Policy

Mondelēz International has partnered with HackerOne to manage the information submitted on this page.

Introduction

Mondelēz International takes vulnerability disclosures seriously and appreciates the security researchers’ efforts. Mondelēz International is committed to establishing a transparent and open communication with researchers.

The Purpose of the Vulnerability Disclosure Policy (VDP) is to give security researchers clear guidelines for conducting vulnerability research, discovery, and reporting against Mondelēz International systems.

Mondelēz International accepts vulnerability findings from various sources such as independent security researchers, industry partners, or customers. Mondelēz International defines a vulnerability as a technical flaw or weakness found in a system that can be leveraged to compromise the confidentiality, integrity, or availability of Mondelēz International products, services, and data. Please see the rules of engagement for security researchers below.

Legal Authorization (Safe Harbor)

If all the associated guidelines highlighted in this policy are followed during the security research, Mondelēz International will consider the research to be authorized, and will look to collaborate to understand any discovered issues quickly. Mondelēz International will not recommend or pursue legal action against authorized activities that are in accordance with this policy.

Test Instructions

  • Please use a user agent header in your HTTP(S) requests, and for non-HTTP requests we strongly recommend you add identification to artifacts in POCs, and, or payloads so our teams can identify you as a verified hacker and not a malicious attacker: h1:<vdp-hackeroneusername>.
  • If you forget to tag your traffic, please list your IP in the submission form.
  • No credentials are required or provided for this program. If you self-register for any accounts, please register with your @wearehackerone.com email address. You may not use exposed credentials to continue testing without written consent from Mondelēz International.

Submitting a Report

  • Notify us immediately upon discovery of any real security issues via the submission form on this page. Please fill out the Vulnerability Disclosure Template in detail.
  • HackerOne will acknowledge that the submission was received within two (2) business days of the submission date. (Requires contact information. We cannot communicate with anonymous submissions).
  • HackerOne will validate steps to reproduce, proof of concept, and severity. Further details may be requested to properly triage the submission. Below are details requested to assist with triaging the reported finding:
    • URL
    • Vulnerability description
    • Potential impact of the issue reported
    • Step-by-step re-production instructions including technical details
    • Any proof-of-concept code that is used
    • Remediation or mitigation steps for the reported issue
  • Any tools utilized to detect the issue

Rules of Engagement

Security researchers must carry out the following activities:
DO:

  • Notify us immediately upon discovery of any real or potential security issues
  • Discard and purge any stored Mondelēz International data upon reporting a vulnerability finding

Security researchers must not carry out the following activities:
DO NOT:

  • Test any systems not specified in Appendix A: In-scope systems.
  • Conduct any testing that may disrupt, impair, or disable Mondelēz International systems (e.g. DoS, DDoS).
  • Engage in social engineering of Mondelēz International employees, contractors, and customers.
  • Physically test any facilities or resources (e.g., office access, tailgating), send any unsolicited or social engineering mail to any Mondelēz International users (e.g., phishing, vishing).
  • Exploit any vulnerability beyond the minimal amount of testing required to identify an indicator related to the vulnerability.
  • Compromise, copy or exfiltrate any data from any systems.
  • Test any third-party websites, applications, or services that integrate with or link to/from Mondelez International systems.
  • Carry on with the testing if you find vulnerabilities involving sensitive data, including personally identifiable information or proprietary data. In this case, you must stop your test and notify us immediately and you must not disclose this data to anyone.
  • Discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent (including via email) from Mondelēz International.

Processing Expectations

Upon submission of the finding, the Mondelēz International team will:

  • Acknowledge that the submission was received within two (2) business days of the submission date.
  • Collaborate to validate and resolve reported vulnerability findings.

Thank you for helping keep our company and our users safe!

Appendix A: In-Scope Systems

mondelezinternational.com
oreo.com
sourpatchkids.com
belvitabreakfast.com
gethalls.com
ritzcrackers.com
snackworks.com
tridentgum.com
wheatthins.com
goodthins.com
discoverteddy.com
triscuit.com
letschatsnacks.com
dentyne.com
slowreleasecarbs.com
milliegram.com
us.greenandblacks.com

mdlzvendtray.com
dirtkitchensnacks.com
makemicromarketsales.com
capaofruit.com
vend.foodservicesnackrack.com
nabiscoxbox.com
summeryourwaysweeps.com
Belvita7elevengame.com
FamilyDollarChipsAhoy.com
startabelvitabrewmance.com
RITZSmartandFinalGiveaway.com
cafollowyourart.com
smartlabel.mondelez.info
holidayoreorecipes.com
togetherwefan.com
NabiscoMarchMadness.com

belvitaDistributorOffer.com
sourpatchkidsmystery.com
nabiscobracket.com
tastegreatnessVIP.com
NabiscoGetYourGameOn.com
belvitaDipItSipIt.com
mdlzfreerackpromo.com
NabiscoFallFootball.com
OREO110BirthdayToolkit.com
togethernessgames.com
honeymaidsmores.com
BackToClassSweeps.com
hallsminiscameo.com
foodservice-snacks-desserts.com
nabiscogearupforgreatness.com
ladygagaoreostanclub.com


The following IP are also in scope for the VDP:

13.66.223.183, 13.74.255.173, 13.77.147.35, 13.79.239.166, 13.88.177.77, 13.91.56.148, 20.72.193.247, 20.72.200.158, 20.72.219.4, 20.190.16.28, 40.67.156.99, 40.67.158.114, 40.70.206.138, 40.75.22.229, 40.90.221.158, 40.112.91.212, 40.125.77.62, 51.143.63.17, 52.137.101.217, 52.164.251.140, 52.167.254.129, 52.175.204.40, 52.178.155.90, 52.178.188.66, 52.178.193.117, 52.178.197.1, 52.183.19.111, 52.191.166.26, 52.247.202.84, 52.247.208.18, 52.247.218.60, 64.254.113.166-64.254.113.167, 74.220.96.180, 77.247.2.180-77.247.2.181, 77.247.9.180, 104.46.125.230, 104.208.139.115, 104.208.222.163, 104.208.236.111, 104.209.128.116, 104.209.178.5, 119.31.169.166, 121.244.32.86, 137.116.33.156, 137.116.48.254, 162.117.250.1, 162.117.251.2, 162.117.251.11-162.117.251.12, 162.117.251.20-162.117.251.21, 162.117.253.1, 162.117.253.7-162.117.253.9, 162.117.253.18-162.117.253.21, 162.117.253.23-162.117.253.26, 162.117.253.31-162.117.253.35, 162.117.253.51-162.117.253.54, 162.117.253.65, 162.117.253.76, 162.117.253.81, 162.117.253.131, 162.117.253.193, 162.117.253.211, 162.117.254.1, 162.117.254.3, 168.61.90.195, 183.84.8.44, 207.179.20.181, 207.179.26.104, 104.208.236.111, 119.31.169.166, 121.244.32.86, 162.117.253.18, 162.117.253.23, 162.117.253.24, 162.117.253.25, 162.117.253.26, 183.84.8.44, 20.190.16.28, 207.179.20.181, 207.179.26.104, 52.175.204.40, 52.178.155.90, 52.178.197.1, 52.183.19.111, 64.254.113.166, 64.254.113.167, 74.220.96.180, 77.247.2.180, 77.247.2.181, 77.247.9.180, 63.241.102.38, 63.241.102.37