MediaMarktSaturn Bug Bounty Program

Company

In terms of revenue, sales area and headcount, the MediaMarktSaturn Retail Group is Europe’s leading consumer electronics retailer and provider of related services. Our integrated online and fixed-location offerings reach millions of customers every day. For more information visit our homepage: https://www.mediamarktsaturn.com

About the Scope of this Program

Our Bug Bounty program is limited to our e-commerce web application and its associated API, accessible via https://www.mediamarkt.* [de / at / .com.tr / es / be / lu / nl / ch / hu / pl], https://www.mediaworld.it and https://www.saturn.de. Please be aware that *.mediamarkt.pt is out-of-scope.

You are welcome to test any country-specific site linked from https://www.mediamarkt.* (e.g. https://www.mediamarkt.de), https://www.mediaworld.it and https://www.saturn.de, but subdomains are out-of-scope as well as *.mediamarkt.pt. For a full list of supported country locals, please refer to the following page: https://mediamarktsaturn.com/company/international-presence.

Beyond the e-commerce web application scope described above, testing is also permitted on our official iOS and Android e-commerce mobile apps.

Furthermore, we ask you to respect the scope of our program and to don't hunt outside of it. Should you need to report anything outside of the scope of this program you may do so through our VDP program here: https://vdp.mediamarktsaturn.com/p/Startpage.

Program Rules

We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses in our technology.
If you believe you have found a security bug in our service, we are happy to work with you to resolve the issue promptly and ensure you are fairly rewarded for your discovery.

Dont´s:

• Any type of denial of service attacks, as well as any interference with network equipment and MediaMarktSaturn infrastructure,
• Violate any laws (including at least German and European law and any laws applicable in your country),
• Access, change, delete or leak accounts of other MediaMarkt/Saturn customers,
• Change or create more accounts on websites / apps than necessary for the test,
• Damage or change our systems,
• Compromise the availability of our services (e.g. Denial of Service),
• Run automated scanning,
• Scan the infrastructure of our host- provider “PlusServer GmbH”,
• Use any social engineering techniques to access our systems or reach to MediaMarktSaturn employees,
• Reveal any private data to third parties or to the public,
• Do not copy any files from our applications/servers and disclose them,
• No vulnerability disclosure, full, partial or otherwise, is allowed.

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of MediaMarktSaturn however, only those that meet the following eligibility requirements may receive a monetary reward:

• You must not break any of the testing policy rules / program rules listed above.
• If you find the same vulnerability several times (also on different countries), please create only one report and eventually use comments. You'll be rewarded according to your findings.
• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability (see below)
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must avoid tests that could cause degradation or interruption of our service (refrain from using automated tools, and limit yourself about requests per second).
• You must not leak, manipulate, or destroy any user data.
• You must not be a former or current employee of MediaMarktSaturn or one of its contractor.
• No vulnerability disclosure, including partial is allowed for the moment.
  
  

The following examples define acceptable and unacceptable practices for demonstrating vulnerabilities:

• Data or Configuration Modifications:

  • Permitted: Making changes to your own data exclusively
  • Prohibited: Modifying data belonging to other users, altering critical configuration settings, or deleting stored information

• Code Injection:

  • Permitted: Using system utilities (e.g., id, whoami) to determine the user executing the code
  • Prohibited: Executing unauthorized or external code

• Sending Unauthorized Communications:

  • Permitted: Sending a single test message via a contact form for validation
  • Prohibited: Engaging in bulk messaging through contact forms or sending communications to third parties

• SQL Injection:

  • Permitted: Identifying the version of the database management system (DBMS)
  • Prohibited: Accessing tables that contain production or sensitive data, including customer records

• XSS Testing:

  • Permitted: Executing a minimal alert, such as alert(17), to confirm vulnerability
  • Prohibited: Embedding or invoking any external scripts

Reward Amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

REPORTS OF LEAKS AND EXPOSED CREDENTIALS

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and identified outside of our program’s scope, such as:

• Exposed credentials in/from an out-of-scope asset/source
• Sensitive information exposed in/from an out-of-scope asset/source

Also, in order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behaviour (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

This excludes, but is not limited to:

• Stolen credentials gathered from unidentified sources
• Exposed credentials that are not applicable on the program’s scope
• Exposed GitHub/GitLab (or similar) instance with no direct relation with our program’s scope
• Exposed secrets (e.g. API tokens/keys or other technical credentials) that are not directly related to the program’s scope
• Exposed PII on an out-of-scope asset

IMPORTANT PRECAUTIONS AND LIMITATIONS

As a complement to the Program’s rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data
• DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)
• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.
• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity
• In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Reporting

Please note that we reserve the right to use a "OneFixOneReward" rule, i.e. if two or more endpoints/forms (e.g. given endpoint on www.mediamarkt.de and www.mediamarkt.at) use the same code base and a single fix can be deployed to fix the weakness on those different endpoints, only one endpoint will be considered eligible for a reward and other reports will be closed as Informative. In any case, all reports will be reviewed edge by edge and we intend to be fair in our triage and rewards.