# LOWE'S VULNERABILITY REPORTING ELIGIBILITY POLICY
At Lowe's, we respect and care deeply about the data security and privacy of our customers, associates and partners. The security of our eCommerce platforms and systems is of paramount importance to us. We welcome security researchers to share details of any suspected vulnerabilities in our systems and eCommerce platforms in a responsible manner. When a Security Researcher reports any suspected security vulnerabilities in accordance with this Vulnerability Disclosure Policy, Lowe's and/or its designated service provider will review the vulnerability in accordance with Lowe's policies and procedures, and at Lowe’s discretion, you may be eligible for monetary or nonmonetary compensation for your efforts.
No joint venture, partnership, employment or agency relationship is created or exists between you and Lowe's as a result of or related to your vulnerability submission.
## How Does It Work?
Lowe's vulnerability reporting eligibility policy is designed to better protect and prioritize the platforms and systems that serve our customers. We have defined Program Scope and Focus Areas on which we would like Security Researchers to concentrate. If a submission is not covered under the Policy, we will still acknowledge your contribution toward better protections.
Lowe's will not take legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Vulnerability Disclosure Policy. Lowe's reserves all legal rights in the event of any noncompliance.
Lowe's does not condone any illegal or unethical activities, and will not triage any noncompliant submission or any submission from an ineligible participant.
## Who is Eligible to Participate?
All Security Researchers must meet the following eligibility requirements in order to submit reports:
- You are 18 years of age or older, or you are at least 16 years of age and have demonstrable parental consent.
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.
- You are not employed by a competitor of Lowe's (i.e. a home improvement retailer).
- You are not a resident of any country under U.S. sanctions, nor an individual under U.S. sanctions, nor affiliated with such a country or person in the submission of the Vulnerability.
- You are not a government official acting in your official capacity.
- Currently, and within the six months prior to providing your Vulnerability report, you are not a Lowe's employee, an employee of a Lowe's contractor or service provider, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee.
- You obtained the Vulnerability in good faith and in an ethical manner, and you will only seek reasonable compensation for your expertise, knowledge and efforts.
- You will not engage in any illegal or unethical activities that exploit the Vulnerabilities to Lowe's harm.
- You comply with all applicable laws and regulations, applicable Lowe's policies, your non-disclosure agreement and Lowe's Security Vulnerabilities Reporting Terms and Conditions.
- There is no other legal prohibition that prevents you from performing security research under this policy.
## Response Targets
Lowe's Companies will make a best effort to meet the following response targets for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 5 days |
| Time to Triage | 10 days |
| Time to Resolution | depends on severity and complexity |
# First Things First – Here are Some Ground Rules
Lowe's does not condone any illegal activities, and prohibits all of the conduct listed below. We ask that you do NOT perform the actions below, and we will not triage any vulnerability discovered by means of them:
- access, download, or modify data residing in an account that does not belong to you. You may, however, investigate or target vulnerabilities against your own test accounts. Testing must not disrupt or compromise any data, or access to any data, that is not yours.
- perform any attack that could harm our services, including launching denial of service attacks (DDoS), spam, or pyramid schemes, or deploying or using any other malicious software or technology.
- conduct non-technical attacks such as social engineering or phishing.
- access infrastructure (infrastructure access is not allowed).
- test the physical security of Lowe's facilities, employees, equipment, etc.
- attack, in any way, our end users, or engage in trade of stolen user credentials.
- perform automated/scripted testing of web forms, especially Contact forms that are designed for customers to contact our support team.
- use automated scanners/tools.
- test third-party applications, websites, or services that integrate with or link to Lowe's properties.
## Disclosure Policy
- As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
- This program will accept submissions for assets that are not listed as in scope but are validated as Lowe's-owned assets.
# Let the Hunt Begin!
## Vulnerability Submission
Please review the program scope and focus areas before you start. You will need to follow the designated submission format and provide all the information required. Lowe's and/or its designated service provider (HackerOne) will review and validate the reported vulnerability. Any submission that cannot be validated, either internally or via a third-party investigation retained by Lowe's, is not eligible for compensation and/or triage.
## Test Plan
- Users are able to sign up for a free account through our website
- Please use your hacker email alias when testing ([email protected])
## Session Layer: HTTP Headers
Researchers should add headers to requests such as:
- “X-HackerOne-Research: [H1 username]”
## Vulnerability Review Process and Scoring
Lowe's and its designated service provider (HackerOne) will review and rate vulnerabilities submitted.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for triage.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
- Ask the program team before submitting vulnerabilities on unscoped subdomains.
- Only interact with accounts you own or with the explicit permission of the account holder.
**Vulnerability Reporting**
Lowe's and its designated service provider (HackerOne) will review and rate vulnerabilities submitted.
## Program Scope and Focus Areas
### In-Scope
The following consumer-facing websites operated by Lowe's that collect or process personal information:
Important - the Apps are only available from the USA, so it may be necessary to use a VPN to connect to the Play Stores.
### Out of Scope URL(s)
### Lowe's Focus Areas:
- Cross Site Scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Insecure direct object references
- Injection Vulnerabilities
- Authentication Vulnerabilities
- Server-side Code Execution
- Privilege Escalation
- Significant Security Misconfiguration (when not caused by user)
- Any issue outside the categories above that could lead to compromise or leakage of data and directly affects the confidentiality or integrity of user data, thereby affecting user privacy.
### Out of Scope
The following finding types are specifically excluded from Vulnerability triage:
- Findings from physical testing such as store, office, or distribution center access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing, vishing).
- Findings from applications or systems not listed in the scope section.
- Functional, UI and UX bugs and spelling mistakes.
- Network level Denial of Service (DoS/DDoS) vulnerabilities.
- Pivoting, scanning, and vulnerability exploitation.
- Exfiltration of data from Lowe's systems.
- Email spoofing and missing or incorrect SPF/DMARC/DKIM records of any kind.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Login/Logout/Unauthenticated/low impact/anonymous user CSRF.
- Presence of application or web browser autocomplete or save password functionality.
- Lack of Secure/HTTP Only flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha bypass.
- Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration via Login Page error message or Forgot Password error message.
- Any missing HTTP security headers.
- SSL attacks such as BEAST, BREACH, or Renegotiation attack.
- SSL forward secrecy not enabled.
- SSL weak / insecure cipher suites.
- Vulnerabilities affecting users of outdated browsers such as:
  - IE 9
  - Chrome 40
  - Firefox 35
  - Safari 7
  - Opera 13
## Confidentiality
Lowe's requires that vulnerability submissions remain confidential and not be disclosed to third parties, or as part of paper reviews or conference submissions, without Lowe's prior express written consent. You must not use, disclose, or threaten to use the Vulnerabilities to cause any direct or indirect harm to Lowe's. Violation of this section may disqualify you from any future participation in Lowe's Vulnerability reporting.
## Legal
Lowe's reserves the right to modify terms and conditions of this program and your participation in the program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting. We reserve the right to cancel this program at any time.
Thank you for helping Lowe's improve our system and eCommerce platform!