Purpose
At REI, protecting the security and privacy of our members is just as important as helping them enjoy life outdoors. We believe that a strong security foundation is essential to earning and maintaining the trust of our community.
This vulnerability disclosure program is our way of partnering with the global security research community to help protect the systems and data that serve our members. We invite ethical hackers to responsibly disclose vulnerabilities in REI's digital assets, and we're committed to recognizing and rewarding those efforts.
By submitting a vulnerability to us either directly or indirectly, you acknowledge that you have read and agree to abide by the guidelines within our policy. If you believe you've discovered a security bug or vulnerability, please report it to us as soon as possible.
Please be aware that we do not offer compensation for vulnerability disclosures, and there is no obligation on your part to identify and report potential vulnerabilities to REI.
Make your submission count
- Acceptance or rejection of all vulnerability report submissions is subject to REI's sole discretion.
- Detailed reports must be provided. Reports without a working proof of concept and steps to reproduce the finding will have the disposition status changed to "Needs more information."
- When duplicates occur, only the first received report will be awarded provided it can be fully reproduced in a form acceptable to REI.
- Vulnerabilities will be consolidated into a single report and bounty payout if internal review determines that separate fixes are not warranted. This includes multiple reports submitted by a researcher for the same vulnerability found on various endpoints of the same host application or its components impacting multiple hosts.
Disclosure Policy
- Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
Please provide detailed reports with reproducible steps.
- Your report must be in scope. Please look over the scope table at the end of this policy before submitting a report. We want to help reduce your risk of submitting an out-of-scope report that could hurt your Signal, as well as reduce noise in our inbox.
- All authenticated testing must be performed using @wearehackerone aliases.
- Include the IP address(es) used during testing when submitting vulnerability reports.
- Acceptance or rejection of all vulnerability report submissions is subject to REI's sole discretion.
There are some things we explicitly ask you not to do:
- When experimenting, please only target accounts belonging to you. Do not use leaked or compromised accounts belonging to other users. Vulnerabilities that were discovered using leaked or compromised accounts will be disqualified.
- Do not test the physical security of REI offices or stores.
- Do not test using social engineering techniques (phishing, vishing, etc.).
- Do not perform DoS or DDoS attacks.
- Do not in any way attack our end users, or engage in trade of stolen user credentials.
Out of scope vulnerabilities
DO NOT DDoS or otherwise attack us in a way that would disrupt service for our customers.
- Vulnerabilities on out-of-scope assets
- 3rd party sites used by REI
- Reports that contain leaked or harvested credentials
- Physical attacks against REI employees, offices, stores, or warehouses
- Exploits that require the attacker to have access to the user's device or external account (phone, laptop, email)
- Attacks requiring MITM or physical access to a user's device
- Social engineering attacks
- Tabnabbing
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Previously known libraries without a working Proof of Concept
- Cache poisoning
- Open redirect - unless an additional security impact can be demonstrated
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Rate limiting or brute force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy
- Missing email best practices (Invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case-by-case basis
- Any activity that could lead to the disruption of our service (DoS)
- Issues without a clearly defined security impact
- Issues that require unlikely user interaction
Severity Scoring
We will consider numerous factors when determining the severity of a finding, including but not limited to the potential business impact of the finding, the volume of sensitive data at risk, and/or the potential financial impact that could result from the compromise of data or a system.
In Scope
While we expect to expand our scope in the future, we are currently focused on our primary and critical public-facing sites and applications. However, if you enumerate other REI assets and identify vulnerabilities against those, please responsibly disclose those to us as well. If you identify a vulnerability within a third party that REI uses and it is not explicitly in scope, please report it to the third party's responsible disclosure program, vulnerability disclosure program, or security team. If you report it to us, we will be happy to assist you in reporting it to the third party; however, these reports usually will not be eligible for a bounty from REI (unless special conditions are met, such as the root cause being a misconfiguration by REI and not under the control of the third party).
Safe Harbor
REI provides this Safe Harbor Statement to encourage and facilitate research using HackerOne's vulnerability disclosure program to help us identify bugs and vulnerabilities. We authorize access to our owned-and-operated systems, services, and applications for the purpose of conducting research consistent with HackerOne's current policies. However, please be aware that this policy exclusively covers vulnerabilities in our systems and services. We cannot extend these protections to third-party entities. While we support good-faith disclosure, any actions involving non-REI entities may lead to legal action at their discretion.
To the extent that our applicable online terms of service are inconsistent with this Safe Harbor Statement, then this Safe Harbor Statement shall control.
Participants must act responsibly and in compliance with the law, respecting all parties' privacy and security.
Thank you for helping keep REI and our users safe!