Security Vulnerability Disclosure Policy

No technology is perfect, and John Lewis & Partners believes that working with skilled security researchers across the globe is crucial in identifying security vulnerabilities in any technology we use. If you believe you've found a security issue or vulnerability in the John Lewis & Partners web platform’s, its sub domains and/or our network. Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

Guidelines for Disclosure

To promote the discovery and reporting of security vulnerabilities and increase user safety, we ask that you follow these guidelines:

• Only perform the security evaluation on the following domains:
• *.johnlewis.co.uk
• *.johnlewis.com
• Do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving express written consent from John Lewis & Partners;
• Follow the [HackerOne's disclosure guidelines] (https://www.hackerone.com/disclosure-guidelines)
• Do not cause any interruption or degradation of our services;
• Only interact with accounts you own or with explicit permission of the account holder;
• Make every effort to avoid privacy violations and do not destroy or damage data;
• Do not view, alter, save, store, transfer or otherwise access user or company data, and immediately purge any local information upon reporting the vulnerability to John Lewis & Partners;
• Do not cause a denial of service;
• Do not send spam to John Lewis & Partners customer, staff or contractors;
• Do not perform social engineering (including phishing) of John Lewis & Partners customer, staff or contractors;
• Do not make any physical access attempts against John Lewis & Partners property or data centres.

Reporting a Vulnerability

Please disclose your findings using the Contact Security Team link above using the subject “Security Vulnerability Disclosure from HackerOne” in the following manner:

• Submit one vulnerability per report;
• Provide detailed steps to reproduce the steps;
• Provide valid contact information for you as the reporter;
• Provide a description of the location and nature of the security issue and its potential impact;
• Screenshots or videos are welcome;
• Contact us immediately if you do inadvertently encounter user data.

Note: Vulnerabilities in third-party systems are not covered by this VDP.

Your Conduct

Please respond quickly to any communications from us regarding your activities so that we can resolve the issue as soon as possible. Any activities conducted in a manner consistent with this policy will be considered authorised conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted with our authorisation, in compliance with this policy. Thank you for helping keep John Lewis & Partners, our customers and our partners safe!