Background

In this Responsible Disclosure Policy, references to (a) “Kingfisher” are to be read as references to Kingfisher PLC and each of its group companies; and (b) “security researcher” or “you” are to security researchers who have responded to a task on the Kingfisher bug bounty programme board or  identify any vulnerability in a Kingfisher online business asset.

The security and integrity of its online business assets are of utmost importance to Kingfisher.  The provisions of this Responsible Disclosure Policy are intended to supplement BugCrowd’s terms and conditions.  In the event of a conflict between this Responsible Disclosure Policy, and BugCrowd’s terms and conditions, the provisions of this Responsible Disclosure Policy shall prevail.

If you have identified a vulnerability in any of our online assets, you must disclose that to Kingfisher in accordance with this Responsible Disclosure Policy using the submission form below. Kingfisher may, at its sole discretion, engage with security researchers where a vulnerability is reported pursuant to this Responsible Disclosure Policy. Where a security vulnerability is proven and verified by Kingfisher, we will remedy such vulnerability.

Agreement

By completing the submission form below, you agree to comply with, and be bound by, the provisions of this Responsible Disclosure Policy, and the BugCrowd terms and conditions.

Kingfisher’s Rights

Kingfisher reserves all of its rights to take action against security researchers who do not comply with this Responsible Disclosure Policy, including but not limited to immediate removal of the security researcher from any Kingfisher bug bounty programme.  Any submission which does not comply with the Responsible Disclosure Policy will not be considered by Kingfisher.

Reporting

If you identify an issue or security vulnerability in any of Kingfisher’s online assets, please report this to us using the submission form below.  Kingfisher will review the submissions it receives from security researchers, and determine if the vulnerability is proven and verified.  Where a security vulnerability is proven and verified, you may be eligible for monetary compensation if the vulnerability has not been previously reported. 

Remuneration & Eligibility

Kingfisher may issue monetary compensation to a security researcher in respect of any security vulnerability at its sole discretion.  Kingfisher is under no obligation to issue monetary compensation.

Kingfisher personnel, Kingfisher suppliers (and their personnel) and residents of countries on UK, EU or US sanctions lists are not eligible for monetary compensation.  If you fall into any of the aforementioned categories, you must mention this in your submission form.

Security Researcher Obligations

If you wish to submit a security vulnerability report using the form below.  In addition, and for your report to be considered by Kingfisher, you must:

  • Comply with all applicable laws, regulations and rules.
  • Provide true and accurate identification details.
  • Not do any of the following:
  •  Access, download, or modify data residing in an account that does not belong to you
  •  Execute or attempt to execute any “Denial of Service” attack
  •  Post, transmit, upload, link to, send, or store any malicious software
  •  Test in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages
  •  Test in a manner that would degrade the operation of any Kingfisher systems
  •  Test third-party applications, websites, or services that integrate with or link to Kingfisher systems
  •  Disclose, or otherwise share, any details of any Kingfisher security vulnerability with anyone other than Kingfisher.

General

The terms and conditions set out in this Responsible Disclosure Policy, and any matter arising in respect thereof, shall be governed by the laws of England.  The parties irrevocably submit to the exclusive jurisdiction of the courts of England and Wales in respect of any dispute or other proceeding arising in connection with this Responsible Disclosure Policy.