Program Overview
Alshaya runs a vulnerability disclosure program on HackerOne. The program has 166 in-scope assets and is managed by HackerOne's triage team.
166
In-Scope Assets
7h
Avg Response
94%
Efficiency
119d
Avg Resolve
In-Scope Assets
| Asset | Type | Max Severity | Eligible |
|---|---|---|---|
| *.ahwetzeitounakuwait.com | WILDCARD | Critical | No Bounty |
| *.aloyoga.ae | WILDCARD | Critical | No Bounty |
| *.aloyoga.com.kw | WILDCARD | Critical | No Bounty |
| *.aloyoga.com.qa | WILDCARD | Critical | No Bounty |
| *.alshaya.com | WILDCARD | Critical | No Bounty |
| *.alshayaenterprises.com | WILDCARD | Critical | No Bounty |
| *.americaneagle.ae | WILDCARD | Critical | No Bounty |
| *.americaneagle.com.bh | WILDCARD | Critical | No Bounty |
| *.americaneagle.com.eg | WILDCARD | Critical | No Bounty |
| *.americaneagle.com.jo | WILDCARD | Critical | No Bounty |
| *.americaneagle.com.kw | WILDCARD | Critical | No Bounty |
| *.americaneagle.com.qa | WILDCARD | Critical | No Bounty |
| *.americaneagle.com.sa | WILDCARD | Critical | No Bounty |
| *.amitinoura.com | WILDCARD | Critical | No Bounty |
| *.aura-mena.com | WILDCARD | Critical | No Bounty |
| *.babelkwt.com | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.ae | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.com.bh | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.com.eg | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.com.kw | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.com.qa | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.com.sa | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.com.tr | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.jo | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.pl | WILDCARD | Critical | No Bounty |
| *.bathandbodyworks.ro | WILDCARD | Critical | No Bounty |
| *.bebabelkuwait.com/ | WILDCARD | Critical | No Bounty |
| *.bouchonbakeryme.com | WILDCARD | Critical | No Bounty |
| *.carrier.alshaya.com | WILDCARD | Critical | No Bounty |
| *.debenhams.ae | WILDCARD | Critical | No Bounty |
| *.debenhams.com.kw | WILDCARD | Critical | No Bounty |
| *.debenhams.sa | WILDCARD | Critical | No Bounty |
| *.footlocker.ae | WILDCARD | Critical | No Bounty |
| *.footlocker.com.bh | WILDCARD | Critical | No Bounty |
| *.footlocker.com.eg | WILDCARD | Critical | No Bounty |
| *.footlocker.qa | WILDCARD | Critical | No Bounty |
| *.kidzaniakuwait-tickets.com | WILDCARD | Critical | No Bounty |
| *.lepainquotidienme.com | WILDCARD | Critical | No Bounty |
| *.mothercare.ae | WILDCARD | Critical | No Bounty |
| *.mothercare.com.eg | WILDCARD | Critical | No Bounty |
| *.mothercare.com.kw | WILDCARD | Critical | No Bounty |
| *.mothercare.com.sa | WILDCARD | Critical | No Bounty |
| *.mothercare.qa | WILDCARD | Critical | No Bounty |
| *.muji.ae | WILDCARD | Critical | No Bounty |
| *.muji.bh | WILDCARD | Critical | No Bounty |
| *.muji.com.kw | WILDCARD | Critical | No Bounty |
| *.muji.com.sa | WILDCARD | Critical | No Bounty |
| *.muji.qa | WILDCARD | Critical | No Bounty |
| *.payless.com.kw | WILDCARD | Critical | No Bounty |
| *.paylessshoes.ae | WILDCARD | Critical | No Bounty |
Showing 50 of 166 in-scope assets. View all on HackerOne.
Out-of-Scope Assets
- *.thebodyshop.com.bh
- *.thebodyshop.com.kw
- *.thebodyshop.com.tr
- *.thebodyshop.pl
- *.thebodyshop.qa
- crm.alshayamarketing.com
- thebodyshop.cz
Tips for Hacking Alshaya
- Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
- Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
- Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
- Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
- Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.
Frequently Asked Questions
How do I start hacking Alshaya?
Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.
Does Alshaya pay bounties?
No, Alshaya runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.
What types of vulnerabilities does Alshaya accept?
Alshaya accepts reports for vulnerabilities found in their 166 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.