Vulnerability Disclosure Program
Hy-Vee, Inc. (“Hy-Vee”) is a Midwestern grocery retailer with more than 275 stores across Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota, and Wisconsin.
Hy-Vee’s Security Team is committed to protecting our users and their personal information.
We encourage security researchers to work with us to identify and mitigate security vulnerabilities in order to keep our business and customers safe. If you believe you have discovered a vulnerability on our websites or within our mobile apps, we kindly ask that you disclose it to us promptly and responsibly. We will investigate your report and respond as quickly as possible. We look forward to collaborating with you to resolve any issues.
# Our Ask
- Report suspected vulnerabilities as soon as they are discovered.
- Provide detailed reports including reproducible steps and supporting evidence.
- Submit one vulnerability per report unless chaining issues is necessary to demonstrate impact.
- Do not publicly disclose the vulnerability until it has been resolved and coordinated disclosure has been agreed with Hy-Vee.
- Do not exploit vulnerabilities beyond what is necessary to confirm their existence.
- Make a good-faith effort to avoid privacy violations, destruction of data, or service disruption. Only interact with accounts you own or have explicit permission to test.
- Test only systems and assets within the defined program scope.
# Our Commitment
- We will acknowledge receipt of your report within 5 business days.
- We will investigate and provide status updates as appropriate.
- We will provide an estimated remediation timeline when possible.
- We will notify you when the issue has been remediated.
- With your consent, we will publicly acknowledge your responsible disclosure after resolution.
# Out of Scope Vulnerabilities and Attacks
- Social engineering attacks (e.g., phishing, vishing, smishing)
- UI-based attacks without demonstrated sensitive impact, including clickjacking, tabnabbing, content spoofing, or open redirects
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring privileged network positioning (MITM) or physical access to a user’s device without a realistic attack scenario
- Reports based solely on vulnerable library/version identification without demonstrating exploitability in our environment
- CSV injection without demonstrated impact
- Missing security best practices in SSL/TLS configuration
- Denial-of-Service testing or traffic flooding
- Rate-limiting or brute-force issues affecting non-authentication endpoints only
- Missing security best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies without demonstrated impact
- Missing or misconfigured SPF/DKIM/DMARC or other email best practices
- Vulnerabilities affecting only outdated or unsupported browsers (more than two stable versions behind)
- Software version disclosure, banner identification, verbose error messages, stack traces, or headers without sensitive exposure
- Self-XSS or issues requiring unrealistic user interaction
- Issues relying on highly improbable user behavior
# Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
# Thank You
We appreciate the security community’s help in protecting Hy-Vee’s customers and systems. Responsible research helps us improve and keep our platform safe for everyone.