lululemon

lululemon invites you to test and help secure our assets - We appreciate your efforts and hard work in making us more secure, and look forward to working with the researcher community to create a meaningful and successful bug bounty program. Good luck and happy hunting!

---

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Special Rewards

We will reward an extra bounty to researchers who demonstrate any of the following that we have not already seen. Finding RCE/LFI using the same injection type on different endpoints will not count twice.

$10000

• Remote unauthorized access to our customer database or datastore
• Automated account takeover (ATO) requiring no interaction from the user.
  • This doesn't imply clicking on a valid XSS link to an account takeover, this purely means account takeover via backend means. Have you RCEd yourself in and somehow grabbed other session cookies? We require a full compromise like this to be eligible for reward.
• Remote unauthorized access or arbitrary code execution to web servers.

$5000

• Account takeover (ATO) with limited customer interactions; payloads can not be reused by individual researchers to get subsequent high-level reward.
• User authentication beyond our current entry points (e.g. login, track order, return, checkout) Any vulnerability within our checkout process that exposes or compromises customers’ personal or financial data
• We are particularly interested in methods / techniques that are undetectable by our current security infrastructure.