Report a Security Vulnerability
At Target, we take security seriously. If you are a security researcher and would like to report a potential security vulnerability in any of Target's guest-facing online services, please submit the details below for our security teams to review and investigate. Target will deal in good faith with security researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with this Policy and is committed to coordinating with you as openly and quickly as possible. In order to expedite this process, please provide all necessary details for our team to fully reproduce your issue.
To the extent that we are able, we will confirm with you the existence of any vulnerability and share with you any remediation steps taken by Target. After a vulnerability has been validated and fixed, we will seek to allow researchers to be recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized after the vulnerability has been addressed and requires the express written consent of Target. In the event the report you submit involves a third-party vendor, we will forward your report to that vendor.
1. Safe Harbor
Target will not take legal action against you related to any activities conducted in a manner consistent with this Policy and otherwise in good faith. Target reserves all of its legal rights in the event of noncompliance with this Policy.
2. Program Rules
- Read and abide by the program Policy.
- Perform testing using only accounts that are your own personal/test accounts.
- Immediately delete/destroy any sensitive information you may inadvertently access, and report your finding(s).
- Exercise caution when testing to avoid negative impacts to customers and the services they depend on.
- Stop testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
- Do not publicly disclose or share potential or confirmed vulnerability details without the written permission of Target.
- Do not brute-force or guess credentials in order to gain access to systems.
- Do not participate in or attempt denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not engage in any form of social engineering or deception of Target employees, customers, or vendors.
- Do not physically connect to a Target network or any other device within a Target store or Target property.
- Do not perform testing in a manner that could result in sending unsolicited messages to Target guests or team members.
- Do not engage or target any Target employee, customer, or vendor during your testing.
- Do not modify, expose, or exfiltrate data that you believe may contain personally identifiable information, Target intellectual property, or any other sensitive data other than your own.
- Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself, or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that could compromise the privacy or safety of any Target guest or team member.
- Do not perform any testing designed to cause destruction of data, or the interruption or degradation of Target services.
Target reserves the right to modify the terms and conditions of this program at any time and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our program terms and eligibility, which are effective upon posting.
Target uses HackerOne to help review and evaluate submissions. By clicking submit you agree to the HackerOne Terms and Conditions. If you do not agree to the HackerOne Terms and Conditions you may submit your information to firstname.lastname@example.org.