#
# -------------------------------------------------------------------------------------------------
# Responsible Disclosure Policy
# Version 1.0 (October 2023)
# Contact: it-security@canda.com
# -------------------------------------------------------------------------------------------------
#
# Providing the utmost security to our customers is a top priority at C&A. But no matter how much effort we put into system security, vulnerabilities may still be present. If vulnerabilities are identified, we take their remediation seriously. In this context, we are grateful for any help from the global security research community in identifying risks. We therefore welcome the reporting of identified vulnerabilities, as this is the only way to enable us to eliminate them.
#
# So, if you find vulnerabilities in our websites, we encourage you to report them to us in accordance with the Reporting Procedure described below.
# Reports can be submitted anonymously or with contact information. Providing contact information is completely voluntary, but if you do, we may use it to contact you with any queries about the report.
# A report does not give rise to any claim to remuneration or other entitlement to a reward, whether financial or otherwise. Any reward is solely and exclusively at the discretion of C&A.
# By submitting a report, you agree that C&A may use it to address any reported vulnerabilities and errors that C&A believes exist and require correction. You also agree to the terms and conditions set out below. In particular, you confirm:
# * If C&A identifies any other uses beyond this, C&A is free to use the report for such purpose as it deems appropriate.
# * Identified vulnerabilities and bugs, and any data learned in connection with them, will not be used, exploited, deleted, altered, destroyed or otherwise misused, including but not limited to harming C&A, C&A customers, C&A employees, partners, affiliates, suppliers or other business partners of C&A.
# * No social engineering, spamming, phishing, denial of service or resource exhaustion attacks will be conducted.
# * All information and data obtained in connection with the identification of the vulnerability, as well as the fact that a vulnerability exists, are kept confidential and are not to be disclosed to third parties under any circumstances.
#
# Bug bounty:
#
# We have a reward program for reporting security issues that we are not yet aware of. The amount paid out is determined at our sole discretion. It is also at our discretion to decide whether we pay out anything at all for a reported security issue. We may therefore terminate or pause the Bug Bounty Program at any time.
# In the event that we decide to pay out a reward, you will be solely responsible for paying any taxes and duties that may be incurred in your country of residence and citizenship.
#
# The amount of the payout is determined by the impact and severity of the security issues found as follows, with the following amounts being indicative only:
#
# | HIGH         | MEDIUM       | LOW      |
# |--------------|--------------|----------|
# | up to 1000€  | up to 600€   | 0€       |
#
# We reserve the right to issue gift cards in lieu of cash.
# We pay only ethical hackers and private researchers who are able to invoice us.
#
# Reporting Procedure for Identified Security Issues:
#
# Should you come across a potential security vulnerability within our systems, we request that you report your findings to it-security@canda.com (please use English to report vulnerabilities).
# We prefer not to receive any Personally Identifiable Information (PII) or bank account numbers, although providing your name and email is acceptable.
# Once submitted, await our acknowledgment confirming receipt of your report. We aim to respond within 3-5 days.
# We request that you refrain from publicly disclosing the issue until we have had an opportunity to address it.
# We may reach out for further information or clarification as we work to validate and assess the reported issue.
# We value the responsible disclosure of security issues and look forward to collaborating with you to maintain the integrity and security of our systems.
#
# In Scope Targets:
# *.c-and-a.com
# C&A mobile app ( Android | iOS )
#
# Out of Scope Targets:
# Third-party Websites - Websites and services that are linked from our site but not controlled by C&A.
# Third-party Services - Integrated services not developed or directly controlled by C&A.
# Third-party APIs - APIs belonging to third parties, even if they are utilized within our website.
# Third-party Code - Libraries, plugins, or other code not authored by C&A.
# Third-party Servers - Servers not under our control, even if they are part of an integrated system.
# Embedded Widgets - Third-party widgets embedded within our site.
# Payment Processors - Any third-party payment processing services and their respective systems and data.
# Advertising Networks - Third-party advertising services and networks.
#
# Out of scope vulnerabilities (WEB):
# Self-XSS - Vulnerabilities where the user can only exploit themselves.
# Descriptive Error Handling - Verbose errors that don't expose sensitive data.
# Denial of Service (DoS) - Attacks that can take down a service are out of scope.
# Software Version Disclosure - Revealing the versions of software without demonstrating a vulnerability.
# Clickjacking - Attacks that trick users into clicking something different than they perceive.
# Missing Security Headers - Missing HTTP security headers that don't lead to a direct vulnerability.
# SSL/TLS Best Practices - Weak cipher suites, lack of perfect forward secrecy, etc., without a direct impact.
# Content Spoofing - Without a demonstrable security impact.
# Host Header Injection - Unless it can be shown to create a working exploit.
# Vulnerabilities without security impact - Issues that don't pose a risk.
# Vulnerabilities regarding SPF/DMARC/DKIM records - Without demonstrated exploitation.
# CSRF Vulnerabilities - Out of scope of this program; may be considered at a later stage.
# Best practice concerns - Such as non-session cookies not marked Secure and HttpOnly, SSL/TLS configuration, etc.
# Vulnerabilities reported by automated tools and scanners - Without additional proof of concept.
# End of Life Browsers/Old Browser versions - Issues only replicable in outdated browsers.
# Distributed Denial of Service (DDoS) attacks, Brute force on forms.
# Outdated/vulnerable libraries - Without a working Proof of Concept.
# OPTIONS / TRACE HTTP methods enabled - Without a demonstrated risk.
# Functional, UI, and UX bugs and spelling mistakes - Typically not security issues.
# Missing best practices in Content Security Policy - Without a direct impact.
# Any kind of vulnerability that requires installation of software on the victim's machine.
# Social Engineering Attacks - Manipulative tactics to trick individuals into divulging confidential information.
# Public Third-party API key disclosures - E.g. Google Maps API keys and keys in Android XML files.
#
# Out of scope vulnerabilities (Android/iOS):
# Exploits requiring physical access - To the victim's device.
# Exploits reproducible only on rooted/jailbroken devices - Issues only present on modified devices.
# Bypassing root/jailbreak detection - Circumventing mechanisms that detect device modification.
# Snapshot/Pasteboard/Clipboard data leakage - Inadvertent data exposure through these channels.
# Lack of obfuscation - Absence of code obfuscation which doesn't directly lead to a vulnerability.
# Irrelevant activities/intents exported - Exported components that don't expose a risk.
# Lack of binary protection control - Absence of protections like anti-debugging or anti-reversing.
# Descriptive Error Handling - Verbose errors that do not expose sensitive data.
# Content Spoofing - Without a demonstrable security impact.
# Software Version Disclosure - Revealing the versions of software without demonstrating a vulnerability.
# Missing Security Headers - In the app's network communications, where they don't lead to a direct vulnerability.
# SSL/TLS Best Practices - Weak cipher suites, lack of perfect forward secrecy, etc., without a direct impact.
# Functional, UI, and UX bugs and spelling mistakes - Typically not security issues.
# Vulnerabilities reported by automated tools and scanners - Without additional proof of concept.
#
# --------------------------------------------END--------------------------------------------------