Walmart cares deeply about maintaining the trust and confidence that our customers place in us. Therefore, the security of our eCommerce platform is of paramount importance to us. If you are a security researcher and have discovered a security vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible manner. Walmart will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Walmart reserves all of its legal rights in the event of any noncompliance.
Walmart runs a bug bounty program for many of our services. More services are also added to the program from time to time as needed. If you are already part of our bug bounty program, please go to https://www.walmart.com/bugreporting to report a security bug for a service covered by it. Otherwise, we encourage security researchers to share the details of any suspected vulnerabilities with the Walmart Information Security Team by sending an email. Walmart will review the submission to determine if the finding is valid and has not been previously reported. If the finding is accepted, Walmart may choose to extend an invitation to you to participate in our bug bounty program in order to be awarded with monetary compensation for your efforts. Publicly disclosing the submission details of any identified or alleged vulnerability without express written consent from Walmart will deem the submission as noncompliant with this Responsible Disclosure Policy. In reporting any suspected vulnerabilities via email, please include the following information:
- Detailed information with steps for us to reproduce the vulnerability
- Your email address
- Whether you would like to be considered for our bug bounty program
You are prohibited from:
- accessing, downloading, or modifying data residing in an account that does not belong to you or attempt to do any of the foregoing;
- executing or attempting to execute any “Denial of Service” attack;
- posting, transmitting, uploading, linking to, sending, or storing any malicious software;
- testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages;
- testing in a manner that would degrade the operation of any Walmart properties; or
- testing third-party applications, websites, or services that integrate with or link to Walmart properties.
Requests for monetary compensation in connection with any identified or alleged vulnerability will be deemed noncompliant with this Responsible Disclosure Policy. Monetary compensation will only be awarded through our bug bounty program. Please indicate if you would like to be considered for inclusion in our program.
If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, Walmart commits to:
- Acknowledge receipt of your vulnerability report
- Work with you to understand and validate the issue
- Address the risk as deemed appropriate by Walmart team