Vulnerability Disclosure Policy (VDP)   

Coop GrouP Switzerland

Introduction and objective of the VDP

Have you discovered a vulnerability? We appreciate any reports of vulnerabilities in our digital resources! Reports from bug bounty hunters are very valuable to us and play an important role in our ongoing process of improving our security.

This Vulnerability Disclosure Policy (VDP) establishes the basic rules for transparent and trusting cooperation so that we can fix security vulnerabilities together in a responsible manner.

Scope of application

This policy applies to all publicly accessible digital systems operated, managed, or maintained by theCoop group. Please only consider the systems and resources that are within our direct control (see AS48038). 

Services and infrastructures operated by third parties, for which Coop is not directly responsible, are not covered by this policy. If you discover vulnerabilities in such systems, we encourage you to report them to the relevant provider or authority.  If reports of vulnerabilities from third-party providers are nevertheless reported via this channel, we intend to forward them to the responsible parties.

Our commitment

When working with Coop under this policy, you can expect the following: 

• A confirmation of receipt and response to your report. 

• A cooperative attitude to understand and validate your report.

• An open dialog to discuss issues. 

• A notification once the vulnerability has been fixed. 
• Recognition of your contribution for valid security vulnerabilities (e.g., invitation to private programs).
• A guarantee of legal safety for your research.

Our expectations

As part of our vulnerability reporting program, we expect you follow the rules of this policy:

• Report any discovered vulnerability immediately. 
• Maintain the confidentiality of details of discovered vulnerabilities. 
• Only use this official reporting channel to disclose vulnerabilities to us.
• Only use test accounts that you own.
• Only access the minimum amount of data required for an effective proof of concept. 
• Destroy all acquired data after completing the test.
• Do not exploit or use discovered vulnerabilities in any way except for the purpose of reporting them to us. 
• Do not violate the privacy of others, interfere with our systems, destroy data, or damage the user experience. 
• Do not publicly disclose vulnerabilities without coordinating with us.
• Do not violate any applicable laws (other than those relating to general pentesting).

Non-permitted research activities

Any actions that could adversely affect our systems, our business, our data, or our customers' data are expressly prohibited (non-exhaustive list): 

• Phishing and spam

• Unlimited brute force attacks

• Denial of service attacks (DoS/DDoS)

• Reading, modifying, or destroying data or information that does not belong to you.

• Any form of physical or electronic attack on our personnel, property, buildings, or infrastructure. 

• Social engineering against our employees, customers, or contractors. 

## Reporting process and communication protocol

If you identify a vulnerability in one of our systems, we ask you to report it via our official channels. In cooperation with Coop, YesWeHack provides an encrypted web portal for the submission of vulnerability reports.  

We ask that vulnerabilities are not communicated via public forums or social media to minimize the risk of unintentional disclosure. You should provide detailed information about the vulnerability, including a technical description, the affected service or product, and if possible, a proof-of-concept. Reports from automated tools should not be submitted without prior verification.  

Coordinated vulnerability disclosure (CVD)

Coop appreciates your efforts to identify vulnerabilities and report them responsibly so that they can be fixed. Our policy permits the disclosure of vulnerability information under the following conditions of the Coordinated Vulnerability Disclosure (CVD) policy: 

• You may not disclose the vulnerability until Coop has confirmed that the vulnerability has been fixed and has declared the disclosure acceptable. 

• No specific details of the issue may be published until Coop has reviewed and approved it. 

Legal Aspects

All activities conducted in accordance with this policy are considered authorized conduct and Coop will not take legal action against you. If a third party takes legal action against you in connection with activities conducted under this policy, we will take steps to publicize the fact that your actions were conducted in accordance with this policy.