Office Depot: Responsible Disclosure Policy
Office Depot cares deeply about maintaining the trust and confidence that our customers place in us. The security of our online platforms is of paramount importance. If you are a security researcher and have discovered a security vulnerability in one of our services or sites, we encourage you to disclose it to us in a responsible manner. You can responsibly disclose a suspected vulnerability to the Office Depot Information Security Team by filling out the form below. Your submission will be reviewed and validated, then our representatives will contact you with any further questions. Rewards for this program follow this pay structure:
- P1 impacting a production environment: $1000
- P2 impacting a production environment: $750
- P3 impacting a production environment: $250
- P4 impacting a production environment: $100
Reporting:
We require security researchers to include detailed information with steps for us to reproduce the vulnerability.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy (https://bugcrowd.com/vulnerability-rating-taxonomy). However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood, impact, or mitigating control in place. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher.
By reporting the vulnerability, you agree not to disclose the vulnerability to a third party without Office Depot's written permission.
Program Scoped Domains:
Any domain/property of Office Depot not listed in the Program Scope, including data repos such as GitHub, PastBin, etc, along with any submission for property that is not owned or managed by Office Depot may be accepted at Office Depot's discretion but is not guaranteed.
Primary Focus Areas:
- SQL Injection
- Directory Traversal
- Information Disclosure
- Application logic issues
- Remote Code Execution
- Significant Authentication Bypass
- Cross Site Request Forgery on Critical Actions
- Cross Site Scripting (excluding self-XSS)
To remain compliant with this program, you are prohibited from:
- Accessing, downloading, or modifying data residing in an account that does not belong to you
- Executing or attempting to execute any Denial of Service attack
- Posting, transmitting, uploading, linking to, sending, or storing any malicious software
- Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
- Testing in a manner that would degrade the operation of any Office Depot systems or compromise the privacy and security of our customers.
- Testing third-party applications, websites, or services that integrate with or link to Office Depot systems
If any of the above behaviors are observed, the researcher will be removed from the program without notice.