In this microblog we will keep you updated on the latest changes/additions to our public bounty program. For a detailed scope, please see the bottom of our policy page.
• 19th of Jul - We added the subdomains of The Perfume Shop to our tier 3 bounty table!
• 14th of Jul - A redesigned version of the PARKnSHOP website/app has been released and is now in Tier 1! The new version is still on SAP Hybris, but the frontend technology for the website is based on the Spartacus framework (Angular).
• 4th of Jul - New assets: the retail mobile apps (Android and iOS) of PARKnSHOP, Watsons, MoneyBack and Fortress are in the bounty table!
• 22nd of Jun - A redesigned version of the Superdrug website/app has been released! The new version is still on SAP Hybris, but the frontend technology for the website is based on the Spartacus framework (Angular).
• 26th of May - The latest iOS and Android mobile builds of Watsons have been updated!
• 24th of May - Our Promotional Tier has been upgraded to the Hacker Achievements awards!
• 23rd of May - We revised the scope of the program. Watsons and Marionnaud have been moved to the Tier 1 list!
• 5th of May - We are now accepting reports on Subdomains for ICI Paris XL (Tier 3)!
• 20th of Apr - New Asset: MoneyBack in the Tier 1 bounty table and Watsons in the Tier 2 bounty table!
• 6th of Apr - We are now accepting reports for Marionnaud perfumeries. We also added kruidvat.be subdomains to scope and removed the country restrictions for ICI Paris XL and Kruidvat.
• 8th of Mar - We are now accepting reports for subdomains on Kruidvat and Superdrug according to our tier 3 bounty table!
• 16th of Feb - Fortress is now in Promotion Tier!
• 2nd of Nov - ParknShop is now in Promotion Tier!
• 27th of Oct - The latest iOS build of the Fortress mobile apps has been updated!
• 5th of Oct - Fortress is now in Promotion Tier!
• 4th of Oct - We added the Custom Header feature to our policy page!
• 28th of Sep - Superdrug assets are now in Promotion Tier until the end of October, during which we are offering increased bounties!
• 20th of Sep - We are now accepting reports on our Kruidvat retail mobile app!
• 18th of Aug - Kruidvat & ICI Paris XL NL are now in Tier 1!
• 18th of Aug - We now offer 3K bounties for critical reports on Tier 2 assets!
• 22nd of July - Our Dutch perfumery website, ICI Paris XL NL has been added to our Tier 2 scope!
• 28th of May - We added our ParkNShopMobile application to our scope, eligible for Tier 2 rewards!
• 26th of May - We added our Dutch Kruidvat website to our scope. We also restructured our bounty model into a tiered version. Superdrug and ThePerfumeShop are now eligible for Tier 1 rewards!
• 24th of March - Let us know how we are doing: https://forms.gle/TrocgqV9dETbG4hu7
The A.S. Watson Group is the world's largest health and beauty retail group, with over 15,700 stores in 25 markets worldwide serving over 28 million customers per week, and over 3 billion customers and members.
A.S. Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. As we operate in many different countries, we will be rolling out our bug bounty program in phases. Our main focus within this rollout is our retail websites (and, in the near future, mobile apps on both Android and iOS).
Over the course of the next months, we will be adding more websites to our HackerOne scope. In our Microblog at the top of this page, you can see when we have added our latest assets. A more detailed scope can be found at the bottom of this page.
Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues found on one asset might also apply to another asset (if this is the case, it will be displayed in the asset description). Such findings will be regarded and treated as a single issue.
Our websites are always under development and have new releases on a regular basis. These new releases sometimes introduce new functionality (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these.
We invite our community to participate in our special achievements, with the below awards and bonuses up for grabs!
Once you've accomplished one of the achievements, make sure to let us know so we can review and award the necessary bonuses! We're relying on you to tell us!
Multiple hackers can earn each achievement, but each hacker can earn a given achievement only once.
Reports submitted after 24th May 2022 will be eligible for the awards.
| Achievement | Bonus | Hacker |
|---|---|---|
| Deep Focus - Submit 5 valid reports on one asset | $555 | TBA |
| X$$$$$$ - Submit 6 valid cross-site scripting vulnerabilities | $666 | TBA |
| Lucky 7s - Submit 7 consecutive valid reports | $777 | TBA |
| OR report=valid - Submit one valid SQL Injection | $888 | TBA |
| Distant Detonation - Submit one valid Remote Code Execution | $999 | TBA |
| Your Data is My Data - Submit one valid Mass Customer Data Exfiltration vulnerability | $1111 | @Alp |
A.S. Watson Group will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response | 2 days |
| Time to Triage | 2 days |
| Time to Bounty | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.
• Follow HackerOne's disclosure guidelines.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
• Avoid sending more requests than required to prove a vulnerability (e.g. no need for multiple one-time passwords).
| | Vulnerability | Severity Range |
| -- | ------------- | ------------- |
| 1 | Remote Code Execution | Critical |
| 2 | SQL Injection | High - Critical |
| 3 | XXE | High - Critical |
| 4 | XSS | Medium - High |
| 5 | Server-Side Request Forgery | Low - Critical |
| 6 | Authentication/Authorization Bypass (Broken Access Control) | High |
| 7 | Privilege Escalation | High |
| 8 | Insecure Direct Object Reference | Medium - Critical |
| 9 | Misconfiguration | Low - High |
| 10 | Web Cache Deception | Low - High |
| 11 | CORS Misconfiguration | Low - Medium |
| 12 | Cross Site Request Forgery | Low - High |
| 13 | Open Redirect | Low - Medium |
| 14 | Information Disclosure | Low - High |
| 15 | Mixed Content | Low |
Vulnerabilities not in the above list will be evaluated case by case.
There is a possibility that traffic generated by researchers can be categorized as malicious. Providing additional information allows us to identify your traffic. Researchers who are willing to put this information in their test traffic and provide it in a report will be taken into consideration for a small reward. This can be done by adding the following header to your requests/tools:
X-HackerOne-Research: username
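From the defender's side, the header above only helps if the log pipeline keys on it. The following is an added example, not code from A.S. Watson or HackerOne: it assumes an nginx-style access log format that appends the header value (nginx's `$http_x_hackerone_research`) as a final quoted field, assumes a username shape the page does not define, and separates researcher traffic from unlabelled traffic and from lines whose tag is not a plausible username, flagging researchers whose request volume exceeds a threshold.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed nginx log_format that appends the
# X-HackerOne-Research header value as the last quoted field; "-" means absent.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2022:10:01:02 +0000] "GET /checkout HTTP/1.1" 200 512 "alice_h1"
10.0.0.5 - - [14/Jul/2022:10:01:03 +0000] "POST /api/otp HTTP/1.1" 429 87 "alice_h1"
10.0.0.9 - - [14/Jul/2022:10:01:04 +0000] "GET /search?q=x HTTP/1.1" 200 2048 "-"
10.0.0.7 - - [14/Jul/2022:10:01:05 +0000] "GET /account HTTP/1.1" 403 0 "<script>"
10.0.0.5 - - [14/Jul/2022:10:01:06 +0000] "GET /cart HTTP/1.1" 200 300 "alice_h1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<research>[^"]*)"$'
)
# Assumed username shape; the page does not define one.
USERNAME_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(lines):
    """Split log lines into per-researcher request counts, unlabelled traffic,
    and lines whose header value is not a plausible username."""
    by_user, unlabelled, malformed = Counter(), [], []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        tag = rec["research"]
        if tag == "-":
            unlabelled.append(rec)
        elif USERNAME_RE.match(tag):
            by_user[tag] += 1
        else:
            # An implausible value gets no researcher treatment; it stays in
            # normal triage rather than being whitelisted on the tag alone.
            malformed.append(rec)
    return by_user, unlabelled, malformed

def noisy_researchers(by_user, threshold):
    """Usernames whose request count exceeds the threshold, for the policy's
    'avoid sending more requests than required' rule."""
    return sorted(u for u, n in by_user.items() if n > threshold)

if __name__ == "__main__":
    users, plain, bad = classify(SAMPLE_LOG.splitlines())
    print(dict(users), len(plain), len(bad), noisy_researchers(users, 2))
```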
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug.
The following issues are considered out of scope:
• Any activity that could lead to the disruption of our service (DoS).
• Rate limiting on OTP requests. Avoid sending a high number of OTP requests.
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• CSRF issues that do not lead to account theft (e.g. adding products to a cart/wishlist is out of scope).
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.
• User enumeration (Through Account creation, account update, authentication, newsletter subscriptions & forgotten password)
• Brute force on Login, E-gift cards, Promo codes, Vouchers, user account registration
• Forgot password token requests being leaked to third parties
• Exported components without permissions
• Sensitive information in memory dump as clear text
• Insecure data storage (Exception: bounty capped at Low if it contains password data)
• No session timeout
• Lack of Root Protection
• SSL certificate pinning related issues
• Ability to copy information to the pasteboard
• Insecure WebView Implementation (javascript) (Exception: Unless an exploit is found)
• Excessive Application Permission (Exception: Unless exploitable)
• Sensitive Information Included in Snapshots
• Lack of Code Obfuscation
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep A.S. Watson Group and our customers safe!
| Scope Type | Scope Name |
|---|---|
| other | Superdrug |
| other | The Perfume Shop |
| other | Fortress |
| other | PARKnSHOP |
| other | Superdrug (subdomains) |
| other | Kruidvat |
| other | ICI Paris XL |
| other | Kruidvat (subdomains) |
| other | Marionnaud |
| other | MoneyBack |
| other | Watsons |
| other | ICI Paris XL (subdomains) |
| other | The Perfume Shop (subdomains) |
| Scope Type | Scope Name |
|---|---|
| other | Tier 1 |
| other | Tier 2 |
| other | Promotion Tier |
| other | Tier 3 |
This policy, crawled by Onyphe on 2020-07-29, is sorted as bounty.
FireBounty © 2015-2024