Vulnerability Disclosure Program

Hy-Vee, Inc.(“Hy-Vee”) is a Midwestern grocery retailer with more than 275 stores across Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

Hy-Vee’s Security Team is committed to protecting our users and their personal information.

We encourage security researchers to work with us to find and mitigate security vulnerabilities in order to keep our businesses and customers safe. If you think you've found a vulnerability in one of our on our web sites or within our mobile apps, we kindly ask you that you disclose it to us as soon as possible in a responsible manner consistent with this Vulnerability Disclosure Program. We will investigate your report and respond to you as soon as possible. We look forward to working with you to resolve the issue.

Our Ask

• Report the suspected vulnerability as soon as it is discovered.

• Provide detailed reports with reproducible steps.

• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

• Do not disclose the vulnerability to others until it has been resolved and until Hy-Vee has provided its express consent to the disclosure.

• Do not exploit or abuse the vulnerability discovered.

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Our Commitment

• We will promptly acknowledge the receipt of your vulnerability report

• We will provide an estimate when the issue will be fixed.

• We will notify you when the issue has been remediated.

• We will publicly acknowledge your responsible disclosure only after the issue is resolved if you provide consent.

Out of Scope Vulnerabilities and Attacks

• Social engineering (e.g. phishing, vishing, smishing)

• Clickjacking on pages with no sensitive actions

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Comma Separated Values (CSV) injection without demonstrating a vulnerability.

• Missing best practices in SSL/TLS configuration.

• Any activity that could lead to the disruption of our service (DoS).

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Rate limiting or bruteforce issues on non-authentication endpoints

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Tabnabbing

• Open redirect - unless an additional security impact can be demonstrated

• Issues that require unlikely user interaction

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

Thank you for helping keep Hy-Vee and our users safe!