Purpose
At REI, protecting the security and privacy of our members is just as important as helping them enjoy life outdoors. We believe that a strong security foundation is essential to earning and maintaining the trust of our community.
This bug bounty program is our way of partnering with the global security research community to help protect the systems and data that serve our members. We invite ethical hackers to responsibly disclose vulnerabilities in REI's digital assets, and we're committed to recognizing and rewarding those efforts.
Eligibility to Participate
- Must utilize the HackerOne platform for all submissions to receive any payout, thereby abiding by HackerOne’s terms of service and privacy policy.
- REI employees, contractors who are currently working with REI, or have worked with REI in the past 12 months, or immediate family members of either are not eligible for bug bounties.
Make your submission count
- Acceptance or rejection of all vulnerability report submissions is subject to REI's sole discretion.
- Detailed reports must be provided. Reports without a working proof of concept and steps to reproduce the finding will have the disposition status changed to "Needs more information."
- Proofs of concept are required to obtain the full bounty payment. If a proof of concept cannot be provided, the researcher must include a justification.
- When duplicates occur, only the first received report will be awarded provided it can be fully reproduced in a form acceptable to REI.
- Exposed or compromised credentials will be evaluated on a case-by-case basis and paid out according to risk and impact to REI.
- Vulnerabilities will be consolidated into a single report and bounty payout if internal review determines that separate fixes are not warranted. This includes multiple reports submitted by a researcher for the same vulnerability found on various endpoints of the same host application or its components impacting multiple hosts.
Disclosure Policy
- Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Third Party Managed Websites
Please note that there is a multitude of third-party managed sites under the REI name and brand. If a bug you have submitted affects a site managed by a third party, we will not award a bounty but instead we will close the report as informational.
Program Rules
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- **Proofs of concept are required to obtain the full bounty payment.** When hunting for bugs and when providing evidence, please only use your own accounts. Do not use or access other people's data or accounts at any time. If a proof of concept cannot be provided, the researcher must include a justification.
- The underlying issue must be unique, i.e. multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
- Your report must be in scope. Please look over the scope table at the end of this policy before submitting a report. We want to help reduce your risk of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.
- All authenticated testing must be performed using @wearehackerone aliases.
- Include the IP address(es) used during testing when submitting vulnerability reports.
- Acceptance or rejection of all vulnerability report submissions is subject to REI's sole discretion.
There are some things we explicitly ask you not to do:
- When experimenting, please only target accounts belonging to you. Do not use leaked or compromised accounts belonging to other users. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified.
- Do not test the physical security of REI offices or stores.
- Do not test using social engineering techniques (phishing, vishing, etc.).
- Do not perform DoS or DDoS attacks.
- Do not attack our end users in any way, or engage in the trade of stolen user credentials.
Scope
Researchers are strictly prohibited from any security testing on applications that are not in-scope. Security testing on out-of-scope assets, vulnerabilities, and/or any actions that are otherwise in violation of the requirements stated are not eligible for bounty reward. All security researchers participating in the program must adhere to the scope requirements.
Out of scope vulnerabilities
DO NOT DDoS or otherwise attack us in a way that would disrupt service for our customers.
- Vulnerabilities on out-of-scope assets
- 3rd party sites used by REI (check our scope for more details)
- Reports that contain leaked or harvested credentials
- Physical attacks against REI employees, offices, stores, or warehouses
- Exploits that require the attacker to have access to the user's device or external account (phone, laptop, email)
- Attacks requiring MITM or physical access to a user's device
- Social engineering attacks
- Tabnabbing
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Previously known vulnerable libraries without a working proof of concept
- Cache poisoning
- Open redirect - unless an additional security impact can be demonstrated
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Any activity that could lead to the disruption of our service (DoS)
- Issues without a clearly defined security impact
- Issues that require unlikely user interaction
Severity Scoring
We will consider numerous factors when determining the severity of a finding, including but not limited to the potential business impact of the finding, the volume of sensitive data at risk, and/or the potential financial impact that could result from the compromise of data or a system.
Safe Harbor
REI provides this Safe Harbor Statement to encourage and facilitate research using HackerOne's vulnerability disclosure program to help us identify bugs and vulnerabilities. We authorize access to our owned-and-operated systems, services, and applications for the purpose of conducting research consistent with HackerOne's current policies. However, please be aware that this policy exclusively covers vulnerabilities in our systems and services. We cannot extend these protections to third-party entities. While we support good-faith disclosure, any actions involving non-REI entities may lead to legal action at their discretion.
To the extent that our applicable online terms of service are inconsistent with this Safe Harbor Statement, then this Safe Harbor Statement shall control.
Participants must act responsibly and in compliance with the law, respecting all parties' privacy and security.
Thank you for helping keep REI and our users safe!