Vulnerability Disclosure Policy

DHL Group cares about information security. We are committed to maintaining the confidentiality, integrity and availability of DHL Group systems and information to ensure the trust and confidence of our customers.

Therefore, the security of our online platforms and applications is of great importance to us. We ask that you disclose information security issues in a responsible way and in accordance with this Responsible Disclosure Process. We will then validate and fix vulnerabilities following our vulnerability management program.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve any vulnerabilities found quickly, and DHL Group will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue.
• Avoid privacy violations, confidentiality breaches, degradation of user experience, disruption to production systems, and destruction or manipulation of data. Do not cause harm to DHL Group, employees, customers, and users.
• Do not attempt to gain access to another user’s account or compromise any confidential information of DHL Group.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use any exploit to compromise or exfiltrate data, establish command line access and/or persistence, or to pivot to other systems.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly. Disclosure or public discussion of the issues are not allowed without prior written consent (including proof of concepts (PoC) on e.g., YouTube, Github, Twitter and Vimeo).
• Do not include any sensitive or personal data in the disclosed vulnerability report.

Once you’ve established that a vulnerability exists or you encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, report here, and do not disclose this data to anyone else. Do not try to use the existence of a vulnerability to access, store and use the data. Do not share your findings and investigations knowledge with anyone except DHL Group.

Since we use various automatic scanners for vulnerability management and gain those results as part of regular business, we cannot accept any submissions found by using automatic scanners.

Please consider below application related vulnerabilities and/or methods out of scope for this program:

• Self-XSS that can't be used to exploit other users
• Verbose messages/files/directory listings without disclosing any sensitive information
• CORS misconfiguration on non-sensitive endpoints
• Missing cookie flags except session related ones
• Missing security headers
• Cross-site Request Forgery with no or low impact
• Presence of autocomplete attribute on web forms
• Best practices violations (password complexity, expiration, re-use, etc.)
• Clickjacking on pages with no sensitive actions
• Cross-domain referrer leakage except links that are for sensitive operations (password reset, etc.)
• Anything related to email spoofing, SPF, DMARC or DKIM
• Email bombing
• HTTP Request smuggling without any proven impact
• Banner grabbing/Version disclosure
• Open ports without an accompanying proof-of-concept demonstrating vulnerability
• Weak SSL configurations and SSL/TLS scan reports
• Not stripping metadata of images
• Disclosing API keys without proven impact
• Same-site scripting
• Subdomain takeover without taken over the subdomain
• Arbitrary file upload without proof of the existence of the uploaded file
• Blind SSRF without proven business impact (DNS pingback only is not sufficient)
• F5 BIG-IP Cookie Information Disclosure without proven impact
• HTML injection without proven impact

• In case that a reported vulnerability was already known to us from our own tests or sources of vulnerabilities, it will be flagged as a duplicate.
• Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded, or be lowered in severity.
• Following tests and methods are also not authorized:
  
  1. Spam, social engineering, and physical intrusion
  2. DoS/DDoS attacks or brute force attacks
  3. Vulnerabilities that are limited to non-current browsers (older than 3 versions)
  4. Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts
  5. Tests that are continued after a vulnerability was found and lead to the compromise of our systems.
• Reports that state that software is out of date/vulnerable without a proof-of-concept are not accepted.

Please consider below mobile related vulnerabilities and/or methods out of scope for this program:

• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• Sensitive data in URLs/request bodies when protected by TLS
• Lack of obfuscation
• Path disclosure in the binary
• Lack of jailbreak & root detection
• Crashes due to malformed URL Schemes
• Lack of binary protection (anti-debugging) controls, mobile SSL pinning
• Snapshot/Pasteboard leakage
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• Attacks requiring physical access to the victim's device

This policy applies to all DHL Group Systems, including the following systems and services:

• *.dhl
• *.dhl.com
• *.dpdhl.com
• *.deutschepost.de
• *.dhl.de
• Any other domain from DHL Group companies
• Mobile apps owned by DHL Group companies

Anyservice not expressly listed above, such as any connected services, areexcluded from the scope and arenot authorized for testing. Additionally, vulnerabilities found in systems fromour vendors fall outside of this policy’s scope and should be reported directlyto the vendor according to their Vulnerability Disclosure Policy (if any).

Though we developand maintain other internet-accessible systems or services, we ask that activeresearch and testing only be conducted on the systems and services covered bythe scope of this document. If there is a particular system not in scope thatyou think merits testing, please contact us to discuss it first. We willincrease the scope of this policy over time. 

What we would like to see from you:

To help us process submissions, we recommend that your reports:

• Describe the location (URL) of the vulnerability that was discovered and the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
• Are in English, if possible.

Please send you reports to our Vulnerability Disclosure Program.

What you can expect from us:

When you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible.

We will acknowledge that your report has been received.

To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including issues or challenges that may delay resolution.

DHL Group does not provide payment to reporters for submitting vulnerabilities.

Reporters submitting vulnerabilities to DHL Group, in so doing, waive any claims to compensation.

By sending us a vulnerability report to our Vulnerability Disclosure Program, you agree to the above policy.