Vulnerability Disclosure Policy
At MSC Cruises the security and privacy of our customers, partners, and stakeholders are our utmost priorities. To enhance our security measures, we welcome the expertise of ethical hackers and security researchers in identifying and mitigating vulnerabilities within our systems, including our websites and mobile application.
This Vulnerability Disclosure (VD) Policy outlines the process for reporting potential security issues responsibly. The purpose of this Policy is to create a structured and secure method for participants to disclose vulnerabilities, ensuring that these issues are addressed promptly while minimizing risks to our customers and digital infrastructure.
By establishing this VD Policy, we aim to:
- Foster collaboration with the security research community;
- Enhance the overall security posture of our digital assets;
- Ensure the timely and effective resolution of reported vulnerabilities.
Cyber Security Vulnerability Disclosure Policy
1. Scope
1.1. Assets
The below websites and mobile applications operated by MSC Cruises:
- MSC For Me Mobile Application, available on both the Apple App Store (iOS) and the Google Play Store (Android);
- B2B website;
- B2C website, including local markets websites;
- Explora Journeys website;
- Family & Friends website.
1.2. Vulnerabilities
MSC Cruises' Vulnerability Disclosure policy encompasses all existing vulnerabilities, with the exception of those expressly excluded in section 1.3.1. For this purpose, a non-exhaustive list of potential vulnerabilities within MSC Cruises' operating environment is provided for informational purposes only.
- Unauthorized access to a guest’s reservation or account;
- Application bugs resulting in unintended cabin rate changes;
- Authentication bypass vulnerabilities;
- Unauthorized access to back-end systems via front-end systems;
- Business logic flaws potentially leading to financial gain for an attacker (e.g., forced rate change);
- Large-scale bypass of account recovery systems;
- Container escape vulnerabilities within our infrastructure;
- Discovery of MSC Cruises data on public cloud storage services managed by the company;
- Unauthorized elevation of customer’s membership tier status;
- Improper use or unauthorized access to MSC Cruises loyalty points;
- Highly creative methods for automating account checking or rate scraping (e.g., botting);
- Creative techniques for discovering origin IP addresses;
- Techniques for spoofing email messages effectively;
- Unauthorized online changes to account or award reservation names;
- Exposure of publicly available cloud systems containing MSC Cruises information;
- SQL Injection vulnerabilities;
- Cross-Site Request Forgery (CSRF) vulnerabilities;
- Exploitable Cross-Site Scripting (XSS) vulnerabilities;
- Web Application Firewall (WAF) bypass techniques;
- Exposure of sensitive personal information (e.g., personal data, full payment card information, passport information, precise geolocation, health data, phone numbers);
- Combinations of multiple data elements that increase the severity of the vulnerability.
This list is not exhaustive but serves as a guide to the types of vulnerabilities we are particularly concerned about. If you identify any other issues that you believe could impact the security of our customers, partners, or systems, we encourage you to report them responsibly. Your proactive engagement is essential in helping us ensure a secure environment for everyone.
1.3. Out of Scope
1.3.1. Prohibited actions
The following activities are considered prohibited and are out of the scope of this Policy:
- Any activity that could lead to the disruption of our service/infrastructure (Denial of Service, DoS), including on board our ships;
- Attacks requiring Man-In-The-Middle (MITM) or physical access to a user's device;
- Attacks requiring physical access to an MSC Cruises employee, contractor, or guest device;
- Issues related to autocomplete on web forms;
- Clickjacking on pages with no sensitive actions unless an effective exploit can be demonstrated;
- Client-side browser vulnerabilities;
- Comma Separated Values (CSV) injection without demonstrating a vulnerability;
- Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS;
- Data entry-based cabin rate errors;
- Denial of inventory;
- Password and account recovery policy issues, including complexity requirements;
- Social engineering attacks (such as phishing or spear-phishing attacks);
- POST-based reports requiring a victim to request files hosted on out-of-scope assets;
- Reports concerning previously known vulnerable libraries without a working Proof of Concept (PoC);
- Reports originating from automated tools or scanners (e.g., Burp, sqlmap, Acunetix, etc.) without manual verification;
- Self-exploitation;
- Software version disclosure without demonstrating a vulnerability;
- Issues related to SSL/TLS best practices;
- Unauthenticated/logout/login Cross-Site Request Forgery (CSRF);
- Vulnerabilities that cannot be reproduced;
- Interaction with an individual account (including modifying or accessing data from the account) without the account owner's consent;
- Violation of any applicable laws or regulations, including those prohibiting unauthorized access to data, such as personal data (data related to an identified or identifiable natural person), except where such access is expressly permitted for the sole purpose of the vulnerability disclosure under the terms of this Policy and the accompanying Data Processing Agreement (DPA);
- Publicly disclosing a vulnerability, directly or indirectly (e.g., posting it in public video streams, listed or not);
- Attempting to affect a property's (e.g., MSC Cruises ships) availability by making unintended reservations;
- Sending reports from automated tools without verifying a working PoC;
- Modification or deletion of any files or data, including permissions;
- Interrupting normal operations (e.g., triggering a reboot);
- Creating and maintaining a persistent connection to the server;
- Intentionally viewing any files or data beyond what is needed to prove the vulnerability;
- Contacting MSC Cruises employees directly for support, sales, or requests related to a submitted report;
- Mass creation of users, groups, and projects;
- Typo-squatting or other name-squatting activities;
- Spam-like or other high-volume activities;
- Using automated scanning tools to scan MSC Cruises assets;
- Using malicious payloads while confirming stored XSS vulnerabilities;
- Data Exfiltration: Transferring, storing, or sharing any data accessed during security testing, especially personal or sensitive information.
The above prohibited actions are put in place to ensure the security and stability of our services while allowing for responsible and effective vulnerability reporting. Any activities that fall outside the permitted scope may result in the consequences outlined in section 6.
2. Confidentiality Requirements and Disclosure Policy
You must not share your findings with any third parties until MSC Cruises has had the chance to respond and address the reported vulnerabilities. Any disclosure requests must be coordinated with and explicitly approved by MSC Cruises. If you decide to disclose information about a vulnerability that has been fixed after approval from MSC Cruises, you must remove all identifying information and avoid using MSC Cruises’ name, trademarks, or logos. Additionally, do not state or imply that your work was approved or endorsed by MSC Cruises.
This ensures that all activities are performed responsibly and within the boundaries of our coordinated vulnerability disclosure framework. Your cooperation is vital for maintaining the integrity of our systems and the trust of our community.
3. Reporting a Vulnerability
3.1. Reporting Channel and Structure
To report a vulnerability, please use the link below. Kindly be aware that by submitting a vulnerability disclosure report, you expressly agree to the terms of this Vulnerability Disclosure Policy and the accompanying Data Processing Agreement (DPA). Your submission constitutes acceptance of all obligations and requirements set forth in these documents. If you do not agree to these terms, please do not submit a report.
Your submission should include:
- A detailed description of the vulnerability and its potential impact;
- Evidence and explanations of all steps needed to reproduce the vulnerability, such as:
  - CVSS 4.0 Vector & Score;
  - CVE ID (if available);
  - Screenshots;
  - Videos;
  - Exploit code/payload;
  - Web/API requests and responses;
  - Email address or user ID of any test accounts;
  - IP address used during testing;
- Suggested workarounds or mitigation strategies.
3.2. Privacy Obligation
While identifying vulnerabilities may inevitably lead to access to confidential information and personal data of our organization or its data subjects, participants acting in good faith and following this Policy will not face punitive actions.
The objective of this Policy is also granting you the authorization to process personal data strictly as necessary to identify, research, or investigate vulnerabilities within the defined scope and following the instructions provided for within this Policy. Any additional or unnecessary access to personal data, including that resulting from prohibited actions, is not permissible.
As a participant in this Policy, you are contractually obliged to handle any personal data you access with the utmost care and in accordance with Annex I of this Policy and applicable data protection law. Circumventing this Policy may result in you being considered an independent data controller for any further use of impacted personal data, thereby exempting MSC Cruises from any liability, including the application of any legal measures outlined in Section 6.
We cannot collaborate with anyone who violates laws or regulations or attempts to exploit a security issue maliciously. When researching security issues that may compromise user privacy, always use test accounts. If you cannot reproduce an issue with a test account, you may use a real account (except for automated testing). In such cases, you must strictly adhere to this Policy and only access personal data if it is absolutely necessary. MSC Cruises reserves the right to take the necessary legal actions against those who access the systems outside the perimeter of this Policy.
If you accidentally cause a privacy violation or disruption while investigating an issue or identifying a vulnerability, you must disclose this in your report.
3.3. Coordination and Response
Upon receiving a vulnerability report, we are committed to ensuring a structured and responsive process.
First, we will acknowledge receipt of your report, ensuring you are aware that we have begun reviewing your submission.
Following this, we will provide an initial assessment of the vulnerability, outlining the potential impact and an expected timeline for resolution. Throughout the investigation and remediation process, we will maintain communication with you in case we require further input.
This approach ensures transparency and collaboration, allowing us to address vulnerabilities and solutions efficiently.
Furthermore, we will outline the timelines for triage and processing. We will also try to address questions you may have during the investigation, at our discretion, to the extent we consider it helpful for the handling of the vulnerability. To ensure a thorough evaluation, each report must include a detailed description of the vulnerability along with clear reproduction steps. If this information is not detailed or cannot be verified, we will classify the report as “incomplete” or “unsubstantiated.”
We aim to ensure a swift and efficient handling of your submission. Your detailed and timely information is essential for us to effectively address the reported vulnerability.
4. Compensation
At this time, we do not offer monetary or non-monetary rewards for vulnerability reports. However, we deeply appreciate your efforts in identifying and reporting security issues. Your contributions play a crucial role in enhancing our security posture, and we are grateful for your support.
4.1. Eligibility
MSC Cruises reserves the exclusive right to determine the severity and validity of reported vulnerabilities, including whether a vulnerability has been previously reported.
For your submission to be eligible, you must meet the following criteria:
- Be the first to report the vulnerability;
- Adhere to all guidelines outlined in section 3;
- Ensure the reported vulnerability affects one of the domains listed in scope;
- Refrain from performing any actions listed under 'Prohibited Actions', including any other actions that could disrupt, degrade, or otherwise negatively impact our services;
- Engage in testing activities strictly within the scope defined by this Policy;
- Disclose the vulnerability report directly and exclusively to MSC Cruises;
- Without prejudice to section 3, refrain from publicly disclosing vulnerability details before we have had the opportunity to address and resolve them.
By following these guidelines, you help us ensure a secure and effective vulnerability reporting process, making it possible for us to recognize your valuable contributions appropriately.
5. Legal Safe Harbor
We are committed to fostering a collaborative and secure environment for vulnerability research. To this end, we authorize security research that adheres to this Policy and assure you that we will not pursue legal action against you, provided you act in good faith and within the boundaries set by this Policy.
Participants acting in good faith play a crucial role in enhancing our security posture. We recognize the importance of your contributions and are committed to protecting those who responsibly disclose vulnerabilities. As long as you follow the guidelines outlined in this Policy, we will not initiate legal proceedings based on your research activities or the vulnerabilities you uncover.
MSC Cruises acknowledges that the intention behind these activities is to improve security and protect our users. Therefore, we will not take legal action against researchers who inadvertently access personal data or other information during their investigation, provided any privacy violation, disruption or security incident is promptly disclosed in their report and that activities were not conducted maliciously, strictly following the indications and instructions outlined in this Policy. Nevertheless, depending on the circumstances of the case, we may have to report the data breach to the data subject or the authority as required by the applicable law.
We value the collaborative efforts of the security research community and encourage open, constructive communication to continually improve the security of our systems. Your ethical and responsible behavior in identifying and reporting vulnerabilities is vital to our ongoing efforts to safeguard our users and infrastructure.
6. Consequences of Non-Compliance
The failure by any individual or entity to adhere to the guidelines and instructions set forth in this Policy, particularly when acting in bad faith, will result in one or a combination of the following consequences:
- Forfeiture of Recognition: Any recognition associated with the vulnerability report will be forfeited if the guidelines and instructions of this Policy are not followed.
- Revocation of Safe Harbor Protections: Safe harbor protections are provided to those who act in good faith and adhere to this Policy. Any unauthorized activities or violations of scope may result in the immediate revocation of these protections, exposing you to legal actions by MSC Cruises.
- Legal Actions: Non-compliance may result in MSC Cruises taking appropriate legal actions, including civil litigation, injunctive relief, reporting to law enforcement authorities, and criminal prosecution where applicable.
7. Indemnification
You agree to indemnify, defend, and hold harmless MSC Cruises, its officers, directors, employees, agents, and affiliates from and against any claims, liabilities, damages, losses, and expenses, including reasonable legal fees and costs.
8. Reporting Non-Compliance
If you suspect or become aware of any activities that violate this Policy, please report them immediately to MSC Cruises.
9. Contact Us
If you have any questions, need further clarification, or wish to report a vulnerability, please do not hesitate to contact us.
For urgent matters or to report a critical vulnerability, please mark your submission as "URGENT" in the subject line.
Personal Data Processing Agreement
1. Introduction
This Data Processing Agreement ("DPA") is an integral part of the Cyber Vulnerability Disclosure Policy ("Policy") and is concluded between MSC Cruises S.A. ("MSC Cruises" or "Data Controller") and the "Participants" who report vulnerabilities in accordance with the Policy ("Data Processor").
This DPA applies to all processing of personal data that may be exceptionally accessed or processed by Participants while investigating and reporting vulnerabilities under the Policy. By submitting a vulnerability report, Participants agree to adhere to this DPA and the clauses laid out herein.
2. Obligations and Rights of the Data Processor
2.1 Instructions
Data Processor shall process personal data only on documented instructions from the Data Controller contained in the Policy. This includes any transfers of personal data to a third country or an international organization, unless such processing is required by applicable law to which the Data Processor is subject.
In that regard, the transfer of personal data to third countries shall be carried out only on the basis of adequate legal safeguards.
2.2 Security Measures
Data Processor shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. Such measures must meet the requirements of Articles 32 to 36 GDPR, where applicable, and ensure a level of security appropriate to the risk, including:
- Encryption of personal data;
- Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems;
- Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- Regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
- Secure management of maintenance and support activities, ensuring minimal data processing, use of secure channels for data migration, and proper data deletion after use.
2.3 Sub-processors
Participants shall not engage any sub-processors to process personal data without the prior specific written authorization of MSC Cruises.
2.4 Data Subject Rights
Data Processor shall assist Data Controller in responding to data subject requests under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection.
2.5 Data Breach Notification
Data Processor shall notify Data Controller without undue delay upon becoming aware of a personal data breach, providing sufficient information to allow the Data Controller to meet any obligations to report or inform data subjects of the breach as per applicable data protection law.
2.6 Data Retention and Deletion
Data Processor shall delete or return all personal data it may have accessed immediately after reporting the vulnerability, in accordance with the Policy.
2.7 Assistance with Compliance
Data Processor shall assist Data Controller in ensuring compliance with GDPR Articles 32 to 36, sharing all relevant information described in the Policy.
2.8 Liability
If Data Processor infringes this DPA by determining the purposes and means of processing, it shall be considered a Data Controller in respect of that processing and shall bear full responsibility for it. Section 6 of the Policy shall apply as well.
3. Obligations and Rights of the Data Controller
3.1 Instructions
Data Controller provides documented instructions for data processing activities via the Policy.
4. Contact Information for Data Protection Matters
4.1 Data Controller
All communications regarding data protection matters shall be directed to the Data Protection Officer at dpo@msccruises.com.
5. Governing Law
This DPA is governed by the laws of Switzerland. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Geneva, Switzerland.