remove users from newsletters\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Any activity that could lead to the disruption of our service (DoS).\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests\n* Brute force oracle attacks against unauthenticated endpoints\n* Missing best practices in Content Security Policy\n* Missing HTTP Only or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)\n* Tabnabbing\n* Issues that require unlikely user interaction by the victim\n* Any issues regarding single session features/management\n* Any hypothetical flaw or best practice without exploitable POC\n* Any hypothetical flaw or best practice 
where you are not able to achieve something that you shouldn't be able to do\n* Non-critical/high information disclosure\n* User enumeration\n* Stack traces or path disclosure\n* Missing autocomplete attributes\n* Customer leaked credentials\n* Weak CAPTCHA\n* **Self**-Client-side injection (XSS, Angular, Vue, HTML...)\n* Lack of rate-limit/anti-automation\n* Findings related to outdated swagger version and related vulnerabilities.\n* Open redirect: unless an additional security impact can be demonstrated\n\n#Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. Inditex Bounty reserves all legal rights in the event of noncompliance with this policy.\n\n#Program Eligibility\n\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Publicly known Zero-day/One-day vulnerabilities will not be considered for eligibility until more than:\n  * 48h have passed since patch availability on Critical vulnerabilities.\n  * 5 days have passed since patch availability on High vulnerabilities.\n  * 60 days have passed since patch availability on Medium/Low vulnerabilities.\n* Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.\n* Inditex employees and third-party asset employees are not eligible for participation in this program.\n\n#Program Rules \n\n*Do*\n* Read 
and abide by the program policy.\n* Please append to your user-agent header the following value: '-inSec-CrowdPowered'.\n* Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.\n* Exercise caution when testing to avoid negative impact to customers and the services they depend on. \n* STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.\n* Avoid further exploitation once a vulnerability is found; do only what is required to produce a functional PoC, for instance:\n  - For RCE, a PoC that runs whoami ; uname would be enough; there is no need to compromise the entire OS.\n  - For SQLi, it would be enough to print the DB banner or show the DB name, username or table names, but there is no need to dump the entire DB.\n  - Other techniques and procedures for lateral movement, post-exploitation or establishing persistence through back-doors are completely forbidden.\n\n\n*Do NOT:*\n* Do not brute-force credentials or guess credentials to gain access to systems.\n* Do not participate in denial-of-service attacks.\n* Do not upload shells or create a backdoor of any kind.\n* Do not engage in any form of social engineering against Inditex employees, customers, or vendors.\n* Do not engage or target any Inditex employee, customer, or vendor during your testing.\n* Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.\n* Do not change passwords of any account that is not yours or that you do not have explicit permission to change. 
If ever prompted to change the password of an account you did not register yourself or an account that was not provided to you, stop, and report the finding immediately.\n* Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.\n\n#Disclosure Policy\n\nThe following principles are considered key aspects of this Policy:\n\n* Good faith.\n* Lawfulness of activity.\n* Data Protection.\n* Security of information.\n* No extortion nor bribery.\n* Security improvement: don’t leave any system more vulnerable than before the test.\n* Third party ownership: don’t disturb, compromise, or damage data or property owned by third parties.\n\nInditex encourages reporters not to do harm and not to exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability. Avoid accessing the content of any communication, data or info transiting or stored on Inditex domains and info systems mentioned above except to the extent that is directly related to a vulnerability.\n\nOnce the reporter finds a vulnerability or encounters sensitive data, they must stop testing and notify Inditex of the findings.\n\nYou may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to an Inditex report, you must request permission on your report, and you must receive written approval from an Inditex team member.\n\n## Your Commitment\n\nBy making a report to Inditex using the form on this page, or otherwise communicating a report to Inditex, regarding vulnerabilities, you agree to the following terms:\n\n* Respect our privacy. 
Specifically:\n  * If you access anyone else’s data, personal, or otherwise in the course of your research, please **contact us immediately so we can investigate**. This includes usernames, passwords, and other credentials. The mentioned data is confidential. Please report to us what data was accessed and delete the data. You must not save, copy, download, transfer, disclose or broadcast this information. \n  * You agree not to process any personal data to which you, directly or indirectly, have incidental access and/or may know information which implies access to personal data except for the purpose of communicating it to Inditex. In this case, it will be done with the utmost confidentiality, in compliance with the principles established in the data protection laws and regulations, and solely for the purposes set forth in this Policy, and in particular the storage limitation and integrity and applying the necessary technical and organizational security measures. \n* Act in good faith. You should report the vulnerability to us with no conditions attached.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* You have not exploited or used in any manner and will not exploit or use in any manner (other than for the purposes of reporting to Inditex), the discovered vulnerabilities.\n* You have not engaged, and will not engage, in testing/research of systems with the intention of harming Inditex, its customers, employees, partners or suppliers.\n* You have not used, misused, deleted, altered, or destroyed, and will not use, misuse, delete, alter, or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered.\n* You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service, or resource-exhaustion attacks or unsolicited mail.\n* You are not authorized to attack any device or account other than your own.\n* You have not tested, 
and will not test, the physical security of any property, building, plant, or factory of Inditex.\n* You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the Inditex product or service that led to your report.\n* You agree not to disclose to any third party any information related to your report, the vulnerabilities reported, nor the fact that a vulnerability has been reported to Inditex.\n* You agree not to test in a manner that would degrade or affect the operation of any Inditex systems or compromise the privacy and security of our customers. You shall not test in ways that disturb or corrupt Inditex operations or services.\n* You agree not to post, transmit, upload, link to, send, or store any malicious software.\n* You agree not to breach third party intellectual property rights.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* Inditex does not guarantee that you will receive any response from Inditex related to your report. Inditex will only contact you regarding your report if Inditex deems it necessary.\n* You agree not to disclose any vulnerability without written express consent from Inditex.\n* You agree to submit vulnerabilities using the form included in this website.\n* You agree not to use your relationship with Inditex for marketing or financing activities.\n* You agree to destroy/delete any information regarding the vulnerability once communicated to Inditex.\n* Inditex may use your report for any purpose deemed relevant by Inditex, including without limitation, for the purpose of correcting any vulnerabilities that are reported and that Inditex deems to exist and to require correction. 
Should you propose any changes and/or improvements to an Inditex product or service in your report, you agree that you are submitting an “unsolicited idea submission” which shall be subject to the specific terms and conditions described in the Scope section of this Policy.\n* Inditex reserves all its legal rights in the event of noncompliance with this Policy, but in accordance with safe harbor policy it does not intend to pursue legal civil or criminal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy\n* You know and agree that Inditex does not take any responsibility nor liability as regards any participation of any other party (if applicable) that could happen as part of the process of verification or related in any manner whatsoever with this page and its aim. Inditex is not responsible for reporters’ liabilities coming from actions performed on third parties. Inditex cannot authorize any activity on third parties’ products or guarantee they will not pursue legal actions against reporters.\n* You represent and warrant that the unsolicited idea submissions and the reports you deliver to us do not infringe upon any third parties’ rights, including, without limitation, intellectual property rights.\n\n## How to report Vulnerabilities\n\nWe encourage security researchers and reporters to share the details of any suspected vulnerabilities with Inditex. Your submission will be reviewed and validated to determine if the finding is valid and has not been previously reported. The preferred method for contacting Inditex regarding such vulnerabilities is by using the form present on this page. The form prevents reporters from having to spend valuable time and resources looking for appropriate contact. 
By submitting it you confirm that you have read, understand, and agree with the terms and conditions of this Policy.\n\nWe require security researchers to include detailed information with steps for us to reproduce the vulnerability. If you identify a valid security vulnerability in compliance with this Policy, Inditex commits to working with you to understand and validate the issue and address the risk (if deemed appropriate by Inditex).\n\nInditex highly appreciates the efforts made by the reporting party in identifying the vulnerability. Reporting such vulnerabilities as soon as they are detected will contribute to improving the security and reliability of our services. \n\n* Supplying your contact information with your report is entirely voluntary and at your discretion.\n* Inditex will make use of all reports that are submitted; both those submitted anonymously and those with contact information.\n* If you do submit your contact information, the data controller will be _Industria de Diseño Textil, S.A. (Inditex, S.A.)_, with postal address _Avda. de la Diputación, Edificio Inditex, 15143, Arteixo (A Coruña), España_, which will only use such information to contact you regarding clarifying the details of your report, if that is necessary, and for any other kind of management related to the report. The legal basis for the data processing is the execution of the conditions established in this Policy. We may share your contact information with service providers and collaborators that give us support with the management and the execution of this Policy. You may contact the data protection officer through the email address dataprotection@inditex.com, and contact the data controller at the same email address to exercise your data protection rights, including the reference “Vulnerability Disclosure Policy”, and for further information about the processing of your personal data. 
Your contact information will be stored for as long as it is necessary for the above-mentioned purpose and to comply with legal obligations. Likewise, we inform you that you have the right to file a complaint with the competent data protection supervisory authority (https://www.agpd.es/portalwebAGPD/index-ides-idphp.php).\n\nApart from the above, as part of your disclosure please provide the following information:\n\n* Solid and adequate evidence to prove the existence of the vulnerability (screenshot, link, etc.)\n* Timeline or other information about when the vulnerability was discovered.\n* Any type of information deemed necessary to identify, locate and resolve the vulnerability in the fastest and most efficient way possible.\n\n#Legal\n\nInditex reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can [subscribe](https://docs.hackerone.com/hackers/manage-notifications.html#program-notifications) to receive email notifications when this policy is updated.\n\n#F.A.Q.\n\n1. Can I get Inditex swag?\n*Inditex Bounty does not currently offer swag*\n\n2. What language can I use for my report?\nFeel free to write your report in (ES) 🇪🇸 / (ENG) 🇬🇧.\n\n3. Can Inditex provide me with a pre-configured test account?\n*This program does not provide credentials or any special access*\n\n4. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)?\n\n5. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html)\n\n6. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work)\n\n7. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html)\n\n8. 
What is an example of an accepted vulnerability?\n*Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-09T17:04:35.717Z"},{"id":3701586,"new_policy":"#Brand Promise\n\nThe safety and security of our customers, suppliers and employees’ data and any sensitive information, as well as the reliability of the IT services we use to manufacture and market our products, are of utmost importance to the Inditex Group (hereinafter, “**Inditex**”). It is our commitment to deter any action directed against the confidentiality, integrity and availability of our computer systems, networks, and computer data as well as the misuse of such systems, networks and data for fraudulent activities, cybercrime offences or against the safety and security of our customers, suppliers, and employees. \n\nAn effective fight against these matters requires, on the one hand, collaborating with institutions and authorities to help mitigate the commission of cybercrimes or illegal actions; on the other, designing and implementing this Vulnerability Disclosure Policy (hereinafter, “Policy”), which describes Inditex’s terms and conditions with regard to any unsolicited report related to potential IT vulnerabilities which can be exploited by threat actors against us, our customers, suppliers or employees.\n\nInditex cares deeply about maintaining trust and confidence and strongly believes that close collaboration with researchers and reporters improves security. 
If you are a security researcher or a reporter who has found a vulnerability in an Inditex service, we would like to hear from you.\n\nAccording to the ENISA definition, vulnerabilities are ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of affected systems.\n\nReporters must review, understand, and abide by the following terms and conditions included in the Policy before conducting any research or testing. In addition, Inditex encourages reporters to act in a responsible way in the reporting process.\n\nReporter compliance with the terms and conditions of this Policy will be considered by Inditex as authorized conduct in accordance with regulations included in national laws. Failure to abide by the terms and conditions will result in no longer being considered a security researcher or reporter under the Policy.\n\nInditex reserves all legal rights in the event of any non-compliance with this Policy or in case of non-compliance with local laws.\n\n## Company\n\nInditex is one of the world's largest fashion retailers, with eight brands (Zara, Pull\u0026Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Lefties and Zara Home) selling in 202 markets through its online platform or its over 7,000 stores in 96 markets.\n\n## Mission\n\nSecurity is one of Inditex's core values and we want you to help us improve the security of our technical infrastructure.\n\nIn return, we will pay you a monetary reward. Reward amounts may vary depending upon the severity of the vulnerability reported and the quality of the report.\n\nDepending on their impact, not all reported issues may qualify for a monetary reward. 
However, all reports are reviewed on a case-by-case basis and any report that results in a fix will be rewarded.\n\nTo qualify for a reward, you must:\n\n- Report a qualifying vulnerability that belongs to the scope (see below).\n- Be the first person to report it.\n- Communicate with our security team exclusively through this platform.\n- Comply with all the terms and conditions detailed below.\n\nCustomers, users, researchers, partners, and any other person that interacts with Inditex’s IT services may voluntarily report in good faith any potential security vulnerabilities to us. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Inditex will render the submission noncompliant with this Policy.\n\nInditex does not accept, review, or consider any unsolicited ideas, works, materials, proposals, suggestions, or the like, including for products, services, technologies, product enhancements, processes, marketing strategies, product names, content, or creative materials (all the foregoing “**unsolicited idea submissions**”). Do not send or provide any unsolicited idea submissions in any form to Inditex. 
Should you ignore our request and submit them anyway, then regardless of what your correspondence says, you agree that: (1) your unsolicited idea submissions and their contents along with related intellectual property rights will automatically become the property of Inditex, without any compensation to you; (2) Inditex may use or redistribute the unsolicited idea submissions and their contents for any purpose and in any way on an unrestricted basis; (3) there is no obligation for Inditex to review the submissions; and (4) there is no obligation to keep any submissions confidential.\n\n#Rewards\n\n* Rewards are based on severity per CVSS (the [Common Vulnerability Scoring System](https://docs.hackerone.com/hackers/severity.html?))\n* All bounty amounts will be at the discretion of the Inditex Bug Bounty team.\n* Reports submitted using methods that violate policy rules will not be eligible for a reward.\n* To be eligible for a reward, the report must be for bounty-eligible assets as defined in the scope section of our policy.\n* Multiple reports describing the same vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report. Do not submit duplicate reports for the same issue across multiple sites, as the duplicates will be closed, and the issue will be treated as one report.\n* While we aim for consistency, previous reports and prior bounty amounts will not set a precedent for future report eligibility or severity.\n* Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. 
When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.\n\n#Scope exclusions\n\n* Inditex Bounty reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance.\n* Clickjacking/UI redressing\n* Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions\n* Logout and other instances of low-severity Cross-Site Request Forgery (e.g. add to cart)\n* Add or remove users from newsletters\n* Attacks requiring MITM or physical access to a user's device\n* Previously known vulnerable libraries without a working Proof of Concept\n* Comma Separated Values (CSV) injection without demonstrating a vulnerability\n* Missing best practices in SSL/TLS configuration\n* Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS\n* Any activity that could lead to the disruption of our service (DoS), including but not limited to inundating support services with invalid requests\n* Brute force oracle attacks against unauthenticated endpoints\n* Missing best practices in Content Security Policy\n* Missing HttpOnly or Secure flags on cookies\n* Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)\n* Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]\n* Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)\n* Tabnabbing\n* Issues that require unlikely user interaction by the victim\n* Any issues regarding single session features/management\n* Any hypothetical flaw or best practice without an exploitable PoC\n* Any hypothetical flaw or best practice 
where you are not able to achieve something that you shouldn't be able to do\n* Non-critical/high information disclosure\n* User enumeration\n* Stack traces or path disclosure\n* Missing autocomplete attributes\n* Customer leaked credentials\n* Weak CAPTCHA\n* **Self**-Client-side injection (XSS, Angular, Vue, HTML...)\n* Lack of rate-limit/anti-automation\n* Findings related to outdated swagger versions and related vulnerabilities.\n* Open redirect: unless an additional security impact can be demonstrated\n\n#Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. Inditex Bounty reserves all legal rights in the event of noncompliance with this policy.\n\n#Program Eligibility\n\n* You agree and adhere to the Program Rules and Legal terms as stated in this policy.\n* You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.\n* You are available to supply additional information, as needed by our team, to reproduce and triage the issue.\n* Publicly-known Zero-day/One-day vulnerabilities will not be considered for eligibility until more than:\n  * 48h have passed since patch availability on Critical vulnerabilities.\n  * 5 days have passed since patch availability on High vulnerabilities.\n  * 60 days have passed since patch availability on Medium/Low vulnerabilities.\n* Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.\n* Inditex employees and third-party assets employees are not eligible for participation in this program.\n\n#Program Rules \n\n*Do*\n* Read 
and abide by the program policy.\n* Please append the following value to your User-Agent header: '-inSec-CrowdPowered'.\n* Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.\n* Exercise caution when testing to avoid negative impact to customers and the services they depend on. \n* STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.\n* Avoid further exploitation once a vulnerability is found; do only what is required to produce a functional PoC, for instance:\n  - For RCE, running whoami or uname is enough as a PoC; there is no need to compromise the entire OS.\n  - For SQLi, it is enough to print the DB banner or show the DB name, username, or table names; there is no need to dump the entire DB.\n  - Other techniques and procedures for lateral movement, post-exploitation or establishing persistence through back-doors are completely forbidden.\n\n\n*Do NOT:*\n* Do not brute-force or guess credentials to gain access to systems.\n* Do not participate in denial-of-service attacks.\n* Do not upload shells or create a backdoor of any kind.\n* Do not engage in any form of social engineering against Inditex employees, customers, or vendors.\n* Do not engage or target any Inditex employee, customer, or vendor during your testing.\n* Do not attempt to extract, download, or otherwise exfiltrate data that you believe may contain PII or other sensitive data other than your own.\n* Do not change passwords of any account that is not yours or that you do not have explicit permission to change. 
If ever prompted to change the password of an account you did not register yourself or an account that was not provided to you, stop, and report the finding immediately.\n* Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.\n\n#Disclosure Policy\n\nThe following principles are considered key aspects of this Policy:\n\n* Good faith.\n* Lawfulness of activity.\n* Data Protection.\n* Security of information.\n* No extortion nor bribery.\n* Security improvement: don’t leave any system more vulnerable than before the test.\n* Third party ownership: don’t disturb, compromise, or damage data or property owned by third parties.\n\nInditex encourages reporters not to do harm and not to exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability. Avoid accessing the content of any communication, data or info transiting or stored on the Inditex domains and information systems mentioned above except to the extent that is directly related to a vulnerability.\n\nOnce the reporter finds a vulnerability or encounters sensitive data, they must stop testing and notify Inditex of the findings.\n\nYou may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to an Inditex report, you must request permission on your report, and you must receive written approval from an Inditex team member.\n\n## Your Commitment\n\nBy making a report to Inditex using the form on this page, or otherwise communicating a report to Inditex, regarding vulnerabilities, you agree to the following terms:\n\n* Respect our privacy. 
Specifically:\n  * If you access anyone else’s data, personal, or otherwise in the course of your research, please **contact us immediately so we can investigate**. This includes usernames, passwords, and other credentials. The mentioned data is confidential. Please report to us what data was accessed and delete the data. You must not save, copy, download, transfer, disclose or broadcast this information. \n  * You agree not to process any personal data to which you, directly or indirectly, have incidental access and/or may know information which implies access to personal data except for the purpose of communicating it to Inditex. In this case, it will be done with the utmost confidentiality, in compliance with the principles established in the data protection laws and regulations, and solely for the purposes set forth in this Policy, and in particular the storage limitation and integrity and applying the necessary technical and organizational security measures. \n* Act in good faith. You should report the vulnerability to us with no conditions attached.\n* You agree not to access, download, or modify data residing in an account that does not belong to you.\n* You have not exploited or used in any manner and will not exploit or use in any manner (other than for the purposes of reporting to Inditex), the discovered vulnerabilities.\n* You have not engaged, and will not engage, in testing/research of systems with the intention of harming Inditex, its customers, employees, partners or suppliers.\n* You have not used, misused, deleted, altered, or destroyed, and will not use, misuse, delete, alter, or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered.\n* You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service, or resource-exhaustion attacks or unsolicited mail.\n* You are not authorized to attack any device or account other than your own.\n* You have not tested, 
and will not test, the physical security of any property, building, plant, or factory of Inditex.\n* You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the Inditex product or service that led to your report.\n* You agree not to disclose to any third party any information related to your report, the vulnerabilities reported, nor the fact that a vulnerability has been reported to Inditex.\n* You agree not to test in a manner that would degrade or affect the operation of any Inditex systems or compromise the privacy and security of our customers. You shall not test in a way that disturbs or corrupts Inditex operations or services.\n* You agree not to post, transmit, upload, link to, send, or store any malicious software.\n* You agree not to breach third party intellectual property rights.\n* Inditex does not guarantee that you will receive any response from Inditex related to your report. Inditex will only contact you regarding your report if Inditex deems it necessary.\n* You agree not to disclose any vulnerability without express written consent from Inditex.\n* You agree to submit vulnerabilities using the form included in this website.\n* You agree not to use your relationship with Inditex for marketing or financing activities.\n* You agree to destroy/delete any information regarding the vulnerability once it has been communicated to Inditex.\n* Inditex may use your report for any purpose deemed relevant by Inditex, including without limitation, for the purpose of correcting any vulnerabilities that are reported and that Inditex deems to exist and to require correction. 
Should you propose any changes and/or improvements to an Inditex product or service in your report, you agree that you are submitting an “unsolicited idea submission” which shall be subject to the specific terms and conditions described in the Scope section of this Policy.\n* Inditex reserves all its legal rights in the event of noncompliance with this Policy, but in accordance with its safe harbor policy it does not intend to pursue civil or criminal legal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.\n* You acknowledge and agree that Inditex accepts no responsibility or liability for the participation of any other party (if applicable) in the verification process or otherwise related in any manner to this page and its aim. Inditex is not responsible for reporters’ liabilities arising from actions performed against third parties. Inditex cannot authorize any activity on third parties’ products or guarantee that they will not pursue legal action against reporters.\n* You represent and warrant that the unsolicited idea submissions and the reports you deliver to us do not infringe upon any third parties’ rights, including, without limitation, intellectual property rights.\n\n## How to report Vulnerabilities\n\nWe encourage security researchers and reporters to share the details of any suspected vulnerabilities with Inditex. Your submission will be reviewed and validated to determine if the finding is valid and has not been previously reported. The preferred method for contacting Inditex regarding such vulnerabilities is by using the form present on this page. The form spares reporters from spending valuable time and resources looking for the appropriate contact. 
By submitting it you confirm that you have read, understood, and agree to the terms and conditions of this Policy.\n\nWe require security researchers to include detailed information with steps for us to reproduce the vulnerability. If you identify a valid security vulnerability in compliance with this Policy, Inditex commits to working with you to understand and validate the issue and address the risk (if deemed appropriate by Inditex).\n\nInditex highly appreciates the efforts made by the reporting party in identifying the vulnerability. Reporting such vulnerabilities as soon as they are detected will contribute to improving the security and reliability of our services. \n\n* Supplying your contact information with your report is entirely voluntary and at your discretion.\n* Inditex will make use of all reports that are submitted; both those submitted anonymously and those with contact information.\n* If you do submit your contact information, the data controller will be _Industria de Diseño Textil, S.A. (Inditex, S.A.)_, with postal address _Avda. de la Diputación, Edificio Inditex, 15143, Arteixo (A Coruña), España_, which will only use such information to contact you to clarify the details of your report, if necessary, and for any other management tasks related to the report. The legal basis for the data processing is the execution of the conditions established in this Policy. We may share your contact information with service providers and collaborators that give us support with the management and the execution of this Policy. You may contact the data protection officer through the email address dataprotection@inditex.com, and contact the data controller at the same email address to exercise your data protection rights, including the reference “Vulnerability Disclosure Policy”, and for further information about the processing of your personal data. 
Your contact information will be stored for as long as it is necessary for the above-mentioned purpose and to comply with legal obligations. Likewise, we inform you that you have the right to file a complaint with the competent data protection supervisory authority (https://www.agpd.es/portalwebAGPD/index-ides-idphp.php).\n\nApart from the above, as part of your disclosure please provide the following information:\n\n* Solid and adequate evidence to prove the existence of the vulnerability (screenshot, link, etc.)\n* Timeline or other information about when the vulnerability was discovered.\n* Any type of information deemed necessary to identify, locate and resolve the vulnerability in the fastest and most efficient way possible.\n\n#Legal\n\nInditex reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. You can [subscribe](https://docs.hackerone.com/hackers/manage-notifications.html#program-notifications) to receive email notifications when this policy is updated.\n\n#F.A.Q.\n\n1. Can I get Inditex swag?\n*Inditex Bounty does not currently offer swag*\n\n2. What language can I use for my report?\nFeel free to write your report in (ES) 🇪🇸 / (ENG) 🇬🇧.\n\n3. Can Inditex provide me with a pre-configured test account?\n*This program does not provide credentials or any special access*\n\n4. [What is required when submitting a report](https://docs.hackerone.com/hackers/submitting-reports.html)?\n\n5. [How do I make my report great?](https://docs.hackerone.com/hackers/quality-reports.html)\n\n6. [I submitted a report. Now what? I have questions.](https://www.hackerone.com/blog/how-bug-bounty-reports-work)\n\n7. [What causes a report to be closed as Informative, Duplicate, N/A, or Spam?](https://docs.hackerone.com/hackers/report-states.html)\n\n8. 
What is an example of an accepted vulnerability?\n*Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program’s specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-09-05T15:32:06.137Z"}]