Reward
Program
Hacktivity
About
Decathlon
At Decathlon, we are convinced that sport is a source of pleasure and well-being! We are sportsmen and sportswomen, passionate about giving the best service to you. In store or online, we have the same goal : to supply the best products for the lowest prices.
Decathlon Digital Team believes that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.
Program Rules
Testing Policy, Responsible Disclosure
Please adhere to the following rules while performing research on this program:
- Make sure to apply hunting requirements policy.
- Denial of service (DoS) attacks on Decathlon applications, servers, networks or infrastructure are strictly forbidden.
- Avoid tests that could cause degradation or interruption of our services.
- Do not use automated scanners or tools that generate large amount of network traffic
- Do not leak, copy, manipulate, or destroy any user data or files in any of our applications/servers.
- No vulnerability disclosure, full, partial or otherwise, is allowed.
Reward Eligibility
We are happy to thank everyone who submits valid reports which help us improve the security of Decathlon, however only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- The report must contain the following elements:
- Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and Decathlon, and remediation advice on fixing the vulnerability
- Proof of exploitation: screenshots demonstrating the exploit was performed, and showing the final impact
- Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
- You must not break any of the testing policy rules listed above
- You must not be a former or current employee of Decathlon or one of its contractors.
Reward amounts are based on:
- Reward grid of the report's scope
- CVSS scoring and actual business impact of the vulnerability upon performing risk analysis
Complements about our scopes
Decathlon Scope
Since a bug in the web application may be present in multiple domains, we may count those as informative if reported on several domains of the same scope.
Context and instructions for your research
Please read carefully the list of non-qualifying vulnerabilities before starting your research. We won't reward any out of scope vulnerability in this program by default. Instead, you may submit it in our vulnerability disclosure program located here.
B2C eCommerce solution
At Decathlon, we use multiple B2C web application solutions:
- The first one is deployed in the majority of in-scope country domain, and is a complex application with monolithic parts, several back-office APIs and a Svelte-based front part. While the structure is the same for each of our international websites, some contents may vary depending on local business needs and requirements.
- The second one (and the most recent) is deployed in 6 countries. This solution is composed of 3 Svelte-based front-end applications that interact with new back-end APIs.
Some assets under surveillance in our program rely on the same code base. If you find the exact same vulnerability on multiple webpages of the same kind (ex: store..), please report them once and all in a single report. We will, on a case-to-case basis, consider increasing the amount of the bounty accordingly.
Reward
Asset value | CVSS | CVSS | CVSS | CVSS |
---|---|---|---|---|
€50 | €500 | €1,000 | €2,500 |
Scopes
Scope | Type | Asset value | Expand rewards grid |
---|---|---|---|
https://www.decathlon.(be|ch|es|fr|hu|pl|pt|ro|cz|com.tr)/ | Web application | ||
Low Medium High Critical | |||
https://www.decathlon.(co.uk|it|nl|de|pt|es)/ | Web application | ||
Low Medium High Critical |
Out of scopes
- All domains and subdomains not listed in-scope
Vulnerability types
Qualifying vulnerabilities
- Remote code execution (RCE)
- Code injections (SQLi, XXE..)
- Cross-Site Scripting (XSS)
- Medium or higher-severity Cross-Site Requests Forgery (CSRF) (CVSS score > 3.9)
- Open redirect
- Authentication bypass & broken authentication
- Business logic vulnerability with real security impact
- Insecure direct object references (IDOR)
- CORS with real security impact
- Horizontal and vertical privilege escalation
- Clickjacking/UI redressing
- Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
- Private or misconfigured API keys (except Woosmap API keys)
- Recently disclosed 0-day vulnerabilities
- Reports with attack scenarios requiring MITM or physical access to victim's device
- Exposed secrets, credentials or sensitive information on an asset under our control and affecting at least one of our scopes
Non-qualifying vulnerabilities
- Tabnabbing
- URL/Text injections
- Missing cookie flags
- SSL/TLS issues (e.g. expired certificates, best practices)
- Mixed content warnings
- Denial of Service attacks
- Physical or social engineering attempts of staff, contractors or customers
- Presence of autocomplete attribute on web forms
- Vulnerabilities affecting outdated browsers
- Missing security-related HTTP headers (including HSTS) which do not lead directly to a vulnerability
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- Any hypothetical flaw or best practices without exploitable PoC (includes CVEs and outdated libraries)
- Unexploitable vulnerabilities (ex: host header injection, self-XSS)
- Subdomain takeover on out of scope domains (ex: test.decathlon.fr / test.decathlon.com)
- Blind SSRF without direct impact (e.g. DNS pingback)
- Password requirements policies (length / complexity / reuse)
- Invalid or missing email security records (ex: SPF/DKIM/DMARC)
- Broken Social Media Link
- Low-severity CSRF (CVSS score < 4)
- Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
- Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
- Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
- Discrepancies between the page describing delivery options and the shipping page of the order session.
- Discrepancies between the page describing a promotion and the checkout page of the order session.
Reports of leaks and exposed credentials
In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:
Hunting requirements
Account access
Self-register
Decathlon Scope
- You can self-register wherever it is allowed.
- Please use your YesWeHack email aliases which are available here for account creation.
Hunters collaboration
When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.
For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.