Introduction
At Criteo, the security of our products and services is of the utmost importance. Our goal is to provide our customers and users with the best possible experience, and to ensure that the information and data entrusted to us are protected and secure. To that end, we welcome responsible and ethical disclosure of potential security vulnerabilities from security researchers and the general public. This policy outlines our expectations for the responsible disclosure of security vulnerabilities, and the process by which they will be handled.
Authorization
If you comply with this policy during your research, Criteo will consider your actions authorized and will not take legal action against you.
Our Commitments
When you disclose an issue to us in accordance with this policy, you can expect us to:
- Respond to your report within 3 business days, and work with you to understand and address it
- Take action to fix the reported vulnerabilities as soon as possible, unless the vulnerability concerns a risk we have already accepted
- Keep you informed about our progress in fixing the issue
- Keep information about you and the vulnerability you disclose confidential, unless otherwise agreed with you
- Reward you according to what is described in the rewards section
Guidelines
For your research to be considered an authorized activity under this policy, you must:
- Act in good faith and avoid misusing the systems and applications in ways that damage Criteo or our customers
- Notify us as soon as you discover a real or potential security issue
- Only disclose the issue publicly after we deploy a fix, and based on mutual agreement. The agreement will include the timing of the disclosure and the degree of detail to include
and you must not:
- Access, modify, or remove data that belongs to accounts that you did not create yourself
- Use high-intensity invasive or destructive tools
- Submit a high volume of low-quality reports (such as just pasting the results of scanners)
- Use any of the following test methods:
  - Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  - Physical testing (e.g., office access, open doors, tailgating)
  - Social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
- Disclose your findings to any third party without prior written authorization from Criteo
- Use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems. Exploits should only be used to the extent necessary to confirm a vulnerability’s presence. If you have any doubts, please report the issue to us for confirmation.
Once you have established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Scope
This policy applies to any digital assets owned, operated, or maintained by Criteo. This excludes third-party services that can be accessed through one of our subdomains or that are integrated with one of our products.
A detailed and up-to-date scope can be found on our BugCrowd policy.
Rewards
Criteo may provide recognition and rewards to anyone who responsibly and ethically discloses security issues to us, provided they adhere to this policy. The amount of the reward, if any, will be determined at our discretion based on various parameters, including the severity of the vulnerability, its impact, and the quality of the report.
In general, the reward amount will vary from $175 for low-impact vulnerabilities to $4500 for the most critical ones.
Please note that all rewards are handled through our private program on BugCrowd, so a BugCrowd account is required to receive the reward.
Reporting a Vulnerability
Our bug bounty rewards are only paid through BugCrowd. To report a potential security vulnerability, please create a report on this platform containing a detailed description and including steps on how to reproduce your findings.
If you are currently not part of our private bug bounty program, you can write us an email containing your BugCrowd handle to security@criteo.com, and we will send you an invitation if you meet our eligibility criteria.
To report a potential security vulnerability, you can also send us an email to security@criteo.com containing a detailed description, including steps on how to reproduce your findings.
Customers
If you are a customer, please note that in addition to our bug bounty program, we also conduct regular penetration tests, the results of which you can request from your Criteo point of contact.
Questions
If you have any questions about this policy or about information security at Criteo, please contact us at security@criteo.com.
Thank you for your efforts in keeping Criteo secure. We appreciate your help in making our products and services safer.