Unilever Vulnerability Disclosure Program

  • Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

19 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

This program only awards points for VRT-based submissions.

Targets

In scope

Target name: https://unilever.com/
Type: Website Testing

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Unilever not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you believe you've identified a vulnerability on a system outside the scope, please reach out to support@bugcrowd.com before submitting.

Unilever is starting this program with its primary public-facing web application on unilever.com. As the program progresses, more targets will be added.

Scanning Activity

Please do not use automated vulnerability scanners on this program. Custom scripts and fuzzing tools are permitted, but if using them, please keep your traffic to six requests per second or less. Additionally, it’s worth noting that the client already runs automated scans from Acunetix, Zap, Nessus, et al., against the in-scope targets – so using these tools is likely of minimal utility to researchers. As such, please avoid using them unless for targeted, specific testing, and then only at less than six requests per second.

Exclusions

Non-qualifying vulnerabilities / Known Issues

When reporting vulnerabilities, please consider (1) attack scenario/exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
  • Rate limiting or brute force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Public zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
  • Tab nabbing
  • Open redirect, unless an additional security implication can be demonstrated
  • Self XSS
  • Promo code abuse (e.g. ordering multiple times using the same promo code)
  • Promo code enumeration and abuse of our promotional offers and referral codes
  • Able to retrieve a user's public information
  • Username / email enumeration
  • Social engineering of users, Unilever staff or contractors
  • Bugs in 3rd party authentication (attacks specifically against our implementation are fine)
  • Results from automated tools without any manual confirmation
  • Bugs affecting 3rd party sites that consume data from Social Club
  • Any similar action that interferes with a user's privacy, security or experience
  • Clear Text / HTTP Basic Authentication
  • Internal path disclosure
  • Blind XSS, Blind SSRF with no actual exploitation
  • Subdomain takeover

Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.