Responsible Disclosure
This is a Responsible Disclosure Program. Keurig Dr Pepper is proactively advancing our security to identify new threats. We know no technology is perfect. Because threats to our corporate environment and customer assets are ever present, we value the important role the security community plays in helping us mitigate information security risk. Keurig Dr Pepper looks forward to working with the security community to find vulnerabilities in order to keep our customer and protect the operations of our business. If you have information about possible security vulnerabilities in any Keurig Dr Pepper product or service, please submit a report using these guidelines.
I. Program
1. Scope Domains where Keurig Dr Pepper is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Domains registered to Keurig Dr Pepper but hosted by a third party are out of scope. Not sure what’s in scope? Send an email to support@hackerone.com.
2. Safe Harbor Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will make it known that your actions were conducted in compliance with this policy. Keurig Dr Pepper reserves all legal rights in the event of noncompliance with this policy.
3. Program Eligibility
- You agree and adhere to the Program Rules and Legal terms as stated in this policy.
- You are the first to submit a sufficiently reproducible report for a vulnerability in order to be eligible for the report to be accepted and Triaged.
- You are available to supply additional information, as needed by our team, to reproduce and triage the issue.
- Publically-known Zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability.
- Out-of-scope vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.
- Keurig Dr Pepper employees and third-party assets employees are not eligible for participation in this program.
4. Program Rules
- Do:
- Read and abide by the program policy.
- Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.
- Exercise caution when testing to avoid negative impact to customers and the services they depend on.
- STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
- Do NOT:
- Do not disclose the potential security issue to any third party without Keurig Dr Pepper’s prior written permission.
- Do not Brute force credentials or guess credentials to gain access to systems.
- Do not participate in denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not engage in any form of social engineering of Keurig Dr Pepper employees, customers, or vendors.
- Do not engage or target any Keurig Dr Pepper employee, customer, or vendor during your testing.
- Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.
- Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service. Do not interact with accounts you do not own or without the explicit permission of the account holder.
- Do not engage in any physical attempts against Keurig Dr Pepper property
5. Disclosure Policy
You may not discuss this program or any vulnerabilities (even invalid and resolved ones) outside of the program without express consent from the organization. If you are interested in sharing any information about your testing methodology related to a Keurig Dr Pepper report, you must request permission on your report and you must receive written approval from a Keurig Dr Pepper team member.
6. Legal Keurig Dr Pepper reserves the right to modify the terms and conditions of this program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.
II. Submission Process
1. Response Times
- First Response – 2 days
- Time to Triage – 2 days
- Time to Resolution – depends on severity and complexity
2. Test Instructions
- We strongly recommend you use a user agent header in your HTTP(S) requests, and for non-HTTP requests we strongly recommend you add an identification to artifacts in POCs, and, or payloads so our teams can identify you as a verified hacker and not a malicious attacker: h1:<vdp-hackeroneusername>.
- No credentials are required or provided for this program. If you self-register for any accounts, please register with your @wearehackerone .com email address. You may not use exposed credentials to continue testing without explicit approval of the company.
3. Scope Exclusions
- Keurig Dr Pepper reserves the right to add to and subtract from the Exclusions list depending on the evaluated severity of reported vulnerabilities and risk acceptance*
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests.
- Bruteforce oracle attacks against unauthenticated endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g., stack traces, application or server errors)
- Tabnabbing
- Issues that require unlikely user interaction by the victim