Mintel Responsible Disclosure & Bug Bounty Program
Temporary Pause for Updates:
Please note that our systems are currently undergoing updates and improvements by our teams. During this period, we have temporarily paused the acceptance of new bug reports.
Mintel aims to deliver secure, available and low-error products and services for the enjoyment of our clients. However, we recognise that in a changing environment of software development delivery and varied system complexity, vulnerabilities can exist.
Recognising the power of crowdsourcing, our intent is to engage with security researchers via a bug bounty program, rewarding validated findings inside our specified scope of interest.
Eligibility & Responsible Disclosure Conditions
If you believe you have found a security bug inside our scope of interest, we will be happy to work with you to remediate and will reward you for valid findings.
To receive a monetary reward from Mintel for valid reports:
- The vulnerability must be both inside our scope of interest and meet our qualifying vulnerability criteria.
- You must be the first to report the vulnerability.
Reports should provide clear descriptions of the bug such as:
- Where it was found
- Supporting documentation
- How to reproduce the issue (such as screenshots, walkthroughs, POC code)
Responsible Disclosure Conditions
As part of working with responsible researchers, there are some rules that Mintel requires to be adhered to:
- You shall not perform denial of service or other tests likely to interrupt our operational capability.
- You are not permitted to retain, leak or manipulate any Mintel data.
- You are ineligible to participate if you are a current or ex-employee.
- Disclosure to public websites and third parties shall not take place until a fix is in place and the researcher has sought and gained permission from Mintel.
Scope of Interest
The asset scopes in the table below are the only ones for which we will pay monetary reward for valid reports at this time.
Vulnerabilities will be scored using CVSS together with organisational context at the time of submission to determine severity.
Please note we do not offer test accounts for authenticated testing at this time.
Qualifying & Non-Qualifying Vulnerabilities
To assist security researchers and the bug bounty community, we wish to describe the types of vulnerabilities we will (and won't) consider for reward.
Qualifying Vulnerabilities
- Remote Code Execution (RCE)
- Insecure authentication
- Privilege escalation
- Local file access and/or manipulation
- Code injection attacks
- Insecure session management
- Insecure Direct Object References (IDOR)
- 1st party secrets discovery
Non-Qualifying Vulnerabilities
- Software version disclosure
- SSL/TLS best practice
- Brute force attacks
- Denial of Service (DOS) attacks
- SPF/DKIM/DMARC record dumps
- Recently disclosed 0-day vulnerabilities
- Stack traces
- Missing cookie flags
- Missing / misconfigured security headers
- Unvalidated web scanner output
- Attacks that require social engineering
This is not an exhaustive list, and as such we would still encourage you to submit vulnerabilities that have demonstrable impact and do not appear on the non-qualifying list.
Mintel will pay invoiced cash rewards via bank transfer once a fix is in place and verified. Mintel will not issue rewards via payment platforms or cryptocurrencies. Please be aware that Mintel operates on a monthly payment run, which may result in extended payment timescales.
Please contact us at firstname.lastname@example.org to submit your findings or if you have further questions.