Vulnerability Reporting Policy

Report a Security Vulnerability

At METRO our top priority is the safety, security and control of our customers' data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the METRO security team has committed to working with the community to verify, reproduce and respond to legitimate reports.

If you believe you've identified a potential security vulnerability in METRO services which are within the allowed scope of testing, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.

Please do not disclose any findings until we have had the opportunity to review and address them with you. We appreciate your help in keeping METRO secure for our community.

Responsible Disclosure Guidelines

To encourage responsible disclosure, METRO will not initiate any legal action against security researchers for assessing vulnerabilities if they adhere to this policy, including the following guidelines:

  • METRO has partnered with HackerOne Inc. (hereinafter HackerOne) for our vulnerability disclosure program. Notify METRO and provide all details of vulnerabilities you find solely by using the HackerOne form below.
  • Any vulnerability is solely reported through the HackerOne platform.
  • Provide all necessary details of the vulnerability, including at least the IP address and the date/timestamp and, if applicable, the METRO account username, to support validation and reproduction of the issue.
  • Employees of METRO and its affiliates (as defined in section 15 et seqq. of the German Stock Company Act – Aktiengesetz, jointly ‘METRO Group’) and any technology partners of METRO Group may not participate in this program.
  • You may only test against accounts that you personally own. Do not interact with, access, or modify any account that does not belong to you.
  • Do not access or attempt to access data that does not belong to you.
  • Do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive data or probing for additional issues.)
  • Do not perform actions that may negatively affect METRO or its users, such as executing or attempting to execute any “Denial of Service” attack, posting, transmitting, uploading, linking to, sending or storing any malicious software and/or file, testing third-party applications, websites or services that integrate with or link to METRO applications.
  • Do not conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure and employees of METRO.
  • Do not test the physical security of METRO offices, stores, employees, equipment, etc.
  • Do not violate any law or disrupt or compromise any data that is not your own.
  • By reporting a security bug or vulnerability, you warrant that your report does not violate the intellectual property rights of any third party and give us a royalty-free license to use your report for any related security purposes, such as remediation, internal analysis or improving security.

Reporting Vulnerabilities

Any vulnerabilities must be reported through the HackerOne platform strictly following METRO’s defined scope, assets and guidelines as set out in this Vulnerability Reporting Policy and under the following link:

Public Acknowledgement Policy

At this time, METRO does NOT maintain a public facing list of externally reported issues and reporters.

Monetary awards may be granted exclusively for resolved CRITICAL and HIGH vulnerabilities. Other reported vulnerabilities may be eligible for non-monetary recognition at the sole discretion of METRO. An internal monthly committee is responsible for reviewing submissions and determining the appropriate rewards.

Privacy

The security vulnerabilities reported by you should not contain any personal data. In case the report needs to contain personal data to remediate a vulnerability, METRO AG is the data controller responsible for processing the personal data that you submit as part of a vulnerability report.

We process this information in order to validate, investigate, and manage reported security vulnerabilities and to improve the security of our systems. The legal basis for this processing is our legitimate interest in maintaining and enhancing the security of our digital services in accordance with Article 6(1)(f) of the General Data Protection Regulation (GDPR).

When you submit a report, we may process personal data such as your contact information, your IP address, relevant timestamps, and the technical details you provide regarding the vulnerability. We do not require any personal data relating to third parties, and we ask you not to include such information in your submission.

Your report will be reviewed by METRO’s internal security teams and, where applicable, by HackerOne.

We retain the personal data associated with your report only for as long as necessary to investigate and remediate the issue, to maintain accurate security records, and to comply with legal or regulatory obligations.

As a data subject, you have the right to request access to your personal data, as well as the right to request rectification, erasure, restriction of processing, and, in certain circumstances, to object to the processing. You may contact METRO’s Data Protection Officer using the contact details provided in METRO’s Privacy Policy to exercise these rights or to obtain more information about how METRO processes personal data.

For details on how METRO uses, processes, and protects personal data, please see METRO’s Privacy Policy.

Policy Changes

METRO may cancel this program or change this policy at any time. Please review the current version of this policy before performing any vulnerability testing or taking any other action based on the policy.


Policy last updated on this date: 16/06/2025