
Best Buy
External Program
We at Best Buy work hard every day to enrich the lives of consumers through technology, whether they come to us online, visit our stores or invite us into their homes. Best Buy is committed to protecting our customer data. No technology is perfect, and Best Buy believes that working with skilled security researchers is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
For any activity you conduct in compliance with this policy, Best Buy will not initiate legal action against you.
In order to protect our company, our customers and their data, you must accept and comply with the following guidelines:
Do not disclose the potential security issue to any third party without Best Buy's prior written permission.
Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Do not engage in any denial of service.
Do not engage in any spamming of our customers or potential customers.
Do not engage in social engineering (including phishing) of Best Buy employees or contractors.
Do not engage in any physical attempts against Best Buy property or data centers.
Domain and Subdomain Takeovers: demonstrate that you are able to take over the page by leaving a non-offensive message, such as your username.
Once a report is submitted, Best Buy commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
Submitted reports are received and processed by a third-party provider of Best Buy.
You give us the right to use the content of your report for any purpose.
Submission of a report does not create a consumer, employment, or agency relationship between you and Best Buy.
Submitting a valid vulnerability report does not guarantee a reward. Rewards, if any, are at Best Buy's sole discretion.
Retesting Resolved Reports: Researchers must operate in good faith. They are encouraged to maintain open communication with our security team regarding any findings or potential issues during the retest phase. Additional insights on how security fixes can be made more robust, reducing the likelihood of bypasses, will be taken into account when considering the validity of reported bypasses.
Best Buy may update this policy from time to time.
By reporting a security bug or vulnerability, you agree to the terms and conditions of this Responsible Disclosure Policy. The information you provide will be handled according to the Best Buy Privacy Policy.
Thank you for helping keep Best Buy and our customers secure.