MediaMarktSaturn Retail Group looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Please report us, if you find a security bug in the scope of our program in accordance with the rules below. Thank you in advance for your contribution!
MediaMarktSaturn Retail Group will make a best effort to meet the following
Response Targets for hackers participating in our program:
• Time to first response (from report submit) - 5 business days
• Time to triage (from report submit) - 10 business days
We’ll try to keep you informed about our progress throughout the process.
Before you take any action in order to discover any security bug please note that, testing our systems may be seen as a criminal offence by the competent authorities. You should therefore keep in mind that our rules do not supersede any applicable laws. However, we are not going to report you to the authorities, if you obey the following rules and in case we are not required to do so by applicable laws. Although we appreciate your effort in improving our security we do not want our customers to be affected by any of your actions. In particular we want you to strictly comply with the following Do’s and Don’ts:
• Please provide detailed reports with reproducible steps.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• Violate any laws (including at least German and European law and any laws
applicable in your country).
• Access or change accounts of other MediaMarkt/Saturn customers;
• Change or create more accounts on MediaMarkt.de than necessary for the test;
• Damage or change our systems;
• Compromise the availability of our services (e.g. Denial of Service);
• Run automated scanning
• Scan the infrastructure of our host-provider “Nexinto”
• Scan any other mediamarkt domains, despite the both German domains listed explicity bellow;
• Scan any Subdomains of the scope-domains (e.g. fotoservice.saturn.de, gws.mediamarkt.de, int1-handytarife.saturn.de, etc.);
• Use any social engineering techniques to access our systems or reach to MediaMarktSaturn employees;
• Test of the integrated White Label Shops of our partners, which include:
Juke.com / Juke.de; mypeaq.de; redblue.de;
• Reveal any private data to third parties or to the public;
• MediaMarktSaturn does not permit reports to be publicly disclosed;
When reporting vulnerabilities, please consider (1) attack scenario /
exploitability, and (2) security impact of the bug. The following issues are
considered out of scope:
• Clickjacking on pages with no sensitive actions.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Please report vulnerabilities for these domains only
• www.mediamarkt.de __
• www.mediamarkt.at __
• www.mediamarkt.com.tr __
• www.mediamarkt.be __
• www.mediamarkt.es __
• www.mediamarkt.gr __
• www.saturn.de __
• www.saturn.at __
• www.ibood.com __
MediaMarktSaturn run a Vulnerability Disclosure Program and will reward
researchers with reputation points for valid vulnerabilities. We may modify
the terms of this program or terminate this program at any time. We won’t
apply any changes we make to these program terms retroactively.
Thank you for helping keep MediaMarktSaturn Retail Group and our users safe!
Contact us if you want more information.