Watsons
Bounty range: $10 - $8,500
External program | Public | Open | Retail
AS Watson is a diverse family of over 130,000 people, 17,000 stores shared by 12 retail brands in 31 markets. Established in 1841, AS Watson Group is one of the world's longest-standing and most recognised retail companies with roots in Asia. For 185 years, we’ve been united by an unchanging purpose - To put a Smile on our customers’ faces today and tomorrow. It is always our pride and joy to bring a Smile to everyone we come in touch with.
AS Watson Group looks forward to working with the security community to discover vulnerabilities in order to keep our businesses and customers safe.
Please note that some of our websites run on a similar codebase (Hybris/SAP CMS). This means that issues that are found on one asset, might also apply to another asset (also across programs). These findings will be regarded and treated as a single issue.
Our websites are always under development and have new releases on a regular basis. These releases sometimes introduce new functionality (and potentially new vulnerabilities). We encourage you to keep testing our assets to uncover these.
This bug bounty program focuses specifically on the Watsons brands from AS Watson. This brand has online and offline stores in many different countries in Asia and Europe. In addition, the PNS Hong Kong, Fortress Hong Kong, LookAtMe Philippines, Drogas and the Moneyback Hong Kong Loyalty program are included in the scope for this bug bounty program.
Bounties
| Severity | Score range | $100 - $8,500 | $100 - $5,500 | $50 - $2,000 | $10 - $500 |
| --- | --- | --- | --- | --- | --- |
| Low | 0.1 - 3.9 | $100 - $350 | $100 - $300 | $50 - $100 | $10 - $25 |
| Medium | 4.0 - 6.9 | $350 - $1,250 | $300 - $1,000 | $100 - $500 | $25 - $50 |
| High | 7.0 - 8.9 | $1,250 - $4,000 | $1,000 - $3,000 | $500 - $1,000 | $50 - $100 |
| Critical | 9.0 - 9.4 | $4,000 - $7,500 | $3,000 - $5,000 | $1,000 - $1,500 | $100 - $250 |
| Exceptional | 9.5 - 10.0 | $7,500 - $8,500 | $5,000 - $5,500 | $1,500 - $2,000 | $250 - $500 |
Reward policy
The wildcards in Tier 5 host a large variety of assets which have a varying impact on our security posture. By default, we try our best to grade known assets into their appropriate bounty tier. Our wildcard bounty tier (Tier 5) is meant for assets that are regarded less impactful. Depending on the program's view on the risk involved with the given asset, your Tier 5 report may be eligible for additional bonuses.
User agent: Not applicable
Automated tooling: max. 5 requests/sec
Request header: Not applicable
[Researcher rules of engagement](https://go.intigriti.com/researcher-rules-of-engagement)
Respect the [Community Code of Conduct](https://go.intigriti.com/coc)
Respect the Intigriti [Terms and Conditions](https://go.intigriti.com/tac)
Respect the scope of the program
Not discuss or disclose vulnerability information without prior written consent (including PoCs on YouTube and Vimeo)
Validation times
We will strive to validate all submissions within the below timelines, once your submission has been verified by Intigriti.
| Vulnerability severity | Time to validate |
| --- | --- |
| Exceptional | 3 working days |
| Critical | 3 working days |
| High | 7 working days |
| Medium | 15 working days |
| Low | 15 working days |
Safe harbour for researchers is applied.
Assets
Watsons Hong Kong (7 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Hong Kong Android](https://play.google.com/store/apps/details?id=com.ndn.android.watsons) | Android | Tier 1 |
| [Watsons Hong Kong iOS](https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E9%A6%99%E6%B8%AF/id479512803) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.watsons.com.hk | Wildcard | Tier 5 |
Watsons Thailand (9 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Thailand iOS](https://apps.apple.com/hk/app/watsons-th/id619935224) | iOS | Tier 1 |
| [Watsons Thailand Android](https://play.google.com/store/apps/details?id=com.mtelnet.watson.thailand) | Android | Tier 1 |
| (not shown) | URL | Tier 1 |
| http://community.watsons.co.th | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| *.watsons.co.th | Wildcard | Tier 5 |
Watsons Taiwan (8 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Taiwan Android](https://play.google.com/store/apps/details?id=tw.com.watsons.app) | Android | Tier 1 |
| [Watsons Taiwan iOS](https://apps.apple.com/hk/app/%E5%B1%88%E8%87%A3%E6%B0%8F%E5%8F%B0%E7%81%A3/id477968775) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| *.watsons.com.tw | Wildcard | Tier 5 |
Watsons Singapore (7 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Singapore iOS](https://apps.apple.com/hk/app/watsons-sg-the-official-app/id449412168) | iOS | Tier 1 |
| [Watsons Singapore Android](https://play.google.com/store/apps/details?id=com.watsons.sg.android) | Android | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.watsons.com.sg | Wildcard | Tier 5 |
Watsons Philippines (8 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| [Watsons Philippines iOS](https://apps.apple.com/hk/app/watsons-philippines/id1438203234) | iOS | Tier 1 |
| [Watsons Philippines Android](https://play.google.com/store/apps/details?id=com.mtelnet.watson.ph) | Android | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| http://community.watsons.com.ph | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| *.watsons.com.ph | Wildcard | Tier 5 |
LookAtMe Philippines (6 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| [LookAtMe Philippines Android](https://play.google.com/store/apps/details?id=com.app.lookphilippines) | Android | Tier 1 |
| [LookAtMe Philippines iOS](https://apps.apple.com/ph/app/look-philippines/id1552856139) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.lookatme.com.ph | Wildcard | Tier 5 |
Watsons Malaysia (8 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Malaysia Android](https://play.google.com/store/apps/details?id=com.watsons.mcommerce) | Android | Tier 1 |
| [Watsons Malaysia iOS](https://apps.apple.com/hk/app/watsons-my/id1112796292) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| http://community.watsons.com.my | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| *.watsons.com.my | Wildcard | Tier 5 |
Watsons Indonesia (7 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Indonesia Android](https://play.google.com/store/apps/details?id=com.watsons.id.android) | Android | Tier 1 |
| [Watsons Indonesia iOS](https://apps.apple.com/hk/app/watsons-id/id1184851346) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.watsons.co.id | Wildcard | Tier 5 |
Watsons Vietnam (7 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Watsons Vietnam iOS](https://apps.apple.com/in/app/watsons-vietnam/id1446869800) | iOS | Tier 1 |
| [Watsons Vietnam Android](https://play.google.com/store/apps/details?id=com.watsons.vn.android) | Android | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.watsons.vn | Wildcard | Tier 5 |
PNS (8 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [PNS iOS](https://apps.apple.com/hk/app/parknshop/id840837558) | iOS | Tier 1 |
| [PNS Android](https://play.google.com/store/apps/details?id=com.parknshop.parknshopapp) | Android | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.pns.hk | Wildcard | Tier 5 |
| *.parknshop.com | Wildcard | Tier 5 |
Fortress Hong Kong (7 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Fortress Hong Kong Android](https://play.google.com/store/apps/details?id=fortress.fortressapp) | Android | Tier 1 |
| [Fortress Hong Kong iOS](https://apps.apple.com/hk/app/fortress/id1133110850) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| *.fortress.com.hk | Wildcard | Tier 5 |
Watsons Turkey (19 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| [Watsons Turkey Android](https://play.google.com/store/apps/details?id=com.mobular.watsons) | Android | Tier 1 |
| [Watsons Turkey iOS](https://apps.apple.com/tr/app/watsons-kozmetik-ve-al%C4%B1%C5%9Fveri%C5%9F/id1507132907) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| http://campaign.watsons.com.tr | URL | Tier 4 |
| http://adayevrak.watsons.com.tr | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| http://www.watsonsbeautystudio.com | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| *.watsons.com.tr | Wildcard | Tier 5 |
Drogas (16 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| [Drogas Latvia Android](https://play.google.com/store/apps/details?id=lv.drogas.consumer) | Android | Tier 1 |
| [Drogas Latvia iOS](https://apps.apple.com/lv/app/drogas/id1564705644) | iOS | Tier 1 |
| [Drogas Lithuania Android](https://play.google.com/store/apps/details?id=lt.drogas.consumer) | Android | Tier 1 |
| [Drogas Lithuania iOS](https://apps.apple.com/lt/app/drogas/id1571651832) | iOS | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 1 |
| (not shown) | URL | Tier 4 |
| (not shown) | URL | Tier 4 |
| *.drogas.lt | Wildcard | Tier 5 |
| *.drogas.lv | Wildcard | Tier 5 |
Moneyback (5 assets)
| Asset | Type | Tier |
| --- | --- | --- |
| (not shown) | URL | Tier 2 |
| [Moneyback Android](https://play.google.com/store/apps/details?id=com.asw.moneyback) | Android | Tier 2 |
| [Moneyback iOS](https://apps.apple.com/hk/app/moneyback/id1230818544) | iOS | Tier 2 |
| (not shown) | URL | Tier 2 |
| *.moneyback.com.hk | Wildcard | Tier 5 |
In scope
Introduction
We are happy to announce our program! We've done our best to clean up our known issues and now would like to request your help to spot the ones we missed!
Focus Areas
E-commerce payment & order flows
Authorization flaws in API & Microservices in the e-commerce environment
Any e-commerce functionality which processes customer data
Critical Scenarios
Mass customer data exposure: emails, addresses, phone numbers, order history, etc.
Zero-click mass customer account takeover
Remote Code Execution
Unauthorized access to important infrastructure, databases, or backend systems
Checkout/order process abuse (e.g. free or discounted products)
Leaked Credentials
We welcome security researchers to responsibly report any discovered publicly leaked credentials that could allow unauthorized access or exposure of sensitive information.
Below is a list of generic guidelines on which credentials we will or won't accept in reports:
Cases with impact:
Credentials providing administrative or high-privileged access to network infrastructure, servers, or critical applications
Credentials providing admin access to high-priority web applications within AS Watson’s attack surface.
Credentials exposing sensitive data of a large number of employees or customers
Credentials belonging to service accounts with broad access
Cases without significant impact:
Personal user credentials for non-critical applications (e.g. training platforms, corporate social media)
Credentials external to AS Watson’s domains/infrastructure (ex. personal Gmail account for AS Watson applications)
Credentials that cannot be accessed due to multi-factor authentication (MFA)
Individual customer credentials (we can only advise customers to be careful with their passwords)
⚠️ Please note that we will evaluate the impact of credential-related reports and reserve the right to make final determinations on bounty eligibility and awards. Private or paid-for leaked credentials are strictly out of scope.
Feedback: if you would like to help us improve our program or have some feedback to share, please send your anonymous feedback here:
[Program feedback link](https://go.intigriti.com/program-feedback). Please note this form will be checked periodically and should not be used for submission or support queries.
Out of scope
WordPress username disclosure
Pre-Auth Account takeover/OAuth squatting
Self-XSS that can't be used to exploit other users
Verbose messages/files/directory listings without disclosing any sensitive information
CORS misconfiguration on non-sensitive endpoints
Missing cookie flags
Missing security headers
Cross-site Request Forgery with no or low impact
Presence of autocomplete attribute on web forms
Reverse tabnabbing
Bypassing rate-limits or the non-existence of rate-limits.
Best practices violations (password complexity, expiration, re-use, etc.)
Clickjacking without proven impact/unrealistic user interaction
CSV Injection
Sessions not being invalidated (logout, enabling 2FA, etc.)
Tokens leaked to third parties
Anything related to email spoofing, SPF, DMARC or DKIM
Content injection without being able to modify the HTML
Username/email enumeration
Email bombing
HTTP Request smuggling without any proven impact
Homograph attacks
XMLRPC enabled
Banner grabbing/Version disclosure
Not stripping metadata of files
Same-site scripting
Subdomain takeover without taking over the subdomain
Arbitrary file upload without proof of the existence of the uploaded file
Blind SSRF without proven business impact (pingbacks aren't sufficient)
Disclosed/misconfigured Google Maps API keys
Host header injection without proven business impact
CSRF for non-sensitive actions (example: adding or removing a product to a shopping cart or wishlist)
Rate limits on OTP requests. Avoid sending a high number of OTP requests.
Brute force on login, e-gift cards, promo codes, vouchers, user account registration
Forgot password token requests being leaked to third parties
In case that a reported vulnerability was already known to the company from their own tests, it will be flagged as a duplicate
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited
Spam, social engineering and physical intrusion
DoS/DDoS attacks or brute force attacks
Vulnerabilities that only work on software that no longer receives security updates
Attacks requiring physical access to a victim's computer/device, man in the middle or compromised user accounts
Recently discovered zero-day vulnerabilities found in in-scope assets within 14 days after the public release of a patch or mitigation may be reported, but are usually not eligible for a bounty
Reports that state that software is out of date/vulnerable without a proof-of-concept
Shared links leaked through the system clipboard
No session timeout
Any URIs leaked because a malicious app has permission to view URIs opened
The absence of certificate pinning
Sensitive data in URLs/request bodies when protected by TLS
Lack of obfuscation
Path disclosure in the binary
Lack of jailbreak & root detection
Crashes due to malformed URL Schemes
Lack of binary protection (anti-debugging) controls, mobile SSL pinning
Snapshot/Pasteboard leakage
Runtime hacking exploits (exploits only possible in a jailbroken environment)
API key leakage used for non-sensitive activities/actions
Vulnerabilities that require physical access to the victim device have limited impact
Severity assessment
This program follows Intigriti's [triage standards](https://go.intigriti.com/triage-standards) based on the proof of concept.
AS Watson takes information security risks seriously and is committed to handling reported vulnerabilities in a fair, transparent, and consistent manner.
The severity of a reported vulnerability is determined through an internal assessment process that considers both technical impact and business context. While industry-standard scoring systems (such as CVSS) may be used as an input, the final severity rating may differ based on our evaluation of the specific circumstances in which the vulnerability exists.
FAQ
You can self-register on most of the e-commerce applications but please don’t forget to use your @intigriti.me address.
If the application has a "Continue with Facebook" option, this can also be used. For example, Watsons Malaysia.
Some e-commerce applications require having a local phone number, for example Watsons Turkey.
Overall stats
Submissions received: 170
Accepted submissions: 20
Average payout: $1,466
Total payouts: $29,309
Last 90 day response times
Avg. time to first response: < 3 days
Avg. time to triage: < 4 days
Avg. time to decide: < 2 weeks