Home Bargains (TJ Morris Ltd) are rolling out a new SSO solution and would like to invite you to test and report any weaknesses you may find.

Home Bargains' new Single Sign-On (SSO) system, built to provide a secure and unified login experience across internal and external applications. It uses a concept called "userpool" to group different types of users. For example, employees belong to the EMPLOYEE userpool, while customers or suppliers would be part of their respective pools.

No technology is perfect, and Home Bargains believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Testing URL

• https://signin-hackerone.hbstaging.website/

How it Works

For this testing environment, we've set up two dedicated userpools:

HACKERONE-A HACKERONE-B

Expected user flow:

• Sign Up
• Enter email
• Choose the userpool
• Provide an Employee Number (any number between 10000000 and 99999999)
• Enter a valid NI Number (any valid format will work)
• Set a password
• Setup 2FA (For HACKERONE-B only)
• Verify your email

Testing

Sign In - Once signed up, users can log in with their email and password. Password reset is also available. Dashboard - After signing in, users are taken to a dashboard that shows which connected apps they can access based on their userpool. Connected Apps - There are three test apps integrated for authentication testing:

App A – Token-based auth App B – Token-based auth App SAML – SAML-based auth

Each app will show whether the user is authenticated and allowed access.

Users in HACKERONE-A can access App A and App SAML Users in HACKERONE-B can access App B only (Two factor authentication is also required)

You’re welcome to explore & test:

• The full signup process
• Sign in with your test user
• Password reset flow
• Dashboard access
• App access based on userpool
• Basic SAML and token-based auth verification
• Anything else, so long as it relates to this system and is in scope

Notes

If the combination of Employee Number and NI Number has already been used by another tester, it won’t be possible to register again with the same details.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Bounty Program

To show our appreciation of responsible security researchers, Home Bargains offers a monetary bounty for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.

Exclusions

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of Home Bargains staff or contractors
• Any physical attempts against Home Bargains property or datacentres
• Forwarding the output of vulnerability scanners such as Nessus
• Reporting issues such as DMARC/DKIM/SPF/E-Mail spoofing or any other issues that aren't directly related to the system under test

In-Scope Domains and Properties

The scope of this program is currently limited to technical security vulnerabilities on Home Bargains' internet applications. See 'Scopes' for full details.

• https://signin-hackerone.hbstaging.website/

Out-of-Scope Domains and Properties

Anything not listed as 'In-Scope' is 'Out-of-Scope'.

See 'Scopes' for full details.