DPD encourages the responsible disclosure of security vulnerabilities through our Security Reports Email Address.

Rules

Rules for You

• Do not attempt to gain access to another user’s account or data.

• Do not attempt to attack our services or data. DDoS/spam attacks are not allowed.

• Do not publicly disclose the bug before it has been fixed.

• Do not use scanners or automated tools.

• Do not attempt to use social engineering or other non-technical attacks.

• In your submission please give us steps to reproduce and how the bug could be exploited.

Rules for Us

• We will respond as quick as possible.

• We will keep you updated as we work to fix the bug.

• We will not take legal action against you as long as you play by the rules.

Exclusions

• Bugs in third party services that we do not operate. This includes the help desk and other services we integrate with.

• Bugs that affect legacy browsers, browser plugins, or unlikely user interaction.

• Scripting, automating, or other brute force attacks.

• Vulnerabilities that we determine are an acceptable risk.

• Missing security headers which do not lead directly to a vulnerability.

• Self-XSS (we require evidence on how the XSS can be used to attack another DPD user).

• XSS on any site other than *.getdpd.com. For example, the help desk (dpd.zendesk.com and support.getdpd.com) and the chat window are out of scope.

• XSS on *.dpdcart.com originating from vendor input. (The vendor has full control over their cart and is allowed to include JavaScript.)

• Reports from automated tools or scans.

• Missing cookie flags on non-sensitive cookies.

• Lack of CSRF tokens on insensitive forms.

• Password, email and account policies, such as email id verification, reset link expiration, password complexity.

• Missing best practices that do not directly lead to a security vulnerability.

As a Thanks

For valid issues that have not been previously reported we will list you below in our “hall of fame” for security reports.

We may also, at our discretion, give out cash bounties for severe security issues that are responsibly reported.

Acknowledgements

DPD would like to thank the following for responsibly disclosing a security vulnerability in the website.

These people followed the above rules and were the first to responsibly report a vulnerability.

• Adeel Imtiaz @adeelimtiaz90

• Deepanker Chawla @deepankerchawla

• Abdul Haq Khokhar @Abdulhaqkhokhar

• Manikandan Rajakumar @Mani22cars

• Nicodemo Gawronski

• Roman Mironov @snow_crash_

• Jayvardhan Singh @Silent_Screamr

• Nitin Goplani @nitingoplani88

• Hadji Samir @vuln_lab

• Muhammad Uwais