Colruyt is a family business from Lembeek, in the province of Flemish Brabant, and was founded more than 80 years ago. Today, the small company has developed into a family of companies: the Colruyt Group. It is a flourishing player, active in 4 countries with numerous retail formulas.

Initially, the supermarket Colruyt was the parent company for all the new store formulas (DreamLand, OKay, Bio-Planet, etc.). As these companies also grew into mature companies in the course of time, they felt the need to become self-sufficient. Colruyt is no longer the supporting cradle, but a sister amongst sisters. And Colruyt Group is today a family of equal sister companies.

IMPORTANT: The websites Colruyt, Dreamland, Dreambaby and Collishop partially share the same codebase. They can contain common issues. If a specific issue has already been found in another one of these websites, it will be treated as a duplicate for this one.
We do not accept any kind of brute-forcing attacks on forms.
All XTRA services are out of scope in this project.
The XSS in the search bar on colruyt.be is a known issue, please don't report this, since this will be marked as duplicate.
General
* Best practices concerns
* Highly speculative reports about theoretical damage. Prove it and be concrete.
* DDoS or any kind of brute-forcing attacks
* Publicly accessible login panels
* Reports that state that software is out of date/vulnerable without proven exploitable risks
* Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue in the context of our tool
* Physical or social engineering attempts (this includes phishing attacks against employees)

Infrastructure
* Open ports without an accompanying proof-of-concept demonstrating vulnerability
* Recently disclosed 0-day vulnerabilities in commercial products where no patch or only a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.
* Weak SSL configurations and SSL/TLS scan reports (this means output from sites such as SSL Labs)
* Missing SPF, DKIM or DMARC records
All our rewards are impact based, therefore we kindly ask you to carefully evaluate a vulnerability's impact when picking a severity rating. To give you an idea of what kind of bugs belong in a certain severity rating we've put some examples below. Note that depending on the impact a bug can sometimes be given a higher/lower severity rating.
We are aware of the self-XSS in the search bar on colruyt.be; please don't report this.
Guidelines
* Provide detailed but to-the-point reproduction steps
* Include a clear attack scenario; a step-by-step guide in the PoC is highly appreciated
* Abide by the "Colruyt Policy for investigation of security problems" set of rules
* Please do NOT discuss bugs before they are fixed (including PoCs on YouTube and Vimeo)
Contact us if you want more information.