Marionnaud
Bounty Range
$10 - $8,500
external program
Public
Open
Retail
AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with.
AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe.
Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue.
Our websites are under continuous development and have new releases on a regular basis. These releases sometimes introduce new functionality (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these.
This program focuses specifically on the Marionnaud brand from AS Watson. This brand is operating in eight different countries within Europe.
Bounties

Severity is mapped to a CVSS score range:

| Severity | CVSS range |
|---|---|
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 9.4 |
| Exceptional | 9.5 - 10.0 |

The program lists four bounty ranges, from highest to lowest:

Range $100 - $8,500

| Severity | min. $ | max. $ |
|---|---|---|
| Low | 100 | 350 |
| Medium | 350 | 1,250 |
| High | 1,250 | 4,000 |
| Critical | 4,000 | 7,500 |
| Exceptional | 7,500 | 8,500 |

Range $100 - $5,500

| Severity | min. $ | max. $ |
|---|---|---|
| Low | 100 | 300 |
| Medium | 300 | 1,000 |
| High | 1,000 | 3,000 |
| Critical | 3,000 | 5,000 |
| Exceptional | 5,000 | 5,500 |

Range $50 - $2,000

| Severity | min. $ | max. $ |
|---|---|---|
| Low | 50 | 100 |
| Medium | 100 | 500 |
| High | 500 | 1,000 |
| Critical | 1,000 | 1,500 |
| Exceptional | 1,500 | 2,000 |

Range $10 - $500

| Severity | min. $ | max. $ |
|---|---|---|
| Low | 10 | 25 |
| Medium | 25 | 50 |
| High | 50 | 100 |
| Critical | 100 | 250 |
| Exceptional | 250 | 500 |
Reward policy
The wildcards in Tier 5 host a large variety of assets which have a varying impact on our security posture. By default, we try our best to grade known assets into their appropriate bounty tier. Our wildcard bounty tier (Tier 5) is meant for assets that are regarded less impactful. Depending on the program's view on the risk involved with the given asset, your Tier 5 report may be eligible for additional bonuses.
Rules of engagement (https://go.intigriti.com/researcher-rules-of-engagement):

| Rule | Value |
|---|---|
| User agent | Not applicable |
| Automated tooling | max. 5 requests /sec |
| Request header | Not applicable |

- Respect the [Community Code of Conduct](https://go.intigriti.com/coc)
- Respect the Intigriti [Terms and Conditions](https://go.intigriti.com/tac)
- Respect the scope of the program
- Do not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
Validation times
We will strive to validate all submissions within the below timelines, once your submission has been verified by Intigriti.
| Vulnerability Severity | Time to validate |
|---|---|
| Exceptional | 3 working days |
| Critical | 3 working days |
| High | 7 working days |
| Medium | 15 working days |
| Low | 15 working days |

Safe harbour for researchers is applied.
Assets
Marionnaud France (13 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 1 |
| [Marionnaud France Android](https://play.google.com/store/apps/details?id=com.marionnaud.marionnaudfrance) | Android | Tier 1 |
| [Marionnaud France iOS](https://apps.apple.com/fr/app/marionnaud-france/id1127368763) | iOS | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
| http://ecom-data.marionnaud.fr | URL | Tier 4 |
|  | URL | Tier 4 |
|  | URL | Tier 4 |
| *.marionnaud.fr | Wildcard | Tier 5 |
| *.marionnaud.es | Wildcard | Tier 5 |
| *.marionnaud.paris | Wildcard | Tier 5 |
| *.marionnaud.com | Wildcard | Tier 5 |
Marionnaud Austria (10 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 1 |
| [Marionnaud Austria iOS](https://apps.apple.com/gb/app/marionnaud-%C3%B6sterreich/id1114541888) | iOS | Tier 1 |
| [Marionnaud Austria Android](https://play.google.com/store/apps/details?id=at.marionnaud.customer) | Android | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 4 |
| http://ecom-data.marionnaud.at | URL | Tier 4 |
| *.marionnaud.de | Wildcard | Tier 5 |
| *.marionnaud.at | Wildcard | Tier 5 |
Marionnaud Switzerland (10 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 1 |
| [Marionnaud Switzerland iOS](https://apps.apple.com/ch/app/id1486316902) | iOS | Tier 1 |
| [Marionnaud Switzerland Android](https://play.google.com/store/apps/details?id=ch.marionnaud.customer) | Android | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 4 |
| http://ecom-data.marionnaud.ch | URL | Tier 4 |
|  | URL | Tier 4 |
| *.marionnaud.ch | Wildcard | Tier 5 |
Marionnaud Italy (9 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 1 |
| [Marionnaud Italy iOS](https://apps.apple.com/it/app/marionnaud/id883671274) | iOS | Tier 1 |
| [Marionnaud Italy Android](https://play.google.com/store/apps/details?id=it.marionnaud.customer) | Android | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 1 |
|  | URL | Tier 4 |
| http://ecom-data.marionnaud.it | URL | Tier 4 |
| *.marionnaud.it | Wildcard | Tier 5 |
Marionnaud Hungary (9 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 2 |
| [Marionnaud Hungary iOS](https://apps.apple.com/hu/app/marionnaud-magyarorsz%C3%A1g/id1645840482) | iOS | Tier 2 |
| [Marionnaud Hungary Android](https://play.google.com/store/apps/details?id=hu.marionnaud.customer) | Android | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
| http://ecom-data.marionnaud.hu | URL | Tier 4 |
|  | URL | Tier 4 |
| *.marionnaud.hu | Wildcard | Tier 5 |
Marionnaud Czech Republic (9 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 2 |
| [Marionnaud Czech Republic iOS](https://apps.apple.com/cz/app/marionnaud-%C4%8Desko/id1641863747) | iOS | Tier 2 |
| [Marionnaud Czech Republic Android](https://play.google.com/store/apps/details?id=cz.marionnaud.customer) | Android | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 4 |
| http://ecom-data.marionnaud.cz | URL | Tier 4 |
| *.marionnaud.cz | Wildcard | Tier 5 |
Marionnaud Romania (7 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 2 |
| [Marionnaud Romania Android](https://play.google.com/store/apps/details?id=ro.marionnaud.customer) | Android | Tier 2 |
| [Marionnaud Romania iOS](https://apps.apple.com/ro/app/marionnaud-romania/id1021924260) | iOS | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
| *.marionnaud.ro | Wildcard | Tier 5 |
Marionnaud Slovakia (7 assets)

| Asset | Type | Tier |
|---|---|---|
|  | URL | Tier 2 |
| [Marionnaud Slovakia iOS](https://apps.apple.com/gb/app/marionnaud-beaut%C3%A9-soins/id1127368763) | iOS | Tier 2 |
| [Marionnaud Slovakia Android](https://play.google.com/store/apps/details?id=sk.marionnaud.customer) | Android | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
|  | URL | Tier 2 |
| *.marionnaud.sk | Wildcard | Tier 5 |
In scope
Introduction
We are happy to announce our program! We've done our best to clean up our known issues and now would like to request your help to spot the ones we missed!
Focus Areas

- E-commerce payment & order flows
- Authorization flaws in APIs & microservices in the e-commerce environment
- Any e-commerce functionality which processes customer data

Critical Scenarios

- Mass customer data exposure: emails, addresses, phone numbers, order history, etc.
- Zero-click mass customer account takeover
- Remote Code Execution
- Unauthorized access to important infrastructure, databases, or backend systems
- Checkout/order process abuse (e.g. free or discounted products)

Leaked Credentials
We welcome security researchers to responsibly report any discovered publicly leaked credentials that could allow unauthorized access or exposure of sensitive information.
Below is a list of generic guidelines on which credentials will or won't be accepted in reports:

Cases with impact:

- Credentials providing administrative or high-privileged access to network infrastructure, servers, or critical applications
- Credentials providing admin access to high-priority web applications within AS Watson's attack surface
- Credentials exposing sensitive data of a large number of employees or customers
- Credentials belonging to service accounts with broad access

Cases without significant impact:

- Personal user credentials for non-critical applications (e.g. training platforms, corporate social media)
- Credentials external to AS Watson's domains/infrastructure (e.g. a personal Gmail account used for AS Watson applications)
- Credentials that cannot be used because of multi-factor authentication (MFA)
- Individual customer credentials (we can only advise customers to be careful with their passwords)

⚠️ Please note that we will evaluate the impact of credential-related reports and reserve the right to make final determinations on bounty eligibility and awards. Privately obtained or paid-for leaked credentials are strictly out of scope.

Feedback

Would you like to help us improve our program or have some feedback to share? Please send your anonymous feedback here: [Program feedback link](https://go.intigriti.com/program-feedback). Please note this form will be checked periodically and should not be used for submission or support queries.
Out of scope

- WordPress username disclosure
- Pre-auth account takeover/OAuth squatting
- Self-XSS that can't be used to exploit other users
- Verbose messages/files/directory listings without disclosing any sensitive information
- CORS misconfiguration on non-sensitive endpoints
- Missing cookie flags
- Missing security headers
- Cross-site Request Forgery with no or low impact
- Presence of autocomplete attribute on web forms
- Reverse tabnabbing
- Bypassing rate limits or the non-existence of rate limits
- Best practice violations (password complexity, expiration, re-use, etc.)
- Clickjacking without proven impact/unrealistic user interaction
- CSV injection
- Sessions not being invalidated (logout, enabling 2FA, etc.)
- Tokens leaked to third parties
- Anything related to email spoofing, SPF, DMARC or DKIM
- Content injection without being able to modify the HTML
- Username/email enumeration
- Email bombing
- HTTP request smuggling without any proven impact
- Homograph attacks
- XML-RPC enabled
- Banner grabbing/version disclosure
- Not stripping metadata from files
- Same-site scripting
- Subdomain takeover without actually taking over the subdomain
- Arbitrary file upload without proof of the existence of the uploaded file
- Blind SSRF without proven business impact (pingbacks aren't sufficient)
- Disclosed/misconfigured Google Maps API keys
- Host header injection without proven business impact
- CSRF for non-sensitive actions (example: adding or removing a product to a shopping cart or wishlist)
- Rate limiting on OTP requests; avoid sending a high number of OTP requests
- Brute force on login, e-gift cards, promo codes, vouchers, user account registration
- Forgot-password token requests being leaked to third parties
- If a reported vulnerability was already known to the company from its own tests, it will be flagged as a duplicate
- Theoretical security issues with no realistic exploit scenario(s) or attack surface, or issues that would require complex end-user interaction to be exploited
- Spam, social engineering and physical intrusion
- DoS/DDoS attacks or brute force attacks
- Vulnerabilities that only work on software that no longer receives security updates
- Attacks requiring physical access to a victim's computer/device, man-in-the-middle, or compromised user accounts
- Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
- Reports that state that software is out of date/vulnerable without a proof of concept
- Shared links leaked through the system clipboard
- No session timeout
- Any URIs leaked because a malicious app has permission to view opened URIs
- The absence of certificate pinning
- Sensitive data in URLs/request bodies when protected by TLS
- Lack of obfuscation
- Path disclosure in the binary
- Lack of jailbreak & root detection
- Crashes due to malformed URL schemes
- Lack of binary protection (anti-debugging) controls, mobile SSL pinning
- Snapshot/pasteboard leakage
- Runtime hacking exploits (exploits only possible in a jailbroken environment)
- API key leakage used for non-sensitive activities/actions
- Vulnerabilities that require physical access to the victim's device have limited impact
Severity assessment
This program follows Intigriti's [triage standards](https://go.intigriti.com/triage-standards) based on the proof of concept.
AS Watson takes information security risks seriously and is committed to handling reported vulnerabilities in a fair, transparent, and consistent manner.
The severity of a reported vulnerability is determined through an internal assessment process that considers both technical impact and business context. While industry-standard scoring systems (such as CVSS) may be used as an input, the final severity rating may differ based on our evaluation of the specific circumstances in which the vulnerability exists.
FAQ
You can self-register on the e-commerce applications but please don’t forget to use your @intigriti.me address.
Overall stats

| Metric | Value |
|---|---|
| Submissions received | 89 |
| Accepted submissions | 1 |
| Average payout | $1,126 |
| Total payouts | $1,126 |

Last 90 day response times

| Metric | Value |
|---|---|
| Avg. time to first response | < 4 days |
| Avg. time to triage | < 4 days |
| Avg. time to decide | < 2 weeks |