Acushnet Holdings Corp Vulnerability Reporting Program

Services in scope

In principle, all web services owned by Acushnet Golf are in scope. If you found this document by following the directions in [FQDN]/.well-known/security.txt, the site you came from is in scope.

Forbidden Activities

To guarantee availability of our services to all, do not attempt to carry out DoS attacks, leverage black hat techniques, spam people, or perform other unethical testing or attacks. We also forbid the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.

Qualifying vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data or Acushnet infrastructure is in scope. Common examples include:

Non-qualifying vulnerabilities

We review all vulnerabilities on a case-by-case basis. Low-risk vulnerabilities are not qualifying vulnerabilities, are out of scope of this program, and need not be reported. Some examples of such low-risk vulnerabilities include:

Investigation and reporting of vulnerabilities

When conducting research, never target an account other than your own. Never attempt to access anyone else's information. Please be brief and provide a short proof of concept. A person of reasonable technical ability should be able to reproduce your results.

Messages must be submitted as PGP encrypted email messages sent to the contact email address noted within security.txt. Vulnerability reports should be in the .pdf file format, attached to the message, and also PGP encrypted.

Rewards Program

Acushnet Holdings Corp. does not guarantee a monetary reward for reporting vulnerabilities. Reported vulnerabilities are examined on a case-by-case basis. The reported vulnerability must be of sufficient severity to severely endanger the users of our web apps, our infrastructure, or our operations.