Here at Costco, we have a very straightforward but important mission: to continually provide our members with quality goods and services at the lowest possible prices.
We respect and care deeply about the data security and privacy of our members, employees and partners. We welcome the security researcher community to share details of any suspected vulnerabilities in our systems and e-commerce platforms in a responsible manner.
If you believe you have found a qualifying security vulnerability in our in-scope e-commerce platform or systems, please submit a report in accordance with HackerOne's Vulnerability Disclosure Guidelines. We value the positive impact of your work and thank you in advance for your contribution.
Costco makes a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 1 day |
| Time to Triage | 10 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Costco.
- Follow HackerOne's vulnerability disclosure guidelines.
- Provide as much information as possible about the potential issue you have discovered. The more information you provide, the quicker Costco will be able to validate the issue.
- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
All of the following conduct is prohibited:
- Any attack that could harm our services, including launching denial of service attacks (DDoS), spam, pyramid schemes, or the deployment or use of any other malicious software or technology.
- Accessing, downloading, or modifying data residing in an account that does not belong to you. Test accounts under your control are permitted. Testing must not disrupt or compromise any data or data access that is not yours.
- Non-technical attacks such as social engineering or phishing.
- Accessing Costco's infrastructure.
- Attacking our end users in any way, or engaging in the trade of stolen user credentials or other information.
- Automated/scripted testing of web forms, including "Contact Us" forms that are designed for customers to contact our support team.
- Social engineering (e.g. phishing, vishing, smishing).
All of the following activities are out of the scope of this program:
- Testing third-party applications, websites, or services that integrate with or link to Costco properties.
- Physical security of Costco facilities, employees, equipment, etc.
- Attacks requiring physical access to a user's device.
- API keys found in our mobile applications.
- Forms missing CSRF tokens (we require evidence of an actual CSRF vulnerability).
- Login/logout CSRF.
- Password and account recovery policies, such as reset link expiration or password complexity.
- Missing security headers which do not lead directly to a vulnerability.
- Clickjacking without an impact.
- Content spoofing / reflection / injection (on 404 pages, search result pages, etc.) unless it executes code.
- Known-vulnerable library (without evidence of exploitability).
- Certain reports of spam.
- Certain SPF and DKIM issues.
- Low impact host header issues.
- Hard to exploit SSL/TLS protocol vulnerabilities.
- Best practice concerns will be reviewed, but in general we require evidence of a vulnerability.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
- Brute force of promo codes.
- Reflected file download.
- CSV formula injection.
- Email enumeration.
- Cookie and logout policies.
We do not intend to assert claims under computer abuse laws for activities conducted in a manner consistent with this policy. We cannot bind third parties or authorize activities on third party products, but if legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Costco and our members safe!
| Scope Type | Scope Name |
| ------------- | ------------- |
| android_application | com.costco.app.android |
| ios_application | 535509415 |
| web_application | *.costco.com |
| web_application | *.costcobusinessdelivery.com |
| web_application | *.costcobusinesscentre.ca |
| web_application | *.costco.ca |
| web_application | *.costcotravel.com |
| web_application | *.costcotravel.ca |

| Scope Type | Scope Name |
| ------------- | ------------- |
| web_application | signin.costco.com |
This policy was crawled by Onyphe on 2022-01-20 and is sorted as bounty.
FireBounty © 2015-2024