McDelivery Bug Bounty Program
McDonald's India (West & South), i.e. Hardcastle Restaurants Private Limited (“HRPL” or “the Company”), has taken the initiative to launch a “Bug Bounty Program” to honour independent security groups or individual researchers (“Reporter” or “Reporters”) who can help us identify any potential security flaw (“bug”) and keep our users’ data safe. This includes only genuine security issues and valid non-security issues (“valid bug”) on all HRPL-owned Web and Mobile Application platforms for McDelivery.
Guidelines
All Reporters are expected to adhere to the following guidelines:
- Report their findings by sending an email to bugbounty@mcdonaldsindia.com without disclosing any information in the public domain. Reporters need to allow HRPL at least 10 business days to respond.
- This program shall be governed by the terms and conditions as enumerated in the ‘Confidentiality Terms’ and such other terms and conditions as may be updated/amended by HRPL from time to time on its website at www.mcdelivery.co.in.
- Confidentiality obligations as enumerated in the Confidentiality Terms should always be adhered to by the Reporter. Any disclosure in the public domain will result in suspension of the Reporter from the Bug Bounty Program, whereafter the Reporter shall not be eligible to get any rewards, and HRPL shall reserve the right to sue the Reporter for damages arising from such disclosure.
- The HRPL team might take at least 6 to 8 weeks to fix a valid bug based on the criticality level. The criticality level of a valid bug shall be determined solely by HRPL.
- During security testing, there should not be a) any disruption to production systems, b) destruction of data or c) any impact on user data.
- Any public disclosure without the prior written approval of HRPL, or any misuse of information, will entitle HRPL to take appropriate legal action.
Rewards
The monetary reward for each valid bug reported would be based on the criticality of the issue. As mentioned above, the level of criticality shall be determined at the sole discretion of HRPL. The reward for a valid bug will be Rs. 2,500/- (Rupees Two Thousand Five Hundred only) in the form of coupons (applicable only in McDonald’s India West & South). Such coupons shall need to be used within the validity period mentioned therein and shall not be encashable or transferable. All rewards shall be subject to taxes as applicable. HRPL reserves all rights to modify the rewards program at its sole discretion. Reporters who have successfully reported a valid bug shall be contacted on their registered email ID for passing on their rewards. HRPL’s decision on all matters relating to the validity of the bug and the rewards under the Bug Bounty Program shall be final and binding on the Reporters.
Program Scope
The following applications/systems will be in the scope of the program:
1. McDelivery Web Application (www.mcdelivery.co.in);
2. McDelivery Mobile Application – Android / iOS;
3. McDelivery APIs;
4. Infrastructure Security.
Out-of-Scope
The following applications/systems will be out of scope of the program:
1. 3rd-party vendor Applications / API Endpoints.
The following ‘areas’ are considered to be within the scope of the program:
1. Cross-Site Scripting (XSS);
2. SQL Injection;
3. Cross-Site Request Forgery (CSRF);
4. Sensitive customer data / Bulk users sensitive information leak;
5. APIs Vulnerabilities;
6. Authentication Flaws;
7. Session flaws;
8. Business logic flaws;
9. Remote Code Execution;
10. Any vulnerability that can affect our users/brand.
Out-of-Scope
The following ‘areas’ are considered to be out of scope of the program:
1. Issues related to software/application not under McDelivery control;
2. DDoS attacks;
3. Minor issues like version disclosures;
4. Best-practice recommendations.
Significant Contributors
Confidentiality Terms
All Reporters participating under the Bug Bounty Program shall be bound by the Confidentiality Terms mentioned hereunder.
1. The Reporter, including his/her employees, agents, associates, affiliates and representatives, shall not disclose or cause to be disclosed, directly or indirectly, the materials, information, data and all other facts and figures, including but not limited to sales numbers, volume numbers, reports, notes, recipes, processes, projections, specifications, operational methods, know-how, techniques, services, costs, sources of supply, customer lists, sales, profits, pricing methods, personnel, business relationships, intellectual property and the like (hereinafter collectively referred to as “Confidential Information”), relating to or concerning HRPL, provided that Confidential Information shall not include any information which is approved for release by prior written authorization of HRPL.
2. The Reporter expressly acknowledges that all such Confidential Information is owned solely by HRPL or shall remain the exclusive property of HRPL and constitutes valuable trade secrets of HRPL, and that the unauthorised disclosure or use of such Confidential Information by or through the Reporter directly or indirectly, will cause irreparable harm to HRPL. Further, the Reporter shall immediately notify HRPL of any misuse, misappropriation or unauthorized disclosure of Confidential Information.
3. The Reporter recognizes and agrees that nothing contained in these terms shall be construed as granting or conferring any rights by agency, partnership, joint venture or license or otherwise, expressly or impliedly, to or upon the Reporter for any Confidential Information that may be disclosed to Reporter or accessed by the Reporter by virtue of the nature of this Bug Bounty Program.
4. The Reporter recognises and acknowledges that Confidential Information is of a special, unique and extraordinary character to HRPL and that any unauthorised disclosure, misappropriation or unauthorised use of such Confidential Information by the Reporter may cause serious injury to HRPL. The Reporter expressly agrees therefore that HRPL shall be entitled to seek injunctive and other equitable relief to prevent the breach or the further breach of any of the terms and provisions hereof. For the removal of doubt, it is hereby clarified that the said injunctive and other equitable relief shall be without prejudice to any other remedies available to HRPL under law.
5. The Reporter shall indemnify HRPL, and keep HRPL harmless and fully and effectively indemnified, from and against any loss and/or damage which HRPL may suffer or incur on account of any breach committed by the Reporter in respect of any of the terms herein.
6. The invalidity or unenforceability of any provisions herein shall not affect the validity or enforceability of any other provision.
7. Nothing contained in these terms shall be construed to obligate HRPL to disclose any information to the Reporter.
8. Any notice or communication to be given under these terms shall be given if delivered in writing to the intended Reporter at the registered email address of the Reporter.
9. The Confidentiality Terms shall be fully binding upon all the Reporters or any person wanting to participate in the Bug Bounty Program.
10. The Reporter shall not make any assignment of these terms or of any interest therein.
11. The failure of HRPL to insist upon or enforce strict performance of any of the provisions hereof, or to exercise any rights or remedies under these terms, shall not be construed as a waiver or relinquishment to any extent of HRPL’s rights to assert or rely upon any such provisions, rights or remedies in that or any other instance; rather, the same shall remain in full force and effect.
12. These terms shall be governed by, construed and enforced in accordance with the laws of India.
13. The courts in Mumbai shall have exclusive jurisdiction over disputes arising out of these Confidentiality Terms.