About Alshaya Group
- Alshaya Group is a dynamic family-owned enterprise, first established in Kuwait in 1890. With a consistent record of growth and innovation, Alshaya Group is one of the world’s leading brand franchise operators, offering an unparalleled choice of well-loved international brands to customers.
- Alshaya Group’s portfolio extends across MENA, Türkiye and Europe, with thousands of stores, cafes, restaurants and leisure destinations, as well as a growing online and digital business.
- Operating in multiple sectors including Fashion, Food, Health & Beauty, Pharmacy, Home Furnishings and Leisure & Entertainment, Alshaya Group colleagues are united by a commitment to authentically deliver great customer service and brand experiences.
- Fresh, modern and relevant, Alshaya’s constantly evolving portfolio reflects the choices and lifestyle of its customers. From flagship stores and restaurants in prestige malls, through to local coffee shops, drive-thrus and online, Alshaya Group brings customers the brands they love in the places they want to be, with brands such as Starbucks, H&M, Mothercare, Debenhams, American Eagle Outfitters, P.F. Chang’s, The Cheesecake Factory, The Body Shop, M.A.C, Victoria’s Secret, Boots, Pottery Barn and KidZania.
- In addition to its retail operations, the Alshaya Group is active in several other sectors, including real estate, automotive, hotels, trading and investments. Learn more about the company at www.alshaya.com or on Instagram https://www.instagram.com/alshayagroup/, and Facebook at www.facebook.com/Alshaya.
Information Security at Alshaya
At Alshaya we take cybersecurity seriously, and our Information Security Team is working hard to protect Alshaya information assets, services and products and the confidentiality of customer information. It is one of our top priorities to make sure we comply with all up-to-date security requirements and to demonstrate that our customers' data is always safeguarded.
Purpose
Knowing that the global security research community frequently makes contributions to the security of the Internet, Alshaya believes that a relationship with this community will also improve our security. As a result, if you have information about a vulnerability, we want to hear from you!
This is a Vulnerability Disclosure Program (VDP), part of Alshaya's efforts to foster collaboration between outside security researchers and Alshaya.
If you are a security researcher or expert and believe you’ve identified security-related issues with any of the Alshaya in-scope assets, we would appreciate your disclosing them to us responsibly.
By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy, you are subject to:
Response Targets
Alshaya will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 1 day |
| Time to Triage | 3 to 5 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- You must not collect, disclose, destroy, compromise, alter, interfere with, or transfer any proprietary or confidential Alshaya data, or data belonging to Alshaya business partners, customers, employees, franchisees, owners, shareholders, vendors, or any other party directly or indirectly affiliated with Alshaya. Actions such as storing Alshaya data in public internet services such as Pastebin are strictly prohibited. You must notify Alshaya immediately if you access, modify, delete, or store Alshaya data.
- Do not use automated scanners/tools (such as Tenable/Nessus, Qualys, WebInspect, Acunetix or any other automated tool).
- You should also use your best effort not to harm the availability or stability of our services. Do not perform DoS/DDoS tests or spamming.
- All submissions must also abide by the HackerOne Code of Conduct.
- Do not threaten or attempt to extort Alshaya. We will not recognize your efforts if you threaten to withhold the security issue from us or if you threaten to release the vulnerability or any exposed data to the public.
- Alshaya may change the rules of the Vulnerability Disclosure Program at any time.
- Do not exploit beyond what is necessary to demonstrate vulnerability presence.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Insecure Cookie Settings on non-sensitive cookies
- Bugs requiring inordinate amounts of user interaction or prior knowledge of user secrets such as session tokens or CSRF values
- Information regarding software versions or web server versions/banners where there is no evidence these versions are impacted by a security flaw
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma-Separated Values (CSV) injection without demonstrating a vulnerability
- Known SSL issues
- SSL Forward Secrecy or HSTS not enabled
- Weak SSL/TLS cipher suites
- Common automated tooling, including Acunetix, Nessus, and Qualys among others, should be avoided; however, use of Burp Suite and other custom tools is allowed
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
- Avoid privacy violations, destruction of data, and interruption or degradation of our services
- Social engineering (e.g. phishing, vishing, smishing) is prohibited
- Do not test the physical security of Alshaya properties
- Vulnerabilities disclosed without a working proof-of-concept or clear reproducible steps
- Subdomain takeovers without a complete proof of concept
- Attacks which require internal network access or are from Alshaya employees or contractors
- Missing email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Missing security headers
- Spam vulnerabilities, mail spoofing, mail bombing, etc.
- Self-XSS
Safe Harbor
Gold Standard Safe Harbor applies.
Thank you for helping keep Alshaya and our users safe!