
Responsible Disclosure Policy
This page is intended to help security researchers interested in responsibly reporting security vulnerabilities to Noon in accordance with this policy.
At Noon, we highly value security to keep our users' e-wallets safe and to push the eCommerce ecosystem toward a safer, more trusted future. We consider the protection of customer data a significant responsibility and make it our highest priority to deliver our customers a remarkable experience at every stage of their journey. To achieve that goal, we invite the broader infosec community to take part in finding potential security risks in our systems. Noon embraces others' perspectives to build cyber resilience; together, we can achieve these goals through communication and collaboration.
Guidelines for Responsible Disclosure
Principles of responsible disclosure include, but are not limited to:
- Ensure your submission has practical and clear exploitation steps. We strongly discourage submitting low-severity or theoretical vulnerabilities and best-practice-related issues, since they do not qualify as part of this program;
- Perform research only within the "In Scope" section set out in this Policy;
- Keep information about any vulnerability you've discovered confidential between yourself and Noon until we have had a reasonable amount of time to review and resolve the issue. It is important to note that the time to triage incoming reports may vary depending on the complexity of the vulnerability and the risk that the vulnerability may pose, among others;
- To qualify as part of this program, researchers are expected to make every effort to avoid violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Please email your findings to our security team and include (i) a description of the location and the potential business/technical impact of the vulnerability and (ii) a detailed description of the steps required to reproduce the vulnerability, along with a suggested remediation.
In Scope
We are only interested in vulnerabilities in the following in-scope domains:
Please note that *.noon.com doesn't include third-party subdomains, as they are generally not eligible for rewards unless the reported vulnerability somehow affects sensitive subdomains or Noon customer data.
Out Of Scope
We want to be transparent with our researchers and do not want them to invest time in the following issues. The following are excluded from the scope and will not be eligible as part of this program:
- Submissions that are largely theoretical in nature and do not pose a severe security threat to our platform, customers, or partners;
- Any attempt to modify or destroy production data;
- Findings that require excessive or unrealistic levels of social engineering (e.g., phishing) to be exploited;
- Findings from applications or systems not listed in the "In Scope" section;
- Denial of Service (DoS/DDoS) vulnerabilities;
- Any attempt to access an existing customer's account or data;
- Anything not permitted by applicable law;
- Out-of-scope applications and domains: Noon Instant, Noon Daily (Grocery), Noon Food, and third-party subdomains (bandidos.noon.com, drivers.noon.com, etisalat.noon.com, partners.noon.com, or any domain primarily running behind a third-party application).
What You Can Expect From Us:
- We will work with you to understand and triage your report within a reasonable time.
- We will extend a private invitation to our HackerOne program to all hackers submitting valid critical or high-severity reports.
- For genuine ethical disclosures, we would be glad to publicly acknowledge your contribution in the Hall of Fame section on our website with your permission.
- While we appreciate the input of whitehat hackers, we may take legal recourse if the identified vulnerabilities are exploited for unlawful gain, to access restricted customer or system information, or to impair our systems.
If you would like to report a security vulnerability on any of our in-scope websites or apps, we request that you contact us immediately by emailing appsec at noon.com with clear details on how to reproduce the reported vulnerability. This may include screenshots, videos, or simple text instructions.
Thank you for helping keep Noon and our users safe!
FAQs
Can I get a reward if I report a vulnerability in your applications?
Yes. Reproducible security bugs rated high severity or above are eligible. Medium and lower-severity bugs are considered on a case-by-case basis.
Can I get invited to your bug bounty program on HackerOne?
We will extend a private invitation to our HackerOne program to all hackers submitting valid critical or high-severity reports.
What services/applications are in scope?
The primary applications eligible under this program are *.noon.com and *.sivvi.com. For more details, please refer to the "In Scope" and "Out Of Scope" sections of this page.