Vulnerability Disclosure Policy
Purpose
The security of our customers’ data and the reliability of our products and services are of the utmost importance to Decathlon. Therefore, Decathlon aims to design its products and services with the highest levels of security and reliability. Despite our constant best efforts, due to their highly complex and sophisticated nature, vulnerabilities and errors may still appear.
Scope
This policy describes Decathlon’s philosophy of requesting and receiving reports related to potential vulnerabilities and errors in its connected sport products, their related services, and its European ecommerce websites.
For Decathlon, "connected sport products" refer to all our network-connectable products, including:
- Bikes, e.g. with Bluetooth to send information to a smartphone, or LTE-M (4G) bikes to send data to the Decathlon cloud;
- Fitness equipment, e.g. with Wi-Fi or Bluetooth to send information to a smartphone or to the Decathlon cloud;
- Wearables, e.g. watches or earphones, with Bluetooth to send information to a smartphone;
- Electronic products, e.g. dartboards, with Bluetooth to send information to a smartphone.
The related services include the mobile and cloud applications used by the connected sport products.
The European ecommerce websites in scope are:
- www.decathlon.fr
- www.decathlon.co.uk
- www.decathlon.es
- www.decathlon.pt
- www.decathlon.it
- www.decathlon.be
- www.decathlon.de
- www.decathlon.ch
- www.decathlon.pl
- www.decathlon.nl
- www.decathlon.ro
- www.decathlon.com.tr
- www.decathlon.hu
- www.decathlon.se
- www.decathlon.cz
- www.decathlon.sk
- www.decathlon.at
- www.decathlon.bg
- www.decathlon.uk
- www.decathlon.com.gr
- www.decathlon.ie
- www.decathlon.lt
- www.decathlon.lv
- www.decathlon.hr
- www.decathlon.si
- www.decathlon.rs
Who?
Customers, users, researchers, partners and any other person who interacts with Decathlon’s connected sports products are encouraged to report identified vulnerabilities and errors in such products and services.
How to report a vulnerability?
The preferred method for contacting Decathlon regarding such vulnerabilities and errors is by using the form present on this page. The supported languages are English and French.
Decathlon highly appreciates the efforts made by the reporting party in identifying the vulnerability or error. These reports contribute to improving the security and reliability of our products and services.
Anonymity
Please note that supplying your contact information with your report is entirely voluntary and at your discretion. If you do submit your contact information, YesWeHack, our approved partner, will collect your name and email address, and Decathlon will only use this information to request clarifications of your report, if necessary, and to notify you of your report’s status updates. For details, please see YesWeHack’s general privacy policy to learn how the privacy of your personal data is respected: https://www.yeswehack.com/page/privacy-policy
Decathlon will make use of all reports that are submitted, both those submitted anonymously and those with contact information.
Response time
After you have submitted your report, we will do our best to respond to your report within 5 working days and aim to triage your report within 14 working days. We will also aim to keep you informed of our progress if your contact information was provided.
Priority for remediation is assessed by looking at the impact, severity and exploit complexity.
If the vulnerability or error originates in third-party proprietary code used by the product, the time required to assess it and develop mitigations may need to be extended.
Once the vulnerability has been resolved, we welcome requests to disclose your report. We would like to provide unified guidance to affected users, so please continue to coordinate public release with us.
Decathlon’s commitment
- We will handle your report with strict confidentiality.
- Where possible, we will inform you of the resolution of the vulnerability you have reported to us.
- Decathlon will not take any legal action against persons who act in good faith, in accordance with the instructions and guidelines outlined in this Vulnerability Disclosure Policy and the applicable laws.
Your undertakings
- Contact us as soon as possible after discovering a vulnerability in our systems or networks (web, apps, etc.).
- Comply with all applicable laws and regulations.
- Try to provide us with enough information so that we can identify, reproduce and solve the vulnerability. We may ask you for further details or information.
- Be careful to maintain the confidentiality of any information you may have had access to when discovering the vulnerability(ies) and during our exchanges.
By disclosing an error or vulnerability to Decathlon, you confirm that you are acting responsibly by not taking advantage of the error or vulnerability, including that:
- You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to Decathlon), the discovered vulnerabilities and/or errors;
- You have not engaged, and will not engage, in testing/research of systems with the intention of harming Decathlon, its customers, employees, partners or suppliers;
- You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability and/or error discovered;
- You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;
- You have not tested, and will not test, the physical security of any property, building, plant or factory of Decathlon;
- You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the Decathlon product or service that led to your report;
- We kindly ask you not to disclose to any third party any information related to your report, the vulnerabilities and/or errors reported, nor the fact that vulnerabilities and/or errors have been reported to Decathlon without first allowing a reasonable period of not less than 90 days to remediate the vulnerabilities/errors.
- You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, and without any expectation or requirement that the vulnerabilities and/or errors reported are corrected by Decathlon.
- You must delete all data and sensitive information obtained during your analysis once the report is submitted.
Accepted vulnerabilities
Accepted, in-scope vulnerabilities include, but are not limited to:
- Injection vulnerabilities
- Broken Authentication and Session Management
- Remote Code Execution
- Insecure Direct Object Reference
- Insecure IPC mechanisms
- Sensitive Data Exposure
- Security Misconfiguration
- Missing Function Level Access Control
- Using Components with Known & Exploitable Vulnerabilities
- Directory/Path traversal
- Exposed credentials
- Exposed access key for cloud account
- Publicly accessible code repository
- Confidential information publicly accessible
- Open redirect
- Attacks requiring MITM or physical access to a user's device
- Side-channel attacks
Out-of-scope vulnerabilities
Out-of-scope vulnerabilities include, but are not limited to:
- Social Engineering attacks
- Account enumeration using brute-force attacks
- Weak password policies and password complexity requirements
- Missing HTTP security headers which do not lead to a vulnerability
- Reports from automated tools or scans
- Missing cookie flags on non-sensitive cookies
- Reports of SSL/TLS issues, best practices or insecure ciphers
- Vulnerabilities without security impact (e.g. self-exploitation attacks)
- Test versions of applications
- Mail configuration issues including SPF, DKIM, DMARC settings
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Previously known vulnerable libraries without a working Proof of Concept
- Any activity that could lead to the disruption of our service (DoS)
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing HttpOnly or Secure flags on cookies
- Vulnerabilities only affecting users of outdated or unpatched products and services
- Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
- Issues that require unlikely user interaction
- Credentials obtained by malware, data leaks or shared on the dark web
- Solutions affected by known CVEs published less than 30 days ago
Thank you
Decathlon appreciates the efforts of the reporter in identifying the vulnerability or error. We appreciate your efforts to improve the security of our products, services and information systems, and of the Internet community as a whole.