Policy

Mondelēz International has partnered with HackerOne to manage the information submitted on this page.

Introduction

Mondelēz International takes vulnerability disclosures seriously and appreciates the efforts of security researchers. Mondelēz International is committed to establishing transparent and open communication with researchers.

The purpose of this Vulnerability Disclosure Policy (VDP) is to give security researchers clear guidelines for conducting vulnerability research, discovery, and reporting against Mondelēz International systems.

Mondelēz International accepts vulnerability findings from various sources such as independent security researchers, industry partners, or customers. Mondelēz International defines a vulnerability as a technical flaw or weakness found in a system that can be leveraged to compromise the confidentiality, integrity, or availability of Mondelēz International products, services, and data. Please see the rules of engagement for security researchers below.

Legal Authorization (Safe Harbor)

If all the associated guidelines highlighted in this policy are followed during the security research, Mondelēz International will consider the research to be authorized, and will look to collaborate to understand any discovered issues quickly. Mondelēz International will not recommend or pursue legal action against authorized activities that are in accordance with this policy.

Test Instructions

  • Please use a User-Agent header in your HTTP(S) requests, and for non-HTTP requests we strongly recommend adding identification to artifacts in POCs and/or payloads, so our teams can identify you as a verified hacker and not a malicious attacker: h1:<vdp-hackeroneusername>.
  • If you forget to tag your traffic, please list your IP in the submission form.
  • No credentials are required or provided for this program. If you self-register for any accounts, please register with your @wearehackerone.com email address. You may not use exposed credentials to continue testing without written consent from Mondelēz International.

Submitting a Report

  • Notify us immediately upon discovery of any real security issues via the submission form on this page. Please fill out the Vulnerability Disclosure Template in detail.
  • HackerOne will acknowledge that the submission was received within two (2) business days of the submission date. (Requires contact information. We cannot communicate with anonymous submissions).
  • HackerOne will validate steps to reproduce, proof of concept, and severity. Further details may be requested to properly triage the submission. Below are the details requested to assist with triaging the reported finding:
    • URL
    • Vulnerability description
    • Potential impact of the issue reported
    • Step-by-step reproduction instructions including technical details
    • Any proof-of-concept code that is used
    • Remediation or mitigation steps for the reported issue
    • Any tools utilized to detect the issue

Rules of Engagement

Security researchers must carry out the following activities:
DO:

  • Notify us immediately upon discovery of any real or potential security issues
  • Discard and purge any stored Mondelēz International data upon reporting a vulnerability finding

Security researchers must not carry out the following activities:
DO NOT:

  • Test any systems not specified in Appendix A: In-scope systems.
  • Conduct any testing that may disrupt, impair, or disable Mondelēz International systems (e.g. DoS, DDoS).
  • Engage in social engineering of Mondelēz International employees, contractors, and customers.
  • Physically test any facilities or resources (e.g., office access, tailgating), send any unsolicited or social engineering mail to any Mondelēz International users (e.g., phishing, vishing).
  • Exploit any vulnerability beyond the minimal amount of testing required to confirm that it exists.
  • Compromise, copy or exfiltrate any data from any systems.
  • Test any third-party websites, applications, or services that integrate with or link to/from Mondelēz International systems.
  • Continue testing if you find vulnerabilities involving sensitive data, including personally identifiable information or proprietary data. In that case, you must stop your test and notify us immediately, and you must not disclose this data to anyone.
  • Discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent (including via email) from Mondelēz International.
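The two practical obligations above, tagging every request with h1:<vdp-hackeroneusername> and never touching a system outside Appendix A, are easy to automate. The following is an added example for this page and is not Mondelēz International or HackerOne tooling. It builds the tagged User-Agent value and checks a URL, bare hostname or IP literal against a scope list written in the same shapes Appendix A uses (a bare hostname, a hostname with a path such as secure-na1.mdlzapps.com/CollectionAdmin, an IDN in xn-- form, single IPs and a-b IP ranges). It assumes that a hostname entry matches exactly and does not cover its subdomains, that an entry with a path covers only that path prefix, and that an a-b range is inclusive at both ends; the sample scope embedded in it is a constructed subset of Appendix A, not the full list.

```python
# Added example, not the program's own tooling: tag traffic and check scope
# against an Appendix A style list. Assumptions: exact hostname match (no
# subdomain inference), path entries cover only that path prefix, "a-b" IP
# ranges are inclusive at both ends.
import ipaddress
from urllib.parse import urlsplit

# Constructed sample with one entry of each shape found in Appendix A.
SAMPLE_HOSTS = """
cadbury.co.uk
secure-na1.mdlzapps.com/CollectionAdmin
milka.be/fr-BE
xn--80abwto.xn--p1ai
"""
SAMPLE_IPS = "13.66.223.183, 64.254.113.166-64.254.113.167, 162.117.253.18-162.117.253.21"


def hackerone_user_agent(username, base="Mozilla/5.0"):
    """User-Agent value carrying the h1:<username> tag the Test Instructions ask for."""
    return f"{base} h1:{username}"


def tagged_headers(username):
    """Headers to send on every HTTP request so the traffic is attributable to you."""
    return {"User-Agent": hackerone_user_agent(username)}


def parse_scope(hosts_text, ips_text):
    """Split a scope list into exact hosts, (host, path-prefix) pairs and IP networks."""
    hosts, path_entries, nets = set(), [], []
    for line in hosts_text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        host, slash, path = entry.partition("/")
        host = host.lower()            # DNS names are case-insensitive; paths are not
        if slash:
            path_entries.append((host, "/" + path))
        else:
            hosts.add(host)
    for item in ips_text.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:                # inclusive "a-b" range -> covering CIDR blocks
            lo, hi = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(item))   # single address -> /32
    return hosts, path_entries, nets


def in_scope(target, scope):
    """True if a URL, bare hostname or IP literal falls inside the parsed scope."""
    hosts, path_entries, nets = scope
    if "://" not in target:
        target = "http://" + target    # urlsplit needs a scheme to find the host
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    try:                               # IP literal: check the address ranges only
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in nets)
    except ValueError:
        pass
    host = host.encode("idna").decode("ascii")   # unicode names -> xn-- form
    if host in hosts:
        return True
    path = parts.path or "/"
    for entry_host, prefix in path_entries:
        if host == entry_host and (path == prefix or path.startswith(prefix + "/")):
            return True
    return False


if __name__ == "__main__":
    scope = parse_scope(SAMPLE_HOSTS, SAMPLE_IPS)
    print(tagged_headers("example-user"))
    for t in ["https://cadbury.co.uk/login", "https://www.cadbury.co.uk/",
              "secure-na1.mdlzapps.com/CollectionAdmin/users",
              "secure-na1.mdlzapps.com/", "64.254.113.167", "162.117.253.22"]:
        print(f"{t!r:55} in scope: {in_scope(t, scope)}")
```

Run the script with the full Appendix A pasted into SAMPLE_HOSTS and the IP paragraph into SAMPLE_IPS, then call in_scope on every host your tooling is about to touch; anything it returns False for is outside the program, whatever it links to or resolves to.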

Processing Expectations

Upon submission of the finding, the Mondelēz International team will:

  • Acknowledge that the submission was received within two (2) business days of the submission date.
  • Collaborate to validate and resolve reported vulnerability findings.

Thank you for helping keep our company and our users safe!

Appendix A: In-Scope Systems

mondelezinternational.com
bassettsvitamins.co.uk
belvitabreakfast.com
cadbury.co.uk
cadbury.ie
cadburyworld.co.uk
ejackson.co.uk
foodservice-snacks-desserts.com
gethalls.com
greenandblacks.co.uk
us.greenandblacks.com
milka.com.pl
mondelezdeutschlandprofessional.de
oreo.pt
philadelphia.co.uk
ritzcrackers.com
rssl.com
secure-na1.mdlzapps.com/CollectionAdmin
snackworks.com
stimorol.be
toblerone.ch
tridentgum.com
cocoalife.org
mondelezcanadafoodservice.ca
wheatthins.com
jp.mondelezinternational.com
ru.mondelezinternational.com
ua.mondelezinternational.com
my.mondelezinternational.com
in.mondelezinternational.com
tr.mondelezinternational.com
philadelphia.fi
maraboupremium.fi
maraboupremium.dk
freia.no
freiahjemmekonditori.no
mikado.tv
marabou.se
marabou.dk
marabou.fi
cadbury.co.za
cotedor.com
dairylea.co.uk
fundraising.com.au
halls.jp
jocca.it
maraboupremium.se
milka.com
milka.com.tr
mozartkugel.at
mwtr.com
philadelphia.gr
oreo.eu
philadelphia.be
philadelphia.ch
philadelphia.dk
philadelphia.it
philadelphia.no
philadelphia.se
recaldent-gum.com
sottilette.it
servicesalimentairesmondelezcanada.ca
cadburycustomer.com.au
belvitabreakfast.nl
vitasnellabakery.it
meinebackkreation.de
mondelezpro.fr
mondelezinternationalnutritionscience.com
disclaimer.mondelezinternational.com
agencywire.mdlzapps.com
oboy.se
oboy.no
oboy.fi
mdlzcusthelp.com
mdlzcusthelp.ca
eu.mondelezinternational.com
princepolo.pl
miracelwhip.de
goodthins.com
negotiations.mondelezinternational.com
tuc.eu
digitalaccelerator-mdlz.com
lilaliebtgruen.at
philadelphiaprofessional.co.uk
first.com.tr
oreo.ru
lu.fr
amea.mondelezinternational.com
orosaiwa.it
mavieencouleurs.fr
discoverteddy.com
keksihylly.fi
jello.com.mx
app.enjoymdlz.pl
services.cadbury.co.uk
services-mw.rssl.com
clorets.jp
suchard.bg
cotedor.nl
cotedor-chocolat.fr
trident.com.mx
clight.com.mx
tang.com.ar
philadelphia.com.mx
triscuit.com
oreocookie.jp
ritzcrackers.jp
premiumcrackers.jp
fr.cocoalife.org
de.cocoalife.org
letschatsnacks.com
harmony.info
dentyne.com
tuc.be
ir.mondelezinternational.com
stimorol.ch
services.milka.de
suchard.at
gdpr-readiness-kit.mondelezinternational.com
philadelphia.ie
vykotulanesibalstvo.sk
vykutalenarostarna.cz
philadelphia.co.nl
health-pro.snackmindful.com
mikado.com
philadelphia.de
negro.hu
sportszelet.hu
fr.philadelphia.ch
de.philadelphia.ch
philadelphia.pt
philadelphia.es
contactus.mdlzapps.com
services.freia.no
haztudiadelicioso.com
oreo.at
de.oreo.eu
snackfutures.com
ticketing.cadburyfc.com
tang.com.uy
princedelu.fr
fr.oreo.eu
philadelphia.fr
philadelphia-professional.de
mdlzvendtray.com
ritzmx.com
miracelwhip-mayo.de
sensations.milka.ru
mdlzcollaboration.com
tuc.nl
mondelez-foodservice.co.uk
pt.cocoalife.org
oreo.gr
superstriker.cadburyfc.com
apolo.hellojoy.es
toblerone.fr
cadburyfavourites.com
dirtkitchensnacks.com
snackworks.ca
oreorecipes.com
cadburygifting.in
catalogo.hellojoy.es
svogeshokoladi.bg
sourpatchkids.com
cadburydonateyourkit.co.nz
vend.foodservicesnackrack.com
stimorol.nl
lu.be
snackmindful.com
staycremoso.it
opavia180.com
sayitwith.milkatender.ru
alpengold.me
fundraising.co.nz
fattorieosella.it
oplatky-kolonada.cz
shop.oreo.eu
wbbsgfx.com/tagroller
philly.com.au
phillyarabia.com
barni.org
v6-labs.ch
mikadoitalia.it
ziz.be
mondelezinternational.com/makers-bakers-bulletin-board
fr.v6-labs.ch
gethalls.ca
cheeseanything.com
milka.de
xn--80abwto.xn--p1ai
promo.milka.ru
cadburyfavourites.co.nz
bot.cadburygifting.in
cadburyinventor.com
milka.at
caramilkingredients.com
caramilksecret.ca
howcaramilkismade.com
caramilksecrets.ca
cadburycaramilk.ca
recettescaramilk.com
secretdelacaramilk.com
mysteredelacaramilk.com
lesecretdecaramilk.com
mysterecaramilk.com
caramilk.ca
mondelez.promo.eprize.com/belvitadistributoroffer
xn--l1adbbf.xn--90aiakgkqi1l.xn--p1ai
mondelez.promo.eprize.com/sourpatchkidsmystery
cadburygiftsdirect.co.uk
tang.com.br
lu-original.de
mondelezfoodservice.com.mx
ritzcrackers.com/lunchgoeson
fontaneda.es
xn--90aiakgkqi1l.xn--p1ai
resultsonline.rssl.com
nabiscoxbox.com
oreo.co.uk
milka.nl
cadbury.com.au
mitiendamondelez.com
snackonwithxbox.ca
smartlabel.mondelez.info
milka.oreo.ru
fonzies.it
deliciousdisplay.co.uk
bg.barniworld.com
oreoitalia.it
mondelezfoodsolutions.com.br
singwithoreo.com
5ka.alpengold.me
oreo.com
holidayoreorecipes.com
mibodegamondelez.pe
5ka.milka.ru
perekrestok.milka.ru
lenta.milka.ru
ladygagaoreostanclub.com
lacta.com.br
letschatsnacks.com/oreo-cookie-clip
tuc.fun
zamieszkaj2021.princepolo.pl
letschatsnacks.com/oreo-and-friends-kits
europadagustare.sottilette.it
fuehl-dich-gut.philadelphia.de
milka.fr
milka.be/fr-BE
milka.be/nl-BE
milka.it
milka.sk
milka.hu
milka.cz
milka.ru
milka.ro
milka.bg
milka.ua
milka.hr
milka.rs
milka.ba
tuctime.it
cadburyfc.com
oreoconcorso.it
playwithoreo.com
letschatsnacks.com/sour-patch-kids-rebate
fcmilka.de
175ans.lu.fr
milliegram.com
liga.nl
dirol-promo.ru
hollywood-chewinggum.fr
perekrestok.alpengold.me
tippspiel.fcmilka.de
triscuit.connecting-food.com/en/triscuit/original
milka.de/shopselector
philadelphia.ro
xn--l1adbbf.xn--80abwto.xn--p1ai
xn--80agpnh5a.xn--80abwto.xn--p1ai
x5.oreo.ru
lenta.alpengold.me
pe.masdiversionoreo.com
mondelez.promo.eprize.com/jarreamamie
mondelez.promo.eprize.com/militaryncaa
magnit.alpengold.me
togethernessgames.com
nl.cotedor.be
wielkanocneszukajki.pl
beldent.com.ar
nu-tavlar-vi.se
oreoacademy.es
dessertscorner.com
promocjadelicje.pl
nussbeisser.pl
altuofiancoincucina.philadelphia-professional.it
milkamagicaleaster.be
candybarencasa.com
xn--cumpleaos-r6a.milka.es
klubbkakan.marabou.se
oroanniversario.it
letschatsnacks.com/chips-ahoy-sample-kit
zarterwunsch.milka.de
mondelez.promo.eprize.com/nabiscogetyourgameon
secure.promosite.com.au/belvitawoolworths
nabiscogearupforgreatness.com
nosmuevelaroja.principe.es
barnipromo.ro
fr.cotedor.be
captain.cadburyfc.com
beldent.com.uy
xn--80abhcebubc0amocn4ci.xn--80abwto.xn--p1ai
belvita.se
luprince.be
luprince.nl
suchard.es
mondelez.promo.eprize.com/jarreamamie/videos
brumikobjavitel.sk
brumikobjevitel.cz
figaro.cz
figaro.sk
tang.com.mx
leo.be
philadelphia.cl
mondelez-nabiscominions.promo.eprize.com
xn--e1aaatbxcjcll.xn--80abwto.xn--p1ai
oreo-la.com
honeymaidsmores.com
cookbook.cadbury.co.uk
mezclaydisfruta.com.ar
citytrip.philadelphia.co.nl
instagram.com/royal_postres
mondelez.promo.eprize.com/followyourart
cadbury.co.nz
citytrip.philadelphia.be
dirolplay.com
promofield.pe
belvitadipitsipit.com
cheesecakeperfect.ro
ritzcrackers.com/foster-welcome
oreopromociones.es
win-v6.stimorol.ch
loteriamilka.pl
letschatsnacks.com/RITZ-Cheese-Crispers
oreodzienojca.pl
momentidifamiglia.philadelphia.it
mondelez.promo.eprize.com/walmartcollecttowin21
jeu.princedelu.fr
mondelez.promo.eprize.com/walmartbacktoclass/
nyerjakekszekkel.hu
letschatsnacks.com/RITZ-Cheese-Crispers-Sample-Kit
milkaslovenija.com
xn--80agpnh5a.xn--90aiakgkqi1l.xn--p1ai
lidl.nyerjakekszekkel.hu
letschatsnacks.com/oreo-popcorn-sample
pressplaywithoreo.com
orszagos.nyerjakekszekkel.hu
stimorolgamingcontest.com
milka.es
loteriaciastek.pl
pornuestrasciudades.com
magnitdark.alpengold.me
orociokspacejam.it
cadburywingold.co.nz
matchandwin.cadburyfc.com
cloud.mdlzinsights.com
loteriahalls.pl
pelasnossascidades.com
back2school-gewinnspiel.at
halls.win
tettrungthu.vn
cadburypurpleheart.in
mdlzfreerackpromo.com
disfrutatumomento.es
donutmuffin.milka.de
learnwithbournvita.com
egyedimilka.hu
playcadbury.co.nz
belvita.life
xn--h1abcjhbnel.xn--80abwto.xn--p1ai
unafettapertutti.sottilette.it
promohalls.com.br
readmytwirl.com
bolachasprince.pt
promo.milka.ro
oroecoopinsieme.it
belvitapromo.ro
kz.barni.org
oreo.promo
bontasenzasegreti.fattorieosella.it
nyerjakedvenceiddel.hu
cadburycelebrationsgifting.com
cadburygems.in
madbury.in
cadburycelebrationsmyfirstrakhi.com
vyhrajscoop.cz
winwithoreo.com
cadburyperktakeitlight.com
milkatiregala.it
mondelez.promo.eprize.com/belvita7elevengame21/
playpadwebar.com
detoutcoeuraveclesbleus.milka.fr
mannkitayyari.in
bbdr.cz
bbdr.sk
mondelez.promo.eprize.com/nabiscofallfootball21/
hideandfind.cadbury.co.uk
oreoplaypack.in
gyoriedes.hu
milkanjeznitrenuci.hr
x5.alpengold.me
belvitajoreggelt.hu
lu.nl
taste.philadelphia.be
taste.philadelphia.co.nl
milkaneznitrenutki.si
rewe.milka.de
kaufland.milka.de
mueller.milka.de
edeka.milka.de
netto.milka.de
miamourembourse.milka.fr
5ka.promo.milka.ru
magnit.promo.milka.ru
ciocolatapoiana.ro
5starnothingcoin.com
hallsminiscameo.com
gustaredetop.ro
generasitiger.com
loteriadelicje.pl
ciasteczkowe.pl
cakesters.oreo.com
toblerone.co.uk
biskuatacademy.com
oreomuhely.hu
cerealitas.com.ar
lacta.gr
marabouchokladhus.se
cadburysaythankyou.com
potursinejnostta.milka.bg
aldi.nyerjakedvenceiddel.hu
mdlzmysales.com
base-mondelez-ag.fr
tatesbakeshop.com
coop.nyerjakedvenceiddel.hu
cadouritandre.ro
sobremesasroyal.pt
5ka.milkatender.ru
hallsbreathofthailand.com
go.milka.bg
chipita.com
fineti.com
7days.com
molto.gr
spinspan.gr

The following IP addresses and address ranges are also in scope for the VDP:

13.66.223.183, 13.74.255.173, 13.77.147.35, 13.79.239.166, 13.88.177.77, 13.91.56.148, 20.72.193.247, 20.72.200.158, 20.72.219.4, 20.190.16.28, 40.67.156.99, 40.67.158.114, 40.70.206.138, 40.75.22.229, 40.90.221.158, 40.112.91.212, 40.125.77.62, 51.143.63.17, 52.137.101.217, 52.164.251.140, 52.167.254.129, 52.175.204.40, 52.178.155.90, 52.178.188.66, 52.178.193.117, 52.178.197.1, 52.183.19.111, 52.191.166.26, 52.247.202.84, 52.247.208.18, 52.247.218.60, 64.254.113.166-64.254.113.167, 74.220.96.180, 77.247.2.180-77.247.2.181, 77.247.9.180, 104.46.125.230, 104.208.139.115, 104.208.222.163, 104.208.236.111, 104.209.128.116, 104.209.178.5, 119.31.169.166, 121.244.32.86, 137.116.33.156, 137.116.48.254, 162.117.250.1, 162.117.251.2, 162.117.251.11-162.117.251.12, 162.117.251.20-162.117.251.21, 162.117.253.1, 162.117.253.7-162.117.253.9, 162.117.253.18-162.117.253.21, 162.117.253.23-162.117.253.26, 162.117.253.31-162.117.253.35, 162.117.253.51-162.117.253.54, 162.117.253.65, 162.117.253.76, 162.117.253.81, 162.117.253.131, 162.117.253.193, 162.117.253.211, 162.117.254.1, 162.117.254.3, 168.61.90.195, 183.84.8.44, 207.179.20.181, 207.179.26.104, 63.241.102.38, 63.241.102.37, 93.184.72.138, 195.68.214.73, 46.16.194.69, 195.122.195.234, 91.196.156.146, 81.12.139.114, 92.86.207.110, 89.120.147.170, 91.82.106.182, 89.216.23.202, 94.42.120.90, 185.89.65.82, 212.174.158.210, 62.1.54.58, 80.107.91.210, 78.107.30.18, 62.96.194.226, 217.146.130.51, 195.136.48.42, 90.152.54.18, 83.242.228.94, 195.239.232.54, 185.183.185.116, 86.110.242.75, 86.110.245.26, 84.254.8.25