close popup
Skip to main content
Skip to footer
Back to Mobile Site
QuillPLUS Blue
Can you use an extra $850 annually? Become a member today.
Close

Help center

Vulnerability disclosure policy

Effective Date: February 1, 2021

Staples is committed to ensuring the security of our customers and the information they share with us via our online platforms and services. We also recognize the valuable efforts that security researchers play in highlighting cybersecurity vulnerabilities and concerns. The purpose of this policy is to provide clear guidelines for conducting vulnerability discovery activities and to convey how to submit discovered vulnerabilities.

Compliance

If you comply with this policy during your security research, and you discover and report security vulnerabilities in accordance with this policy, we will not take legal action against you. We reserve all legal rights in the event of any non-compliance with this policy.

Requirements

This policy requires that you:

  • Notify us as soon as possible after you discover a real or potential security issue;
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to systems and destruction or manipulation of data;
  • Only use exploits to the extent necessary to confirm a vulnerability's presence – do not use an exploit to collect, modify or delete data, establish persistent access or access and/or test other systems, networks or applications; and
  • Do not disclose the details of any alleged vulnerability to third parties without express written consent from Staples – unauthorized disclosure will deem the submission as noncompliant with this policy.

Once you've established that a vulnerability exists or encounter any confidential or sensitive data (including personal information, financial information, or proprietary information), you must stop your test, notify us immediately and not disclose this data to anyone else.

Test Methods

The following test methods are not authorized:

  • Denial of service (DoS or DDoS) tests or other tests that stress-test or have the potential to impair access to or damage systems, networks, applications or data, even if temporarily
  • Accessing, downloading or modifying data residing in an account that does not belong to you
  • Testing in a manner that would result in sending unsolicited or unauthorized junk mail, spam, e-mail notices, phone calls, text messages or other forms of unsolicited messages to other parties – including Staples associates, customers or partners
  • Social engineering, including but not limited to misrepresenting Staples or its personnel
  • Trespassing or other tests with a physical security aspect
  • Posting, transmitting, uploading, linking to, sending or storing any malicious software
  • Testing third-party systems, networks, applications, and services, even if operated on behalf of Staples

Scope

This policy applies to the following Staples family websites and services:

  • Staples.com
  • StaplesConnect.com
  • StaplesAdvantage.com
  • StaplesPromotionalProducts.com
  • Quill.com
  • HiTouchBusinessServices.com

Though we develop and maintain other Internet-accessible systems and services, research and testing under this policy is restricted to the systems and services listed in this section. If there is a particular system or service not in scope that you think merits testing, please contact us to discuss. We may change the scope of this policy over time.

Reporting a Vulnerability

We accept vulnerability reports via email to vulnerabilityreport@staples.com. Reports may be submitted anonymously.

What we would like to see from you

In order to help us triage and prioritize submissions, we recommend that your report:

  • Describes full details of the vulnerability and its location;
  • Provides step-by-step instructions for us to be able to validate and reproduce the finding; and
  • Includes any proof of concept scripts or resulting artifacts, such as screen captures.

What you can expect from us

If you submit a valid security vulnerability in compliance with this policy, we will:

  • Acknowledge the receipt of the report within 5 business days;
  • Communicate with you to understand and validate the issue as necessary; and
  • Address the submitted vulnerability as appropriate, as deemed by Staples.

Note that Staples does not operate a bug bounty program and we make no offer of compensation in exchange for submitting potential issues.

Staples may modify the terms of this policy or terminate this policy at any time.

Questions

If you are in doubt about the scope, acceptable test methods or any other provisions of this policy, you are encouraged to contact us first at vulnerabilityreport@staples.com. We also invite you to contact us with suggestions for improving this policy.

loadingLoading...