The Eurofins Group contributes to a safer and healthier world by providing our customers with innovative and high-quality laboratory, research and advisory services whilst creating opportunities for our employees and generating sustainable shareholder value.
Eurofins takes cybersecurity seriously and values the contributions of the security community and security researchers. The purpose of this Vulnerability Disclosure Program (VDP) is to encourage the responsible disclosure of vulnerabilities by providing a safe and secure mechanism to report them. The responsible disclosure of potential issues helps us ensure the security and confidentiality of our customers and data.
We value your work and thank you in advance for your contributions to our vulnerability disclosure program. The Eurofins Global Information Security team looks forward to working with you!
Response Targets
Eurofins will make a best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 1 day |
| Time to Triage | 7 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Do not discuss or disclose any vulnerabilities (even resolved ones) outside of the program and keep them in full confidentiality without prior explicit written consent from Eurofins.
- Follow HackerOne's disclosure guidelines.
How to report
- Provide as much information as possible about the potential issue you have discovered with reproducible steps.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. When duplicates occur, we only triage the first report received (provided it can be fully reproduced).
- Use your @wearehackerone.com Email Alias when signing up for any accounts so we can identify you as a security researcher.
- Make a good faith effort to avoid privacy violations (incl. any personal data protection breaches), destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Remove all Eurofins Confidential Information, including any Personal Data obtained during your analysis, once the report is resolved.
All the following conduct is strictly prohibited:
- Social engineering (e.g. phishing, vishing, smishing).
- Physical attacks.
- Any testing that could harm our services or customers, including launching any large-scale automated attacks (e.g. denial-of-service attacks (DDoS)), spam, pyramid schemes, or deploying or using any other malicious software or technology.
- Intentional conduct that deletes or alters user-generated data; impairs, disrupts, or disables systems; or renders data inaccessible.
- Violation of any laws, including Data Protection Laws, other officially binding rules or regulatory provisions, judgements of courts of law and administrative courts, codes of practice, and public authority decisions, specifically but not limited to all competition, privacy, personal data protection and information security laws.
- Accessing, copying, modifying, deleting, publishing or otherwise disclosing, as well as making any other use of or taking advantage of, any Eurofins information, including personal data of any kind.
- Including any Personal Data in the disclosed vulnerability report.
- Public disclosure of any Eurofins Confidential Information, specifically the details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving prior explicit written authorization from Eurofins.
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Testing third-party applications, websites, or services that integrate with or link to Eurofins properties.
- Missing HTTP security headers which do not lead to a vulnerability.
- Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability).
- Login/logout CSRF or CSRF on non-sensitive actions (e.g. adding products to shopping carts without a direct impact).
- Password and account recovery policies, such as reset link expiration or password complexity.
- Clickjacking without an impact.
- Content spoofing / reflection / injection (on 404 page, search result page etc.) unless it executes code.
- Known-vulnerable library (without evidence of exploitability).
- Certain reports of spam.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
- Low impact host header issues.
- Hard-to-exploit SSL/TLS protocol vulnerabilities and missing best practices in SSL/TLS configuration.
- Rate limiting or brute-force issues on non-authentication endpoints or authentication endpoints which are secured by additional measures (e.g. MFA).
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application, or server errors).
- Tabnabbing.
- Open redirect, unless an additional security impact can be demonstrated.
- Open ports which do not lead directly to a vulnerability.
- Reports from automated tools or scans without a working Proof of Concept.
- Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset.
- Vulnerabilities only affecting users of outdated or unpatched browsers and platforms.
- Email enumeration.
- Cookie and logout policies.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Vulnerabilities which require a jailbroken device.
- API keys found in our mobile applications.
- Attacks requiring physical access to a user's device or a man-in-the-middle (MITM) position.
- Physical security of Eurofins facilities, employees, equipment, etc.
- Testing in a manner that would corrupt the operation of Eurofins solutions.
- Issues that require unlikely user interaction.
Safe Harbor
Gold Standard Safe Harbor applies.
Legal Notice
- By submitting your report, you grant Eurofins, its subsidiaries, affiliates, and contractors a perpetual, worldwide, exclusive, irrevocable, no-charge, transferable, sublicensable (through multiple tiers) and non-exclusive license to copy, distribute, display, perform, transmit, publish, or otherwise use the report or any part thereof.
- You hereby represent and warrant that the report submission is original to you and you own all rights, title, and interest in and to the report submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the report submission to Eurofins.
- You understand that nothing in this Policy shall be deemed to constitute the grant to you of any license or other right to or in respect of any Eurofins or third-party product, service, patent, trademark, trade secret, or other intellectual property.
- By submitting your report, you provide Eurofins with your consent to process personal data contained in the report (if any) in accordance with the Eurofins Privacy Policy.
- Any information you receive or collect about Eurofins or any Eurofins user or customer through this VDP (“Confidential Information”) must be kept confidential and only used in connection with the VDP. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Eurofins scope, except upon receiving explicit written authorization from Eurofins.
Definitions
- “Eurofins” or “Eurofins Group” means any entity that is under direct or indirect control of Eurofins Scientific S.E.
- “VDP” means Vulnerability Disclosure Program.
- “Data Protection Laws” mean any relevant international or national binding laws regulating the use and protection of Personal Data, including but not limited to the GDPR, CCPA, UK Data Protection Act 2018 (and any replacement law that may be issued by the United Kingdom in relation to the UK Brexit), as well as related guidance, instructions or opinions and judgments issued by the competent public authorities or courts of law.
- “The GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” is any information that identifies, relates to, describes, is reasonably capable of being associated with an identified or identifiable individual (natural person), or could reasonably be linked, directly or indirectly with a particular individual (or household in certain jurisdictions).
- “Eurofins Confidential Information” means any confidential or proprietary business or technical information about Eurofins disclosed by it or made available in connection with this VDP, whether disclosed in written, electronic or visual form, which is identified as confidential at the time of disclosure or should reasonably be understood to be confidential given the nature of the information and the circumstances surrounding the disclosure, including without limitation business, operations, finances, technologies, products and services, pricing, personnel, customers and suppliers, including the HackerOne Platform and the content of the report.
Thank you for helping keep Eurofins and our customers safe!