La Redoute Vulnerability Disclosure Program

Overview

This is a responsible disclosure program. Please read every part of this program carefully before testing.

We consider the safety and security of our customers to be our top priority. Despite our efforts to implement the best possible security measures, vulnerabilities may still be present in our applications, services and systems.

This document describes La Redoute’s policy for receiving reports related to potential security vulnerabilities in its applications and services.

We want you to help us improve the security of our applications in order to protect the privacy of our users.

As this is a production environment, you must be very careful and never bring the application or any related services or servers down. Do not do anything that could harm our customers or their data.

All reports are reviewed on a case-by-case basis. This program does not pay monetary rewards; however, an exploitable report that substantially affects the confidentiality, integrity or availability of any eligible service may earn you public recognition for your finding, provided that:

  • you are the first person to file a Report for a particular vulnerability,
  • the vulnerability is confirmed to be a valid security issue,
  • you have complied with these guidelines.

La Redoute may use your report for any purpose it deems relevant, including correcting the reported vulnerabilities and errors that we deem to exist and require correction. To the extent that you propose modifications and/or improvements to a La Redoute application or service in your report, you assign to La Redoute all rights of use and ownership of such proposals.

Eligible vulnerabilities include, but are not limited to:

  • Cross Site Scripting (XSS)
  • Authentication and Authorization Flaws
  • Cross Site Request Forgery (CSRF)
  • Remote Code Execution
  • SQL Injection
  • Directory Traversal
  • Privilege Escalation

When you report, please keep these good practices in mind:

  • The more detailed your steps for reproducing the bug, the better. This should include any pages you visited, user IDs, links clicked, requests sent, etc.
  • Images are always useful.
  • Proof-of-concept exploit code that works consistently allows us to verify your vulnerability more quickly.
  • Remember: details, details, details! They save time for both you and us by making triage of the vulnerability quicker.

How do I submit a bug report?

You can submit a bug report through this link: https://app.yogosha.com/cvd/la-redoute/1w0n6joTNAru5gbKCMH4zO

A bug report must give a detailed description of the discovered vulnerability and either concise steps to reproduce it or a working proof of concept. Video and screenshots can illustrate a bug report, but cannot replace it. The more detailed the report, the better the La Redoute IT team will be able to identify and resolve the issue found.

Out of scope

The following actions do not qualify for Coordinated Disclosure and should not be tested when participating in the Program:

  • DoS or DDoS attacks
  • Physical Attacks against our properties or data centers
  • Phishing and Social Engineering Attacks
  • Missing HTTP security headers that do not lead to a vulnerability (you must deliver a proof of concept that leverages their absence)
  • Vulnerabilities in third-party applications or services that use or integrate with our services and applications
  • Reports from automated tools or scans without an exploitation proof of concept
  • Missing cookie flags on non-sensitive cookies
  • Reports of SSL/TLS best practices or insecure ciphers (unless you have a working proof of concept, and not just a report from a scanner)

We will not accept reports from automated vulnerability scanners. Aggressive scans are therefore not tolerated, as they may disturb our services.