Vulnerability Disclosure Program

Hy-Vee, Inc.(“Hy-Vee”) is a Midwestern grocery retailer with more than 275 stores across Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.

Hy-Vee’s Security Team is committed to protecting our users and their personal information. We encourage security researchers to work with us to find and mitigate security vulnerabilities in order to keep our businesses and customers safe. If you think you've found a vulnerability in one of our on our web sites or within our mobile apps, we kindly ask you that you disclose it to us as soon as possible in a responsible manner consistent with this Vulnerability Disclosure Program. We will investigate your report and respond to you as soon as possible. We look forward to working with you to resolve the issue.

Our Ask

Report the suspected vulnerability as soon as it is discovered.
Provide detailed reports with reproducible steps.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Do not disclose the vulnerability to others until it has been resolved and until Hy-Vee has provided its express consent to the disclosure.
Do not exploit or abuse the vulnerability discovered.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Our Commitment

We will promptly acknowledge the receipt of your vulnerability report
We will provide an estimate when the issue will be fixed.
We will notify you when the issue has been remediated.
We will publicly acknowledge your responsible disclosure only after the issue is resolved if you provide consent.

Out of Scope Vulnerabilities and Attacks

Social engineering (e.g. phishing, vishing, smishing)
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Any activity that could lead to the disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or bruteforce issues on non-authentication endpoints
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require unlikely user interaction

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

Thank you for helping keep Hy-Vee and our users safe!

</p> </div> <div id="footer-react" class="footer-container"></div> </form> <script type="text/javascript" src="/js/bootstrap.min.js"></script> <script type="text/javascript"> $(document).ready(function () { const footerElement = React.createElement(window.navigation.Footer); ReactDOM.render(footerElement, document.querySelector('.footer-container')); var toggles = document.querySelectorAll(".js-hamburger"); for (var i = toggles.length - 1; i >= 0; i--) { var toggle = toggles[i]; toggleHandler(toggle); }; function toggleHandler(toggle) { toggle.addEventListener("click", function (e) { e.preventDefault(); (this.classList.toString().indexOf("is-active") > 0) ? this.classList.remove("is-active") : this.classList.add("is-active"); }); } $(".search-query-input").focus(function () { $(this).parent().addClass('maximize'); }).blur(function () { $(this).parent().removeClass('maximize'); }); $(".mobileSearch").click(function () { $(this).toggleClass('active'); $(".c-hamburger--htx").removeClass('is-active'); $('#header .collapse').collapse('hide'); }); $(".js-hamburger").click(function () { $(".mobileSearch").removeClass('active'); $('#header .collapse').collapse('hide'); }); }); </script> <script type="text/javascript"> // makes the parallax elements function parallaxIt() { // create variables var $fwindow = $(window); var scrollTop = window.pageYOffset || document.documentElement.scrollTop; var $contents = []; var $backgrounds = []; // for each of content parallax element $('[data-type="content"]').each(function(index, e) { var $contentObj = $(this); $contentObj.__speed = ($contentObj.data('speed') || 1); $contentObj.__fgOffset = $contentObj.offset().top; $contents.push($contentObj); }); // for each of background parallax element $('[data-type="background"]').each(function() { var $backgroundObj = $(this); $backgroundObj.__speed = ($backgroundObj.data('speed') || 1); $backgroundObj.__fgOffset = $backgroundObj.offset().top; $backgrounds.push($backgroundObj); }); // update positions $fwindow.on('scroll resize', function() { scrollTop = window.pageYOffset || document.documentElement.scrollTop; $contents.forEach(function($contentObj) { var yPos = $contentObj.__fgOffset - scrollTop / $contentObj.__speed; $contentObj.css('top', yPos); }) $backgrounds.forEach(function($backgroundObj) { var yPos = -((scrollTop - $backgroundObj.__fgOffset) / $backgroundObj.__speed); $backgroundObj.css({ backgroundPosition: '50% ' + yPos + 'px' }); }); }); // triggers winodw scroll for refresh $fwindow.trigger('scroll'); }; parallaxIt(); </script>  </body> </html>