The Vulnerability Disclosure Program provides a method for the security research community to engage with GameStop to identify and remediate discovered critical, high, and significant vulnerabilities in our systems. We look forward to working with these highly trained researchers to keep our resources and information secure. This disclosure policy protects both GameStop and researchers while providing a method to reduce vulnerabilities across GameStop.
All assets owned by GameStop are in scope for this program. This includes all GameStop-owned entities, such as GameInformer.com, Micromania.fr, EBGames and the GameStop international brands.
Discovered vulnerabilities are evaluated based on their known or demonstrated criticality and risk to GameStop. The following vulnerabilities are considered out of scope.
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Missing best practices in SSL/TLS configuration
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
Rate limiting or brute-force issues on non-authentication endpoints
Missing best practices in Content Security Policy
Missing HttpOnly or Secure flags on cookies
Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 versions behind the latest released stable version)
Software version disclosure, banner identification issues, and descriptive error messages or headers (e.g. stack traces, application or server errors)
Tabnabbing
Open redirect, unless an additional security impact can be demonstrated
Issues that require unlikely user interaction
Social engineering
Interaction with stores, store assets, store associates, or customer care associates
To participate in this program and submit vulnerabilities you must adhere to the following:
Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the vulnerability, it may not be considered.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only consider the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Stores, store assets, store associates, and customer care associates should not be leveraged as part of a vulnerability or proof of concept.
Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Respect privacy and make a good faith effort not to access or destroy another user's data.
Be patient and make a good faith effort to clarify and support your reports upon request.
Do no harm. Act for the common good through the prompt reporting of all found vulnerabilities. Never willfully exploit others without their permission.
GameStop, in turn, commits to the following:
Prioritize security and make a good faith effort to resolve reported security issues in a prompt and transparent manner.
Respect researchers and give them public recognition for their contributions.
Do no harm and do not take unreasonable punitive actions against researchers, such as making unwarranted legal threats or improperly referring matters to law enforcement. Build trust, not division.
Activities that are compliant with this program/policy will not result in unwarranted legal action against you by GameStop. If legal action is initiated by a third party against you in connection with activities conducted under this policy, GameStop will take steps to make it known, as applicable and appropriate, whether your actions were conducted in compliance with this policy. Actions taken outside the scope of this program are excluded from this acknowledgement.
FireBounty crawled the GameStop program on the HackerOne platform on 2022-06-21.
FireBounty © 2015-2025