At Criteo, the security of our products and services is of the utmost importance. Our goal is to provide our customers and users with the best possible experience, and to ensure that the information and data entrusted to us is protected. To that end, we welcome responsible and ethical disclosure of potential security vulnerabilities from security researchers and the general public. This policy outlines our expectations for the responsible disclosure of security vulnerabilities, and the process by which they will be handled.
If you comply with this policy during your research, Criteo will consider that your actions are authorized and we will not take legal actions against you.
When you disclose an issue to us in accordance with this policy, you can expect us to:
For your research to be considered an authorized activity under this policy, you must:
and you must not:
Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
This policy applies to any digital assets owned, operated, or maintained by Criteo. This excludes third-party services that can be accessed through one of our subdomains or that are integrated with one of our products.
A detailed and up-to-date scope can be found on our HackerOne policy.
Criteo may provide recognition and rewards to anyone who responsibly and ethically discloses security issues to us while adhering to this policy. The amount of the reward, if any, will be determined at our discretion based on various parameters, such as the severity of the vulnerability, its impact, as well as the quality of the report.
In general, the reward amount will vary from $100 for low impact vulnerabilities to $5000 for the most critical ones.
Please note that all rewards are handled through our private program on HackerOne, so an account there is needed to receive the reward.
Our bug bounty rewards are only paid through HackerOne. To report a potential security vulnerability, please create a report on this platform containing a detailed description and including steps on how to reproduce your findings.
If you are currently not part of our private bug bounty program, you can write us an email containing your HackerOne handle to email@example.com and we will send you an invitation if you meet our eligibility criteria.
To report a potential security vulnerability, you can also send us an email to firstname.lastname@example.org containing a detailed description, including steps on how to reproduce your findings.
If you are a customer, please note that in addition to our bug bounty program, we also conduct regular penetration tests, the results of which you can request from your Criteo point of contact.
If you have any questions about this policy or about information security at Criteo, please contact us at email@example.com.
Thank you for your efforts in keeping Criteo secure. We appreciate your help in making our products and services safer.