
Mintel
External Program
Submit bugs directly to this organization
Adheres to the Gold Standard Safe Harbor statement: https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement
Managed by HackerOne
Last updated on November 11, 2024.
Mintel looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines
Add an X-Hackerone: username header to your requests so that we can attribute any malicious-looking activity to the bug bounty program.
Use test accounts. Use your [email protected] address whenever possible.
Please rate limit your automated scanning tools to 2 requests per second.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
Any activity that could lead to the disruption of our service (DoS, DDoS).
Social engineering of our employees or contractors, unless explicitly authorized.
Attacks against our physical facilities, unless explicitly authorized.
Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.
Attacks requiring disabling Man In The Middle (MITM) protections.
Attacks only affecting obsolete browsers or operating systems.
Missing best practices (SSL/TLS configuration, Content Security Policy & Strict Transport Security headers, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records, Subresource Integrity), unless a significant impact can be demonstrated.
Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.
Open redirects, unless a significant impact can be demonstrated.
Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.
Software version disclosure / Prometheus metrics / Banner identification issues / Descriptive error messages or stack traces.
Issues that require unlikely user interaction by the victim.
Thank you for helping keep Mintel and our users safe!