Information Security at Alshaya

At Alshaya, we take cybersecurity seriously, and our Information Security Team works hard to protect Alshaya's information assets, services and products and the confidentiality of customer information. It is one of our top priorities to make sure we comply with all up-to-date security requirements and prove that our customers' data is always safeguarded.

What is a Vulnerability Disclosure Program (VDP)?

A vulnerability disclosure program permits independent researchers to discover and report security issues that affect the confidentiality, integrity and/or availability of customer or company information.

Purpose

Knowing that the global security research community frequently makes contributions to the security of the Internet, Alshaya believes that a relationship with this community will also improve our security. As a result, if you have information about a vulnerability, we want to hear from you! This VDP (Vulnerability Disclosure Program) is part of Alshaya's effort to collaborate with outside security researchers. If you are a security researcher or expert and believe you have identified security-related issues with any of the Alshaya in-scope assets, we would appreciate you disclosing them to us responsibly. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy, you are subject to:

Response Targets

Alshaya will make its best effort to meet the following SLAs for hackers participating in our program:

Type of Response      SLA in business days
First Response        1 day
Time to Triage        3 to 5 days
Time to Resolution    depends on severity and complexity

We’ll try to keep you informed about our progress throughout the process.

Program Rules

  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • You must not collect, disclose, destroy, compromise, alter, interfere with, or transfer any proprietary or confidential Alshaya data, or any data belonging to Alshaya business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party directly or indirectly affiliated with Alshaya. Actions such as storing Alshaya data in public internet services such as Pastebin are strictly prohibited. You must notify Alshaya immediately if you access, modify, delete, or store Alshaya data.
  • Do not use automated scanners/tools (such as Tenable/Nessus, Qualys, WebInspect, Acunetix or any other automated tool).
  • You should also use your best effort not to harm the availability or stability of our services. Do not perform DoS/DDoS tests or spamming.
  • All submissions must also abide by the HackerOne Code of Conduct.
  • Do not threaten or attempt to extort Alshaya. We will not recognize your efforts if you threaten to withhold the security issue from us or if you threaten to release the vulnerability or any exposed data to the public.
  • Alshaya may change the rules of the Vulnerability Disclosure Program at any time.
  • Do not exploit beyond what is necessary to demonstrate vulnerability presence.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions
  • Unauthenticated/logout/login CSRF
  • Insecure Cookie Settings on non-sensitive cookies
  • Bugs requiring inordinate amounts of user interaction or prior knowledge of user secrets such as session tokens or CSRF values
  • Information regarding software versions or web server versions/banners where there is no evidence these versions are impacted by a security flaw
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Known SSL issues
  • SSL Forward Secrecy or HSTS not enabled
  • Weak SSL/TLS cipher suites
  • Common automated tooling, including Acunetix, Nessus and Qualys, among others, should be avoided; however, use of Burp Suite and other custom tools is allowed
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited
  • Do not test the physical security of Alshaya properties
  • Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps
  • Subdomain takeovers without a complete proof of concept
  • Attacks which require internal network access or are from Alshaya employees or contractors
  • Missing email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Missing security headers
  • Spam vulnerability, mail spoofing, mail bomb, etc
  • Self-XSS


Safe Harbor

*Gold Standard Safe Harbor applies. Thank you for helping keep Alshaya and our users safe!


*Gold Standard Safe Harbor

Gold Standard Safe Harbor supports the protection of organizations and hackers engaged in Good Faith Security Research. “Good Faith Security Research” is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (“TOS”) and/or Acceptable Use Policies (“AUP”) that conflicts with the standard for Good Faith Security Research outlined here.

This means that, for activity conducted while this program is active, we:

  • Will not bring legal action against you or report you for Good Faith Security Research, including for bypassing technological measures we use to protect the applications in scope; and,
  • Will take steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.

You should contact us for clarification before engaging in conduct that you think may be inconsistent with Good Faith Security Research or unaddressed by our policy.

Keep in mind that we are not able to authorize security research on third-party infrastructure, and a third party is not bound by this safe harbor statement.

By accepting, you acknowledge that Alshaya reserves the right not to be responsible for the topicality, correctness, completeness, or quality of the information provided by the reporter.