Responsible Disclosure Process

If you discover a vulnerability in Hellmann's IT systems or web applications, please inform us. We will then take immediate action to address the reported vulnerability as quickly as possible.

Process

  1. Send your findings about the vulnerability to privacy@hellmann.com. Our e-mail servers offer transport security, but please do not hesitate to use PGP to encrypt and/or sign your documentation so that sensitive information does not reach the wrong hands.
  2. Provide sufficient information for us to reproduce and analyze the problem. Also provide a contact option for further questions.
  3. In order to optimize communication between you and the Hellmann Cyber Security Team and allow efficient risk handling, we ask you to use the provided template as far as reasonably possible.
  4. Do not exploit the vulnerability or problem by, for example, downloading, modifying, deleting data, or uploading code.
  5. Do not share information about the vulnerability with any third party or institution unless cleared to do so by Hellmann.
  6. Do not conduct attacks on our IT systems and web applications that compromise, alter, or tamper with infrastructure or people.
  7. Do not conduct social engineering (e.g., phishing), (distributed) denial of service, spam, or other attacks against Hellmann.

Contact us

PGP Key

Fingerprint of the PGP Key:

54DE 381D 2BB7 07D1 075C
9356 516C 2B22 C283 BC29

Template Vulnerability Report

If you would like to file an internal report of non-compliant behavior instead of reporting a vulnerability, please use the Whistleblower Hotline.


Qualified reporting of vulnerabilities

Any reproducible design or implementation problem at Hellmann that affects the confidentiality, integrity or availability of our systems or data can be reported.

Common examples are:

  • Cross Site Request Forgery (CSRF)
  • Cross Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Remote Code Execution (RCE) – Injection Flaws
  • Improper Error Handling
  • Unauthorized access to properties or accounts
  • Data/information leaks
  • Possibility of exfiltration of data / information
  • Active exploitable backdoors
  • Possibility of unauthorized system use
  • Misconfiguration

The following vulnerabilities do not fall within the scope of our Responsible Disclosure Process:

  • Attacks that require physical access to a user's device or network
  • Forms with missing cross-site request forgery (CSRF) tokens (exception: criticality exceeds Common Vulnerability Scoring System (CVSS) level 5)
  • Missing security headers that do not directly lead to an exploitable vulnerability
  • Use of a library known to be vulnerable or publicly known to be broken (without active evidence of exploitability)
  • Reports from automated tools or scans without explanatory documentation
  • Social engineering against individuals or entities of Hellmann as well as our suppliers and customers
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Bots, SPAM, mass registration
  • Non-compliance with best practices (e.g., certificate pinning, security headers)
  • Use of vulnerable and "weak" cipher suites/ciphers

Our Promise

We take immediate action to resolve the vulnerability. You will receive feedback from us on receipt of your report, as well as on the validity of the vulnerability and the resolution of the issue during the processing period.

If you act in accordance with the above instructions of Hellmann, law enforcement authorities will not be informed in connection with your findings. This does not apply if recognizable criminal or intelligence intentions are pursued. In case of doubt, please feel free to approach a trustworthy intermediary such as the Chaos Computer Club.

We will treat your report confidentially and will not disclose your personal data to third parties without your consent.

As a reporter, you will not be judged based on your age, education, gender, origin or social rank. We show this respect publicly and recognize your achievement. With your consent, we will mention the type of vulnerability closed, the date of your initial report, your name (or alias) and a contact address or social media profile of your choice in our Acknowledgments, in order to publicly express good cooperation with Hellmann.

Acknowledgments

2022-06-28
Anonymous
Faulty container configuration that favours clickjacking

2021-09-07
Mahad Ali (LinkedIn)
UI Redressing Hellmann Portal Login

2021-07-19
Anonymous
Output of non-public information Hellmann Track & Trace