Barry Callebaut is committed to protecting the confidentiality of consumer and employee personal information and the availability of our information systems. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us for review. We encourage you to contact us to report vulnerabilities in our websites and systems.

If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve reported issues quickly. Barry Callebaut will not recommend or pursue legal action related to your research.

Please note that Barry Callebaut does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential security concerns or vulnerabilities.

Barry Callebaut suggests the following guidelines for researchers who may report a vulnerability or conduct legitimate research. Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction or manipulation of data
• Only use exploits to the extent necessary to confirm the presence of a vulnerability
• Do not use an exploit to compromise or exfiltrate data, establish persistent unauthorized access or use the exploit to pivot to other systems
• Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Please email [email protected] to report a vulnerability. To help us triage and prioritize submissions, we recommend that your report includes:

• When the vulnerability or issue was identified
• Describe the system or product for which the vulnerability was discovered
• Describe the steps needed to reproduce the vulnerability
• Any remediation suggestions or ideas to address the vulnerability
• Barry Callebaut commits to acknowledging all submissions within 3 business days and appreciates your participation.

The scope of this program includes all Barry Callebaut websites owned or licensed by the company; all Internet-facing business systems; and Internet-connected products and mobile-associated applications. The program does not include:

• Social engineering or phishing campaigns directed at Barry Callebaut employees
• Denial of Service (DoS) attacks against Barry Callebaut websites or business applications
• Any other unauthorized activities intended for malicious intent

Please contact Barry Callebaut at [email protected] with questions about this program or to report a vulnerability.

We reserve the right to change the content of this Policy at any time or to terminate the Policy.

What is not necessary to report on?

• Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
• Contact Forms without limit of submission
• Disclosure of known public files or directories (e.g. robots.txt)
• Banner disclosure on common/public services without a PoC
• Security header configurations or missing header
• Lack of Secure/HTTPOnly flags on non-sensitive cookies

What do you do with my personal data?

We also value privacy at Barry Callebaut, following data protection standards like GDPR, we keep the minimum amount of information about you, for a limited time and only for the sole purpose of communicating with you.

Therefore, when you communicate with us, we collect your name (or your given pseudonym) and your email address.  These are the only personal information that we need. We keep this information as long as we are dealing with your responsible disclosure. Once the case is closed, we will keep your data for as much as 1 year after the date of closing. After that, we delete your data.

When will I hear from you after making a disclosure?

Your submission should be acknowledged in due course normally within 72 hours. The disclosure will then need to be validated after which you will be contacted again usually within 10 business days. Please note that we might not be able to reply to low-quality reports.

Do you recruit?

We are constantly looking for skilled Security professionals! Feel free to consult our Job offers at https://jobs.barry-callebaut.com/.

Can I publish anything about the vulnerability after my disclosure?

We ask that all Disclosures be kept confidential to protect our community. Under very specific circumstances, and concerning Major disclosures, we can foresee a common public communication. However, this must be agreed upon beforehand at [email protected].