Effective date: December 5, 2023

Responsible Disclosure Mars believes that the security of our services is of the utmost importance and appreciates your assistance in identifying potential vulnerabilities. This Responsible Disclosure Policy (“Policy”) provides guidance to ensure that your contribution is handled in a responsible manner. Please note, you are under no obligation to identify potential vulnerabilities. This policy describes Mars’ philosophy regarding the receipt of disclosures and its commitment to validate and fix vulnerabilities in accordance with our commitment to the Five Principles on which Mars is built.

Disclosure Program Guidelines

When reporting, we ask that you complete the following steps:

1. Review this Policy.
2. Complete the form (“Reporting Template”) that we have provided at the bottom of this page, providing as much detail as possible. We ask that you provide detailed information with sufficient steps to permit our security team to replicate and locate the identified vulnerability.
3. REQUIRED: Please provide the site/domain address on the report's title. (We use this for internal tracking.)
4. Do not take advantage of the vulnerability or problem you have discovered. For example, do not download more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.
5. Do not reveal the problem to others until it has been resolved. We ask that you refrain from disclosing this issue to third-parties or the public while we work toward resolution because disclosure may increase the potential risks associated with the vulnerability.
6. Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
7. Provide sufficient information for Mars to reproduce the problem if needed. Usually, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but complex vulnerabilities may require further explanation.
8. Allow a reasonable amount of time to respond to the issue. Responses will be within one business day, while time to resolution depends on severity and complexity.
9. Mars may choose not to contact or otherwise interact with reporters who decline to identify themselves when making the report.
10. As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
11. Follow HackerOne's disclosure guidelines.
12. When conducting security testing that requires an email address, hackers must use their HackerOne email alias ([username]@wearehackerone.com or [username]+[identifier]@wearehackerone.com) rather than personal email addresses to ensure consistent identification and proper attribution of testing activities.

Noncompliance

Mars does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity or in violation of the Mars Terms of Use [https://www.mars.com/legal]. Therefore, we note that any party researching vulnerabilities under this Policy must do the following:

• Comply with all applicable laws relevant to security research activities. If you engage in any activities that are inconsistent with this Policy, you may be subject to criminal and/or civil liabilities. • Do Not: o Access, acquire, remove, download, or modify data residing in an account that does not belong to you; o Destroy or corrupt, or attempting to destroy or corrupt, data or information that does not belong to you; o Execute or attempt to execute any “Denial of Service” attack; o Post, transmit, upload, link to, send, or store any malicious software; o Test in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages or degrade the operation of any Mars properties; o Testing third-party applications, websites, or services that integrate with or link to Mars properties; nor o Exploit any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists.

In sum, we ask that you refrain from harming or otherwise compromising Mars properties, violating Mars’ rights, the rights of third-parties, or the law.

However, if you have found a potential vulnerability (excluding the out of scope vulnerability classes listed below) on any system or asset that you believe belongs to Mars, we request that you please submit it through this program.

Out of Scope Vulnerabilities and Attacks

Some vulnerabilities classes and attacks are out of scope for our Responsible Disclosure Program. These out of scope vulnerability classes include: • Physical Testing • Social Engineering • Phishing • Denial of Service Attacks • Resource Exhaustion Attacks • Clickjacking on pages with no sensitive actions • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions • Attacks requiring MITM or physical access to a user's device. • Previously known vulnerable libraries without a working Proof of Concept. • Comma Separated Values (CSV) injection without demonstrating a vulnerability. • Missing best practices in SSL/TLS configuration. • Any activity that could lead to the disruption of our service (DoS). • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS • Rate limiting or brute-force issues on non-authentication endpoints • Missing best practices in Content Security Policy. • Missing HttpOnly or Secure flags on cookies • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.) • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version] • Software version disclosure / Banner identification issues / Descriptive error messages or headers • Tabnabbing • Issues that require unlikely user interaction

Response Targets

Mars will make a best effort to meet the following SLAs for hackers participating in our program:

No Limitation of Liability to Third-Parties

While Mars appreciates the reporting of potential vulnerabilities and does not intend to take action against entities making good faith efforts to report such vulnerabilities lawfully and in compliance with this Policy, we are not able to make such a representation on behalf of any third-party. Notably, to the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any non-Mars entity, or personal data of Mars employees, customers, suppliers or any other third party, such non-Mars entity or person may independently determine whether to pursue legal action or remedies related to such activities.

Thank you for helping us to keep our platforms safe!