At Criteo, the security of our products and services is of the utmost importance. Our goal is to provide our customers and users with the best possible experience, and to ensure that the information and data entrusted to us is protected. To that end, we welcome responsible and ethical disclosure of potential security vulnerabilities from security researchers and the general public. This policy outlines our expectations for the responsible disclosure of security vulnerabilities, and the process by which they will be handled.
If you comply with this policy during your research, Criteo will consider that your actions are authorized and we will not take legal actions against you.
When you disclose an issue to us in accordance to this policy, you can expect us to:
- Respond to your report within 3 business days, and work with you to understand and address it
- Take actions to fix the reported vulnerabilities as soon as possible, unless the vulnerability is about an accepted risk on our side
- Keep you informed about our progress in fixing the issue
- Keep information about you and the vulnerability you disclose confidential, unless otherwise agreed with you
- Reward you according to what is described in the rewards section
For your research to be considered an authorized activity under this policy, you must:
- Act in good faith and avoid misusing the systems and applications in ways that damage Criteo or our customers
- Notify us as soon as you discover a real or potential security issue
- Only disclosure the issue publicly after we deploy a fix and based on mutual agreement. The agreement will include the timing of the disclosure and the degree of details to include
and you must not:
- Access, modify, or remove data that belongs to accounts that you did not create yourself
- Use high-intensity invasive or destructive tools
- Submit high volume of low quality reports (such as just pasting the results of scanners)
- Use any of the following test methods:
- Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
- Physical testing (e.g. office access, open doors, tailgating)
- Social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
- Disclose your findings to any third party without prior written authorization of Criteo
- Use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems. Exploits should only be used to the extent necessary to confirm a vulnerability’s presence. In case of doubt, please report the issue to us for confirmation
Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
This policy applies to any digital assets owned, operated, or maintained by Criteo. This excludes third-party services that can be access through one of our subdomains or that are integrated with one of our products.
A detailed and up-to-date scope can be found on our HackerOne policy.
Criteo may provide recognition and rewards to anyone who responsibly and ethically discloses security issues to us while adhering to this policy. The amount of the reward, if any, will be determined at our discretion based on various parameters, such as the severity of the vulnerability, its impact, as well as the quality of the report.
In general, the reward amount will vary from $100 for low impact vulnerabilities to $5000 for the most critical ones.
Please note that all rewards are handled through our private program on HackerOne, so an account there is needed to receive the reward.
Reporting a Vulnerability
Our bug bounty rewards are only paid through HackerOne. To report a potential security vulnerability, please create a report on this platform containing a detailed description and including steps on how to reproduce your findings.
If you are currently not part of our private bug bounty program, you can write us an email containing your HackerOne handle to email@example.com and we will send you an invitation if you meet our eligibility criteria.
To report a potential security vulnerability, you can also send us an email to firstname.lastname@example.org containing a detailed description, including steps on how to reproduce your findings.
If you are a customer, please note that in addition to our bug bounty program, we also conduct regular penetration tests, the results of which you can request from your Criteo point of contact.
If you have any questions about this policy or about information security at Criteo, please contact us at email@example.com.
Thank you for your efforts in keeping Criteo secure. We appreciate your help in making our products and services safer.