We are using cookies in order to facilitate your navigation. By continuing to navigate on this website or clicking on the close button you accept our policy regarding the usage of cookies.Yes, I accept Learn more
Mondelēz International has partnered with HackerOne to manage the information submitted on this page.
Mondelēz International takes vulnerability disclosures seriously and appreciates the security researchers’ efforts. Mondelēz International is committed to establishing a transparent and open communication with researchers.
The Purpose of the Vulnerability Disclosure Policy (VDP) is to give security researchers clear guidelines for conducting vulnerability research, discovery, and reporting against Mondelēz International systems.
Mondelēz International accepts vulnerability findings from various sources such as independent security researchers, industry partners, or customers. Mondelēz International defines a vulnerability as a technical flaw or weakness found in a system that can be leveraged to compromise the confidentiality, integrity, or availability of Mondelēz International products, services, and data. Please see the rules of engagement for security researchers below.
Legal Authorization (Safe Harbor)
If all the associated guidelines highlighted in this policy are followed during the security research, Mondelēz International will consider the research to be authorized, and will look to collaborate to understand any discovered issues quickly. Mondelēz International will not recommend or pursue legal action against authorized activities that are in accordance with this policy.
- Please use a user agent header in your HTTP(S) requests, and for non-HTTP requests we strongly recommend you add identification to artifacts in POCs, and, or payloads so our teams can identify you as a verified hacker and not a malicious attacker:
- If you forget to tag your traffic, please list your IP in the submission form.
- No credentials are required or provided for this program. If you self-register for any accounts, please register with your @wearehackerone.com email address. You may not use exposed credentials to continue testing without written consent from Mondelēz International.
Submitting a Report
- Notify us immediately upon discovery of any real security issues via the submission form on this page. Please fill out the Vulnerability Disclosure Template in detail.
- HackerOne will acknowledge that the submission was received within two (2) business days of the submission date. (Requires contact information. We cannot communicate with anonymous submissions).
- HackerOne will validate steps to reproduce, proof of concept, and severity. Further details may be requested to properly triage the submission. Below are details requested to assist with triaging the reported finding:
- Vulnerability description
- Potential impact of the issue reported
- Step-by-step re-production instructions including technical details
- Any proof-of-concept code that is used
- Remediation or mitigation steps for the reported issue
- Any tools utilized to detect the issue
Rules of Engagement
Security researchers must carry out the following activities:
- Notify us immediately upon discovery of any real or potential security issues
- Discard and purge any stored Mondelēz International data upon reporting a vulnerability finding
Security researchers must not carry out the following activities:
- Test any systems not specified in Appendix A: In-scope systems.
- Conduct any testing that may disrupt, impair, or disable Mondelēz International systems (e.g. DoS, DDoS).
- Engage in social engineering of Mondelēz International employees, contractors, and customers.
- Physically test any facilities or resources (e.g., office access, tailgating), send any unsolicited or social engineering mail to any Mondelēz International users (e.g., phishing, vishing).
- Exploit any vulnerability beyond the minimal amount of testing required to identify an indicator related to the vulnerability.
- Compromise, copy or exfiltrate any data from any systems.
- Test any third-party websites, applications, or services that integrate with or link to/from Mondelez International systems.
- Carry on with the testing if you find vulnerabilities involving sensitive data, including personally identifiable information or proprietary data. In this case, you must stop your test and notify us immediately and you must not disclose this data to anyone.
- Discuss this program or any vulnerabilities (even resolved ones) outside of the program without express written consent (including via email) from Mondelēz International.
Upon submission of the finding, the Mondelēz International team will:
- Acknowledge that the submission was received within two (2) business days of the submission date.
- Collaborate to validate and resolve reported vulnerability findings.
Thank you for helping keep our company and our users safe!
Appendix A: In-Scope Systems
The following IP are also in scope for the VDP:
188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206-220.127.116.11, 18.104.22.168, 22.214.171.124-126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206-220.127.116.11, 18.104.22.168-22.214.171.124, 126.96.36.199, 188.8.131.52-184.108.40.206, 220.127.116.11-18.104.22.168, 22.214.171.124-126.96.36.199, 188.8.131.52-184.108.40.206, 220.127.116.11-18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168