The Estée Lauder Companies Inc. (ELC) is committed to keeping our products and information secure. We understand and appreciate the role of the security community and thank you in advance for your contributions to our Vulnerability Disclosure Program (the “Program”). This Program does not provide monetary rewards for bug submissions.
If you believe you have discovered a potential security vulnerability with any of our applications, systems, information technology (IT) products, and/or IT services, we look forward to receiving your submission through the HackerOne platform. We value your work and request your help in disclosing potential issues to us responsibly.
# Guidelines
Your participation in the Program is voluntary and subject to the terms and conditions set forth on this page. Violation of any of the Program rules can result in ineligibility for, and/or removal from, the Program. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy, you are subject to:
Our consumers' and employees’ privacy, data confidentiality, and integrity are crucial. You must agree that you will not disclose vulnerability information reported to ELC to any other third party. Public disclosure may be allowed upon request but only after you have been granted explicit written permission to do so from ELC through this Program. In such cases, we will try to grant permission within four weeks from the release of the fix that addresses the discovered vulnerability.
ELC reserves the right to change or modify the terms of this Program or terminate this Program at any time.
# Program Rules
To be eligible for this Program, you must not be:
- A resident of, or make your submission from, a country that appears on any United States sanctions lists or is subject to any trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
- In violation of any national, state, or local law or regulation;
- A current or former employee/contractor/consultant/vendor employee of ELC or its subsidiaries or affiliates;
- An immediate family member of a current or former employee/contractor/consultant of ELC or its subsidiaries or affiliates;
- A person acting on behalf of a company or organization; or
- Less than 16 years of age. If you are between the ages of 16 and 17 years old but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s written permission prior to participating in the Program.
If it is discovered that you meet any of the criteria listed above, you will be disqualified from receiving any recognition under this Program.
# Program Rules
As with most vulnerability disclosure programs, there are some requirements and restrictions:
- Provide detailed reports with reproducible steps. We request that researchers provide sufficient technical details and background necessary for us to identify and validate reported issues.
- We ask that submissions include:
  - Description of the vulnerability
  - Steps to reproduce the reported vulnerability
  - Proof of exploitability (e.g. screenshot, video)
  - Perceived impact to another user or the organization
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only recognize the first report that was received (provided that the steps in the report can be fully reproduced). We will not recognize or otherwise consider previously-known issues.
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- You must comply with ELC’s posted Terms and Conditions for all its ELC-owned digital properties, including but not limited to its e-commerce websites, and all applicable laws and regulations, including without limitation any laws or regulations governing privacy, security or the lawful processing of data.
- Do not exploit a vulnerability you discovered. Use a proof of concept only to demonstrate an issue.
- You are prohibited from engaging in any activity that would be disruptive, damaging or harmful to ELC, its businesses or its customers. This includes, without limitation:
  - Social engineering (e.g. phishing, vishing, smishing)
  - Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  - Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or other forms of duplicative or unsolicited messages
  - Denial of Service (DoS) and Distributed Denial of Service (DDoS)-based attacks.
- You are prohibited from engaging in any privacy violations, destruction of data, and interruption or degradation of service. Only interact with accounts you own or with explicit permission of the account holder. Do not attempt to compromise or otherwise gain access to an account or data that is not your own.
- You are prohibited from engaging in any activity that results in you, or any third party, accessing, acquiring, altering, copying, storing, sharing, transferring, deleting or otherwise processing of personal information, or ELC confidential information. If you inadvertently engage in any such activity, please stop testing and contact us immediately at [email protected]. All copies of such information must be securely purged upon submitting the vulnerability to ELC.
- You must securely delete ELC information that may have been downloaded, cached, or otherwise stored on systems used to perform the research.
- Automated vulnerability scanning tools are strictly prohibited.
- You must abide by the Program scope. Out-of-scope vulnerabilities are not eligible for this Program.
As a condition of participation in this Program, you waive any rights to the confidentiality of the submitted work and, further, grant ELC an irrevocable, worldwide, royalty-free, perpetual, transferable, sub-licensable license to use the submitted research, as well as any materials submitted therewith, for any purpose, and waive claims against ELC based on ELC’s license or the rights granted herein.
This Program is not an offer of employment, nor of a contractual relationship between ELC and any other party.
# Out of Scope Vulnerabilities
When reporting vulnerabilities, please consider:
- The attack scenario / exploitability
- The security impact of the bug
The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Reporting a missing CAA record.
- Reporting not being on the HSTS preload list.
- Cross-site request forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing best practices in HTTP security header configuration.
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (Less than two stable versions behind the latest released stable version).
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors).
- Public zero-day vulnerabilities that have had an official patch for less than one month will be awarded on a case-by-case basis.
- Tabnabbing.
- Open redirect, except for redirection to arbitrary external resources without user interaction or when an additional security impact can be demonstrated.
- Issues that require unlikely user interaction.
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
- Impacts caused by attacks requiring access to leaked keys/credentials.
- HTTP Host Header XSS.
- Reflected file download.
- Results of automated scanners.
- Verbose error pages (without proof of exploitability).
- Issues that resolve to third-party services.
- Issues that do not affect the latest version of modern browsers.
- General best practice concerns.
Thank you for helping keep Estée Lauder Companies and our users safe!