Allbirds is deeply committed to maintaining the security of its digital infrastructure and ensuring the protection of the information entrusted to it by its customers, partners, and employees. Recognizing the critical role that security researchers play in identifying potential vulnerabilities, the company actively encourages responsible disclosure of any security concerns related to its products, systems, or technologies. By collaborating with the research community, Allbirds strives to uphold a secure, reliable, and trustworthy environment for everyone interacting with its services.
Those who believe they have discovered a security issue are invited to share their findings directly with Allbirds. The company emphasizes the importance of responsible disclosure, where vulnerabilities are reported in a manner that prioritizes quick resolution while minimizing risks. Reports should be submitted thoughtfully and with good intentions, aiming to strengthen security rather than exploit any weaknesses. Allbirds appreciates the time and effort security researchers contribute toward enhancing the overall integrity of the system.
It is important to note that Allbirds does not operate a public bug bounty or reward-based program. While reports are welcomed, the company does not offer financial compensation or other rewards for the submission of security concerns. Participation in this process is voluntary and stems from a shared interest in improving security practices. Despite the absence of financial incentives, Allbirds is committed to maintaining open and respectful communication with researchers throughout the evaluation and resolution stages.
Researchers must conduct their work with care to avoid any actions that could disrupt services, damage systems, compromise data, or affect the experience of customers or employees. Allbirds expects researchers to ensure their activities do not interfere with the functionality or performance of the platform. Testing should not involve attempts to manipulate transactions or misuse system capabilities. All activities must also comply with relevant legal regulations in all applicable jurisdictions.
Respecting data privacy is a key principle of responsible disclosure. Any data encountered during testing must not be retained, altered, shared, or destroyed. If sensitive or personal information is accessed unintentionally, it should only be viewed to the minimum extent required to identify the security issue. Researchers are asked to immediately report any such incidents to Allbirds so appropriate steps can be taken to protect the data.
Allbirds also requests that researchers allow ample time for the company to review and address any reported issues before discussing them with third parties or making public disclosures. This ensures that the security team has sufficient time to confirm the findings, evaluate their impact, and implement necessary fixes. Coordinated disclosure reduces the chances of exploitation and ensures that vulnerabilities are addressed effectively.
In exchange for following these guidelines, Allbirds commits to acting in good faith and gives its assurance that it will not take legal action against researchers who follow the responsible disclosure process. However, the company reserves the right to pursue appropriate actions if any activity deviates from these standards or violates applicable laws.
Upon receiving a vulnerability report, Allbirds aims to acknowledge the submission promptly. The security team will thoroughly review the report, and if the issue is validated, remediation will be prioritized. Researchers can expect periodic updates regarding the status of their submissions, reflecting the company’s commitment to transparency and collaboration throughout the resolution process.
Certain activities, such as physical testing, social engineering, phishing attempts, denial-of-service attacks, resource exhaustion, and other nontechnical testing methods, are not considered part of the responsible disclosure program. Reports involving these methods are outside the scope of the program.
To assist the security team in evaluating and reproducing potential issues, researchers should provide detailed and clear information in their reports. This might include a description of the issue, the affected system or feature, steps taken to identify the problem, and any tools or evidence used. Visual aids, when relevant, can also be helpful.
Researchers are encouraged to report any suspected vulnerabilities privately via email to the designated security contact. By providing comprehensive and accurate details, researchers help Allbirds quickly assess the risks and take steps to enhance the security of its systems. Through this collaborative approach, Allbirds and the security research community can work together to create a safer digital environment for everyone involved.
