The A.S. Watson Group is the world's largest health and beauty retail group, with over 15,700 stores in 25 markets worldwide serving over 28 million customers per week, and over 3 billion customers and members.
A.S. Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe. As we operate in many different countries, we will be rolling out our bug bounty program in phases. Our main focus within this rollout is our retail websites (and, in the near future, our mobile apps on both Android and iOS).
We are currently starting out with one of our most popular online retail websites, Superdrug. Over the coming months, we will be adding more websites to our HackerOne scope. At the bottom of this page you can see which websites are currently in scope.
Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that an issue found on one asset might also apply to another asset (if this is the case, it will be displayed in the asset description). Such findings will be regarded and treated as a single issue.
Our websites are always under development and have new releases on a regular basis. These releases sometimes introduce new functionality (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these.
A.S. Watson Group will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | SLA (business days) |
|---|---|
| First Response | 2 |
| Time to Triage | 2 |
| Time to Bounty | 14 |
| Time to Resolution | Depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.
• Follow HackerOne's disclosure guidelines.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• Avoid sending more requests than required to prove a vulnerability (e.g. there is no need to request multiple one-time passwords).
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug.
The following issues are considered out of scope:
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• CSRF issues that do not lead to account theft (e.g. adding products to a cart/wishlist is out of scope).
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without a demonstrated attack vector, or without the ability to modify HTML/CSS.
• User enumeration (through account creation, account update, authentication, newsletter subscription and forgotten-password flows).
• Brute force on login, e-gift cards, promo codes, vouchers and user account registration.
• Forgot-password tokens leaked to third parties.
• Exported components without permission protection.
• Sensitive information present in clear text in a memory dump.
• Insecure data storage (exception: bounty capped at Low if the stored data contains passwords).
• No session timeout.
• Lack of root detection.
• Issues related to SSL certificate pinning.
• Ability to copy information to the pasteboard.
• Excessive application permissions (unless exploitable).
• Sensitive information included in application snapshots.
• Lack of code obfuscation.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep A.S. Watson Group and our customers safe!
| Scope Type | Scope Name |
This policy was crawled by Onyphe on 2020-07-29 and is categorized as bounty.