Introduction
Mondelēz International takes vulnerability disclosures seriously and appreciates security researchers' efforts. Mondelēz International is committed to establishing transparent and open communication with researchers.
The purpose of the Vulnerability Disclosure Policy (VDP) is to give security researchers clear guidelines for conducting vulnerability research, discovery, and reporting against Mondelēz International systems.
Mondelēz International accepts vulnerability findings from various sources such as independent security researchers, industry partners, or customers. Mondelēz defines a vulnerability as a technical flaw or weakness found in a system that can be leveraged to compromise the confidentiality, integrity, or availability of Mondelēz International products, services, and data. Please see the rules of engagement for security researchers below.
Legal Authorization (Safe Harbor)
If all the associated guidelines highlighted in this policy are followed during the security research, Mondelēz International will consider the research to be authorized, and will look to collaborate to understand any discovered issues quickly. Mondelēz International will not recommend or pursue legal action against authorized activities that are in accordance with this policy.
Test Instructions
When testing, you can make it easier for us to distinguish your testing traffic from our normal traffic and from malicious actors on the internet. Please do the following when participating in the Mondelēz VDP program:
- Where possible, register accounts using your @wearehackerone.com addresses (see https://docs.hackerone.com/hackers/hacker-email-alias.html).
- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
- No credentials are required or provided for this program. If you self-register for any accounts, please register with your @wearehackerone.com email address. You may not use exposed credentials to continue testing without written consent from Mondelēz International.
- Include a custom HTTP header in all your traffic. Burp and other proxies make it easy to add a header automatically to all outbound requests. Tell us which header value you set so we can identify your traffic easily.
  - Identifier: your HackerOne username
  - Format: X-Mondelez-VDP: HackerOne-<your HackerOne username>
  - Example: X-Mondelez-VDP: HackerOne-H4x0r
- Always tag your traffic, and list your IP in the submission form.
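The header and IP requirements above exist so that the receiving side can separate researcher traffic from everything else in its logs. The following Python script is an added illustration of that defender-side triage, not code from Mondelēz International or HackerOne; it assumes a constructed access-log format in which the value of the X-Mondelez-VDP header is logged as the last quoted field, and a constructed registry mapping researcher usernames to the IPs they reported. Each line is classified as registered researcher traffic, traffic carrying a valid tag from an unreported IP, untagged traffic, or a malformed tag, which is exactly the distinction an analyst needs when deciding whether an alert is a researcher or not.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample log lines (assumed format, not a real Mondelēz log):
#   client_ip "request_line" status "X-Mondelez-VDP value or - when absent"
SAMPLE_LOG = """\
203.0.113.10 "GET /login HTTP/1.1" 200 "HackerOne-H4x0r"
203.0.113.10 "POST /api/orders HTTP/1.1" 403 "HackerOne-H4x0r"
198.51.100.7 "GET /login HTTP/1.1" 200 "-"
198.51.100.7 "GET /admin HTTP/1.1" 404 "HackerOne-H4x0r"
192.0.2.55 "GET /search?q=%27 HTTP/1.1" 500 "garbage"
"""

# Constructed registry: username -> IPs the researcher listed in their report.
REGISTERED_RESEARCHERS: Dict[str, Set[str]] = {"H4x0r": {"203.0.113.10"}}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<vdp>[^"]*)"$'
)
# The required tag format from the policy: HackerOne-<HackerOne username>.
TAG_RE = re.compile(r"^HackerOne-(?P<user>[A-Za-z0-9_-]+)$")

CATEGORIES = ("researcher", "tagged_unregistered_ip", "untagged", "malformed_tag")


@dataclass
class Classified:
    ip: str
    request: str
    status: int
    category: str            # one of CATEGORIES
    user: Optional[str] = None


def classify_line(line: str, registry: Dict[str, Set[str]]) -> Optional[Classified]:
    """Classify one log line; returns None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, request, status, vdp = m["ip"], m["request"], int(m["status"]), m["vdp"]

    if vdp == "-":
        return Classified(ip, request, status, "untagged")

    tag = TAG_RE.match(vdp)
    if not tag:
        # A header is present but does not follow the HackerOne-<username> format.
        return Classified(ip, request, status, "malformed_tag")

    user = tag["user"]
    if ip in registry.get(user, set()):
        # Tag and reported IP agree: this is the researcher's own testing traffic.
        return Classified(ip, request, status, "researcher", user)
    # Valid tag, but from an IP the researcher never reported: treat with care,
    # since anyone can copy a header value.
    return Classified(ip, request, status, "tagged_unregistered_ip", user)


def summarize(log_text: str, registry: Dict[str, Set[str]]) -> Dict[str, int]:
    """Count classified lines per category over a whole log."""
    counts = {c: 0 for c in CATEGORIES}
    for line in log_text.splitlines():
        result = classify_line(line, registry)
        if result is not None:
            counts[result.category] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(classify_line(line, REGISTERED_RESEARCHERS))
    print(summarize(SAMPLE_LOG, REGISTERED_RESEARCHERS))
```

The important design point is that the header alone is not trusted: only the combination of a well-formed tag and an IP the researcher actually reported is classified as researcher traffic, which is why the policy asks for both.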
Submitting a Report
- Notify us immediately upon discovery of any real security issues.
- HackerOne will acknowledge that the submission was received within two (2) business days of the submission date. (Requires contact information. We cannot communicate with anonymous submissions).
- HackerOne will validate steps to reproduce, proof of concept, and severity. Further details may be requested to properly triage the submission. Below are details requested to assist with triaging the reported finding:
- URL
- Vulnerability description
- Potential impact of the issue reported
- Step-by-step reproduction instructions including technical details
- Any proof-of-concept code that is used
- Remediation or mitigation steps for the reported issue
- Any tools utilized to detect the issue
Rules of Engagement
Security researchers must carry out the following activities:
DO:
- Notify us immediately upon discovery of any real or potential security issues
- Discard and purge any stored Mondelēz International data upon reporting a vulnerability finding
Out-of-Scope Vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Self XSS
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Any activity that could lead to the disruption of our service (DoS)
- Missing best practices in SSL/TLS configuration
- Content spoofing and text injection issues WITHOUT showing an attack vector/without being able to modify HTML/CSS
- Publicly known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
Security researchers must not carry out the following activities:
DO NOT:
- Test any systems not specified in Appendix A: In-scope systems.
- Conduct any testing that may disrupt, impair, or disable Mondelēz International systems (e.g. DoS, DDoS).
- Engage in social engineering of Mondelēz International employees, contractors, and customers.
- Physically test any facilities or resources (e.g., office access, tailgating).
- Send any unsolicited or social engineering mail to any Mondelēz International users (e.g., phishing, vishing).
- Exploit any vulnerability beyond the minimal amount of testing required to identify an indicator related to the vulnerability.
- Compromise, copy or exfiltrate any data from any systems.
- Test any third-party websites, applications, or services that integrate with or link to/from Mondelēz International systems.
- Carry on with the testing if you find vulnerabilities involving sensitive data, including personally identifiable information or proprietary data. In this case, you must stop your test and notify us immediately and you must not disclose this data to anyone.
- Discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent (including via email) from Mondelēz International.
Processing Expectations
Upon submission of the finding, the Mondelēz International team will:
- Acknowledge that the submission was received within two (2) business days of the submission date.
- Collaborate to validate and resolve reported vulnerability findings.
Thank you for helping keep our company and our users safe!