Cybersecurity
Responsible Disclosure of Vulnerabilities
This policy establishes the framework for collaboration between the InfoSec community and Sonae Sierra SGPS, SA (hereinafter referred to as “Sonae Sierra”) to support the identification and mitigation of security vulnerabilities.
Sonae Sierra provides a dedicated channel for the ethical and responsible disclosure of discovered vulnerabilities. The scope of this policy is limited to vulnerabilities affecting platforms and servers operated or managed, directly or indirectly, by Sonae Sierra.
This Responsible Vulnerability Disclosure policy does not constitute a bug bounty program.
Methodology for Responsible Disclosure of Vulnerabilities:
If you identify a vulnerability which is covered by the scope defined within this policy, please contact Sonae Sierra via the e-mail address: rvd@sonaesierra.com.
To ensure the confidentiality and integrity of the information, communication must be encrypted with the PGP key provided for this purpose, available here.
Scope of Activities:
- Limited to platforms and servers operated or managed, directly or indirectly, by Sonae Sierra. Customer platforms and servers are excluded. If a report is received regarding a platform not included in the scope of this document, a reply will be sent informing the reporter of that fact.
- The present policy does not constitute and does not represent a bug bounty program.
What we ask of the community:
If any vulnerability is identified, contact Sonae Sierra as soon as possible via the email address: rvd@sonaesierra.com.
To expedite the screening and prioritization of reports, we recommend that the disclosure:
- Includes a description of the vulnerability, the system on which it was discovered, and the potential impact of its exploitation.
- Provides a detailed description of the steps required to reproduce the vulnerability.
- Is conducted in English.
Additionally, Sonae Sierra expects that the InfoSec community:
- Does not use the information obtained in an abusive manner that may compromise the availability and confidentiality of the information or the integrity of the platforms and servers;
- Does not disclose identified vulnerabilities until they have been corrected and express permission has been given by Sonae Sierra to do so;
- Deletes any information obtained through the identified vulnerability no later than 10 days after being informed that the vulnerability has been fixed;
- Refrains from:
  - seeking to obtain an economic advantage from the identified vulnerability;
  - causing a disruption or interruption of the functioning of the relevant system or service;
  - deleting or deteriorating computer data, or making any unauthorized copy of it;
  - inflicting any harmful, damaging, or detrimental effect on the person or entity affected, directly or indirectly, or on any third parties, excluding the effects corresponding to the unauthorized access or interception itself and those effects which would already result, with high probability, from the detected vulnerability itself or from its exploitation.
- Ensures the privacy of users;
- Ensures cooperative and responsible behaviour in compliance with the law.
Activities Out of Scope:
- Exploitation of vulnerabilities, or the use of techniques, that may lead to degradation or denial of service (DoS/DDoS).
- Use of means and resources that are inadequate or disproportionate for demonstrating identified vulnerabilities.
- Physical security tests, social engineering techniques, exploitation of human resources, spam or phishing, as well as extending testing to third-party applications even if they are used by Sonae Sierra platforms.
- Use of identified vulnerabilities or errors to access data beyond what is strictly necessary for verification of the vulnerability.
- Erasure or modification of data.
- Issues related to general security recommendations:
  - Errors related to common HTTP status codes;
  - Content spoofing or Host header injection;
  - Information disclosure through publicly accessible service banners;
  - Publicly known files or directories with non-sensitive information (e.g. robots.txt);
  - Absence of HTTP security headers (e.g. Strict-Transport-Security; X-Frame-Options; X-XSS-Protection; X-Content-Type-Options; Content-Security-Policy);
  - TLS/SSL configuration (forward secrecy not enabled; weak or insecure cipher suites);
  - SPF, DKIM and DMARC configuration;
  - Outdated software versions without known vulnerabilities.
What you can expect from Sonae Sierra:
- A response within a maximum of thirty days with an evaluation of the reported vulnerability and the estimated timeframe for correction;
- If you adhere to the rules and procedures described in this policy, no criminal prosecution will be pursued for facts related to the discovery of the reported vulnerability;
- We will not provide information to third parties without your authorization, unless required by legal obligations;
- With your consent, recognition in our hall of fame of the name/alias of the person who identified the vulnerability, together with a summary of the finding;
- Information regarding the processing of personal data within the remit of this policy is outlined below.
Additional Information regarding our Personal Data Protection Commitment:
For the sole purpose of ensuring the proper handling of any vulnerability disclosure, Sonae Sierra collects your e-mail address, name and/or alias (if you choose to disclose the latter two) on the basis of your consent, as per Article 6(1)(a) of the General Data Protection Regulation. Your consent for this processing activity relies on the fact that you have shared this personal data with Sonae Sierra willingly and in an informed manner.
As a general rule, we will store your personal data for up to one year after the disclosed vulnerability is confirmed and, where applicable, resolved.
In the event of non-compliance with the rules and procedures described in this policy, a formal complaint may be lodged with the relevant authorities. Personal data associated with the dispute shall be stored for a maximum of one year after the final settlement.
If you would like to be acknowledged in our hall of fame webpage, please indicate your preference when submitting the vulnerability disclosure to Sonae Sierra. For individuals recognized in our hall of fame, their personal data, including their name and/or alias, will be retained and publicly displayed on our website for a period of five years.
You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Providing your personal data is neither a statutory obligation nor a contractual necessity.
Make sure to read our Personal Data Protection Commitment before engaging with Sonae Sierra.