
PepsiCo VDP
External Program
Submit bugs directly to this organization
Welcome to the PepsiCo Responsible Disclosure Program!
At PepsiCo, we take security seriously. If you believe that you have found an application security vulnerability that affects PepsiCo, please report it to us using the "Submit Report" button on this page.
We're excited to work with HackerOne and the hacker community to help keep PepsiCo secure.
Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with explicit permission of the account holder.
No testing of third-party services.
Do not upload vulnerability or client-related content to third-party utilities (e.g., GitHub, Dropbox).
The following issues will be closed as invalid except in rare circumstances demonstrating clear security impact:
Core Ineligible findings as defined by HackerOne
Disclosed Google Maps API Keys
Account/e-mail enumeration using brute-force attacks.
Any low-impact issues related to session management (e.g., concurrent sessions, session expiration, password reset/change log out, etc.)
Bypassing content restrictions in uploading a file without proving the file was received.
Client-side application/browser autocomplete or saved password/credentials.
Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections.
Lack of SSL or Mixed content.
Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability.
Reflected file download attacks (RFD).
Use of a known-vulnerable library which leads to a low-impact vulnerability (e.g., an outdated jQuery version leading to low-impact XSS).
IIS Tilde File and Directory Disclosure.
SSH Username Enumeration.
WordPress Username Enumeration.
When reporting potential vulnerabilities, please consider: (1) realistic attack scenarios and (2) the security impact of the behavior.
If you have reported an issue that is determined to be within program scope and a valid security issue, and you have followed the program rules, PepsiCo VDP will recognize your finding after a fix has been issued.
Thank you for helping keep PepsiCo and our users safe!
This program adheres to Gold Standard Safe Harbor.