avatar
Bug bounty
Public

DECATHLON

Decathlon

Reward

Bounty
Hall of fame
€50
Low
€50
Medium
€500
High
€1,000
Critical
€2,500

Program

Avg reward
-
Max reward
-
Scope
1
Supported languages
English

Hacktivity

Reports
94
1st response
< 1 day
Reports last 24h
4
Reports last week
63
Reports this month
94

Company

At Decathlon, we are convinced that sport is a source of pleasure and well-being! We are sportsmen and sportswomen, passionate about giving the best service to you. In store or online, we have the same goal : to supply the best products for the lowest prices.

Program Rules

Decathlon Digital Team believes that no technology is perfect and that working with skilled security researchers across the globe is crucial in identifying weaknesses in our technology.

If you believe you have found a security bug in our products or services, we appreciate your help in disclosing it to us in a responsible manner. We will be happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Any type of denial of service attacks is strictly forbidden.

Context and instructions for your research

Please read carefully the list of non-qualifying vulnerabilities before starting your research. We won't reward any out of scope vulnerability in this program by default. Instead, you may submit it in our vulnerability disclosure program located here.

B2C eCommerce solution

At Decathlon, we use multiple B2C eCommerce solutions:

  • the first one is deployed in the majority of in-scope country domain, and is a complex application with monolithic parts, several back-office APIs and a Svelte-based front part. While the structure is the same for each of our international websites, some contents may vary depending on local business needs and requirements.
  • (COMING SOON) the second one (and the most recent) is deployed in 4 countries. This solution is composed of 3 front-end applications that interact with new back-end APIs.

Rule for E-Commerce: Since a bug in the E-Commerce solution may be present in multiple domains, we may count those as informative if reported on several domains of the same scope.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of Decathlon. However, please note that only those that meet the following eligibility requirements may receive a monetary reward :

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through YesWeHack platform.
  • Any vulnerability found Out-Of-Scope will not be rewarded.
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about 50 requests per second and 500 requests per minute).
  • You must not leak, manipulate, or destroy any user data.
  • You must not be a former or current employee of Decathlon or one of its contractor.
  • Reports about vulnerabilities are examined by our analysts.
  • Our analysis is always based on worst case exploitation of the vulnerability, as is the reward we pay.
  • No vulnerability disclosure, including partial is allowed for the moment.

Some assets under surveillance in our program rely on the same code base. If you find the exact same vulnerability on multiple webpages of the same kind (ex: store..), please report them once and all in a single report. We will, on a case-to-case basis, consider increasing the amount of the bounty accordingly.

Reward

Asset value CVSS
Low
 CVSS
Medium
 CVSS
High
 CVSS
Critical
Medium
€50€500€1,000€2,500

Scopes

ScopeTypeAsset value
https://www.decathlon.(be|ch|es|fr|hu|pl|pt|ro|cz|com.tr)/ Web application
Medium
Low
€50
Medium
€500
High
€1,000
Critical
€2,500

Out of scopes

  • All domains and subdomains not listed in-scope

Vulnerability types

Qualifying vulnerabilities

  • Remote code execution (RCE)
  • Code/Content/Text injections (SQLi, XXE..)
  • Cross-Site Scripting (XSS)
  • Medium or higher-severity Cross-Site Requests Forgery (CSRF) (CVSS score > 3.9)
  • Open redirect
  • Broken authentication & session management
  • Business logic vulnerability with real security impact
  • Insecure direct object references
  • CORS with real security impact
  • Horizontal and vertical privilege escalation
  • Clickjacking/UI redressing
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Private or misconfigured API keys
  • Recently disclosed 0-day vulnerabilities
  • Reports with attack scenarios requiring MITM or physical access to victim's device
  • Exposed secrets, credentials or sensitive information from an in-scope asset

Non-qualifying vulnerabilities

  • Tabnabbing
  • Missing cookie flags
  • SSL/TLS best practices
  • Mixed content warnings
  • Denial of Service attacks
  • Physical or social engineering attempts of staff, contractors or customers
  • Presence of autocomplete attribute on web forms
  • Vulnerabilities affecting outdated browsers
  • Missing security-related HTTP headers (including HSTS) which do not lead directly to a vulnerability
  • Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Any hypothetical flaw or best practices without exploitable PoC (includes CVEs and outdated libraries)
  • Unexploitable vulnerabilities (ex: host header injection, self-XSS)
  • Subdomain takeover on out of scope domains (ex: test.decathlon.fr / test.decathlon.com)
  • Blind SSRF without direct impact (e.g. DNS pingback)
  • Password requirements policies (length / complexity / reuse)
  • Invalid or missing email security records (ex: SPF/DKIM/DMARC)
  • Broken Social Media Link
  • Session expiration policies (no automatic logout, invalidation after a certain time or after a password change)
  • Exposed credentials and sensitive information leak whose impact is out of scope and source of leak is out of scope.
  • Exposed credentials and sensitive information leak whose source of leak does not belong to the company.

Hunting requirements

Account access

You may register as many accounts as you want for your tests in authenticated mode. When doing so, please make sure to use a yeswehack email alias https://yeswehack.com/user/tools/email-alias. When reporting a bug do not hesitate to tell us what accounts you used.

Hunters collaboration

When submitting new report, you can add up to 5 collaborators, and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to login with your hunter account.
program thumbnail
To submit a vulnerability report, you need to login with your hunter account.