Company

At Decathlon, we are convinced that sport is a source of pleasure and well-being! We are sportsmen and sportswomen, passionate about giving the best service to you. In store or online, we have the same goal : to supply the best products for the lowest prices.

Program Rules

Decathlon Digital Team believes that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.

If you believe you have found a security bug in our products or services, we appreciate your help in disclosing it to us in a responsible manner. We will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Any type of denial of service attacks is strictly forbidden.

Context and instructions for your research

Please read carefully the list of non-qualifying vulnerabilities before starting your research. We won't reward any out of scope vulnerability in this program by default. Instead, you may submit it in our vulnerability disclosure program located here.

B2C eCommerce solution

At Decathlon, we use multiple B2C eCommerce solutions:

• the first one is deployed in the majority of in-scope country domain, and is a complex application with monolithic parts, several back-office APIs and a Svelte-based front part. While the structure is the same for each of our international websites, some contents may vary depending on local business needs and requirements.
• the second one (and the most recent) is deployed in 4 countries. This solution is composed of 3 front-end applications that interact with new back-end APIs.

Rule for E-Commerce: Since a bug in the E-Commerce solution may be present in multiple domains, we may count those as informative if reported on several domains of the same scope.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Decathlon. However, please note that only those that meet the following eligibility requirements may receive a monetary reward :

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability.
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through YesWeHack platform.
• Any vulnerability found Out-Of-Scope will not be rewarded.
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about 50 requests per second and 500 requests per minute).
• You must not leak, manipulate, or destroy any user data.
• You must not be a former or current employee of Decathlon or one of its contractor.
• Reports about vulnerabilities are examined by our analysts.
• Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
• No vulnerability disclosure, including partial is allowed for the moment.

Some assets under surveillance in our program rely on the same code base. If you find the exact same vulnerability on multiple webpages of the same kind (ex: store..), please report them once and all in a single report. We will, on a case-to-case basis, consider increasing the amount of the bounty accordingly.