Vulnerability Reporting Policy
Report a Security Vulnerability
At METRO our top priority is the safety, security and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the METRO security team has committed to working with the community to verify, reproduce and respond to legitimate reports.
If you believe you've identified a potential security vulnerability in METRO services which are within the allowed scope of testing, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.
Please do not disclose any findings until we have had the opportunity to review and address them with you. We appreciate your help in keeping METRO secure for our community.
Responsible Disclosure Guidelines
To encourage responsible disclosure, METRO will not initiate any legal action against security researchers for assessing vulnerabilities if they adhere to this policy, including the following guidelines:
- METRO has partnered with HackerOne Inc. (in further text ‘HackerOne’) for our vulnerability disclosure program. Notify METRO and provide all details of vulnerabilities you find solely by using the HackerOne form below.
- Any vulnerability is solely reported through the HackerOne platform.
- Provide all details necessary to support validation and reproduction of the issue, including at least the IP address and the date/timestamp and, if applicable, the METRO account username.
- Employees of METRO and its affiliates (as defined in section 15 et seqq. of the German Stock Company Act – Aktiengesetz, jointly ‘METRO Group’) and any technology partners of METRO Group may not participate in this program.
- You may only test against your own METRO accounts. Do not interact with an enterprise and/or personal METRO account that you don’t own (such as by modifying or accessing data from the account).
- Do not access or attempt to access data that does not belong to you.
- Do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive data or probing for additional issues.)
- Do not perform actions that may negatively affect METRO or its users, such as executing or attempting to execute any “Denial of Service” attack; posting, transmitting, uploading, linking to, sending or storing any malicious software and/or file; or testing third-party applications, websites or services that integrate with or link to METRO applications.
- Do not conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure and employees of METRO.
- Do not test the physical security of METRO offices, stores, employees, equipment, etc.
- Do not violate any law or disrupt or compromise any data that is not your own.
- By reporting a security bug or vulnerability, you warrant that your report does not violate the intellectual property rights of any third party and give us the right to use your report for any related security purposes, such as remediation, internal analysis or improving security.
Reporting Vulnerabilities
Any vulnerabilities must be reported through the HackerOne platform strictly following METRO’s defined scope, assets and guidelines as set out in this Vulnerability Reporting Policy and under the following link:
Public Acknowledgement Policy
At this time, METRO does NOT maintain a public-facing list of externally reported issues and reporters.
Privacy
For details on how METRO uses, processes, and protects personal data, please see METRO’s Privacy Policy.
Policy Changes
METRO may cancel this program or change this policy at any time. Please review the current version of this policy before performing any vulnerability testing or taking any other action based on the policy.
Policy last updated on this date: 16/06/2025