Vulnerability Disclosure Policy

• We will investigate reported vulnerabilities and respond to you as soon as possible.
• We will work to resolve all qualifying security vulnerabilities as soon as possible.
• We will not take legal action against you as long as you obey our vulnerability disclosure policy - see Section 3 "Legal Safe Harbor".
• We will use your personal data exclusively for the purpose of processing your reported vulnerability.
• We currently do not offer a bug bounty program and thus will not financially reward reports but we would like to recognize your contribution to improve our security by publicly expressing your positive cooperation with ALDI at our "Hall of Fame" page if you are the first to report a qualifying vulnerability and we have resolved it.

We require all security researchers to...

• Act in good faith and with extreme caution to avoid unwanted events, in particular privacy violations, degradation of our services, disruption to production systems, and destruction of data.
• Perform security research only within the scope - see Section 4 "In-Scope" and Section 5 "Out-of-Scope".
• Only use methods or techniques that are necessary to verify vulnerabilities. Do not exploit vulnerabilities beyond a proof of concept.
  • Do not modify and delete data that you do not own or have rights to access (if possible create own test accounts or test content to avoid affecting real users.
  • Do not upload any dangerous data (e.g. backdoor).
  • Do not try to access unnecessary amounts of data (e.g. one to ten instead of 1000 records).
  • Do not execute dangerous code/commands: (e.g. "whoami" instead of "sudo rm -rf").
• Provide sufficient information so that the vulnerability can be verified and reproduced. Proof of concepts are appreciated (e.g. code snippets, step by step instructions, videos).
• Report any vulnerability you have discovered in a timely manner.
• Only use the official channels to initially contact us - see Section 6 "Report Vulnerabilities".
• Keep information about any vulnerabilities you have discovered confidential until we have resolved the issue. This does not prevent notification of a vulnerability to 3rd parties to whom the vulnerability is directly relevant, but ALDI SOUTH group must not be referenced in such reports.
• Delete retrieved data as soon as it is no longer required and at most, one month after the vulnerability is resolved, whichever occurs soonest, unless otherwise regulated by law.

When conducting security research according to this policy, we consider this research to be:

• Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy.
• Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
• Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
• Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please contact us before going any further.

4.1 In-Scope vulnerabilities/ security tests

Any design or implementation issue that substantially affects the confidentiality or integrity of our services is in scope. Common examples include:

• Authentication or Authorization Flaws
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Local or Remote File Inclusions (LFI, RFI)
• Server-Side Request Forgery (SSRF)
• Server-Side Template Injection (SSTI)
• SQL Injection (SQLI)
• Remote Code Execution (RCE)
• XML External Entity (XXE)

4.2 In-Scope systems

Every ALDI SOUTH group website and mobile app that links to this policy is in scope. Unless stated otherwise, subdomains are not in scope.

5.1 Out-Scope vulnerabilities/ security tests

• Do not perform any testing that causes degradation to ALDI SOUTH group's services, e.g. Denial of Service, or heavy automated scanning.
• Do not perform social engineering attacks, including phishing.
• Do not perform any physical attacks.
• Do not perform lateral movement and post-exploitation past the initial exploitation.

5.2 Out-Scope systems

All systems that are not listed in Section 4.2 "In-Scope systems" are out of scope. In doubt get in touch with us.