About

Decathlon

At Decathlon, we are convinced that sport is a source of pleasure and well-being! We are sportsmen and sportswomen, passionate about giving the best service to you. In store or online, we have the same goal : to supply the best products for the lowest prices.

Decathlon Digital Team believes that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.

Program Rules

Testing Policy, Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Make sure to apply hunting requirements policy.
• Denial of service (DoS) attacks on Decathlon applications, servers, networks or infrastructure are strictly forbidden.
• Avoid tests that could cause degradation or interruption of our services.
• Do not use automated scanners or tools that generate large amount of network traffic
• Do not leak, copy, manipulate, or destroy any user data or files in any of our applications/servers.
• No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security of Decathlon, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• The report must contain the following elements:
  • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Decathlon, and remediation advice on fixing the vulnerability
  • Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
  • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• You must not break any of the testing policy rules listed above
• You must not be a former or current employee of Decathlon or one of its contractors.

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Complements about our scopes

Decathlon Scope

Since a bug in the web application may be present in multiple domains, we may count those as informative if reported on several domains of the same scope.

Context and instructions for your research

Please read carefully the list of non-qualifying vulnerabilities before starting your research. We won't reward any out of scope vulnerability in this program by default. Instead, you may submit it in our vulnerability disclosure program located here.

B2C eCommerce solution

At Decathlon, we use multiple B2C web application solutions:

• The first one is still active in 5 in-scope country domains, and is a complex application with monolithic parts, several back-office APIs and a Svelte-based front part. While the structure is the same for each of our international websites, some contents may vary depending on local business needs and requirements.
• The second one (and the most recent) is deployed in multiple countries. This solution is composed of 3 Svelte-based front-end applications that interact with new back-end APIs.

Decathlon Shopping App

The Android and IOS apps come with several APIs that are also designed as back for front servers (BFF). You will find the list of new scopes below:

Advice for IOS app: please make sure you are testing the right application as there are other IOS Shopping apps managed by other countries.

Some assets under surveillance in our program rely on the same code base. If you find the exact same vulnerability on multiple webpages of the same kind (ex: store..), please report them once and all in a single report. We will, on a case-to-case basis, consider increasing the amount of the bounty accordingly.