Allbirds Responsible Disclosure Program

Allbirds places a high priority on the security of its digital systems and the protection of information entrusted to it by customers, employees, and partners. The company treats security as a continuous responsibility and recognizes the important role that independent security researchers play in identifying potential vulnerabilities. By welcoming responsible reports from the research community, Allbirds seeks to ensure that its products, platforms, and technical assets remain safe, reliable, and trustworthy for all users.

Individuals who identify possible security issues are encouraged to share their findings directly with Allbirds. Responsible disclosure enables the company to address vulnerabilities efficiently while minimizing risk. Reports should be made in good faith, with the understanding that the objective is to strengthen security rather than exploit weaknesses. Allbirds values the effort and expertise researchers contribute, acknowledging that their input is essential for maintaining the integrity of the company’s systems.

It is important to note that Allbirds does not operate a public bug bounty program or offer financial incentives for reports. Participation in the responsible disclosure process is voluntary and driven by a mutual interest in improving security practices. While no monetary rewards are provided, the company commits to maintaining open and respectful communication with researchers throughout the review and remediation process.

Researchers are expected to conduct their work without causing harm. Activities that could disrupt service, compromise data, interfere with system performance, or negatively affect users should be avoided. Testing should never involve manipulation of financial transactions or misuse of platform functionality. All research must comply with applicable laws and regulations in the relevant jurisdictions.

Data privacy is a fundamental aspect of responsible disclosure. Researchers must not store, copy, share, alter, or delete any company or customer information encountered during testing. Any sensitive or personal data that is accessed unintentionally should only be examined to the extent necessary to identify the issue and must be reported immediately to Allbirds to allow for proper handling.

Researchers are also asked to give the company sufficient time to review and resolve reported vulnerabilities before discussing them publicly or sharing them with third parties. This allows the security team to validate findings, assess potential impacts, and implement necessary fixes in an orderly manner, reducing the risk of exploitation.

In return for adherence to these principles, Allbirds commits to acting in good faith. When researchers follow the responsible disclosure guidelines, the company will not pursue legal action related to the reported activity. However, Allbirds reserves the right to take appropriate action if the submitted reports involve activities that fall outside the expected scope or violate applicable laws.

Once a report is received, the security team works to acknowledge it promptly, review it thoroughly, and address confirmed issues as quickly as possible. Researchers can expect updates on the status of their submissions, reflecting the company’s commitment to transparency and collaboration.

Certain types of testing are outside the scope of this process, including physical security assessments, social engineering, phishing attempts, denial-of-service attacks, and resource exhaustion methods. Reports involving these approaches will not be considered part of the responsible disclosure program.

To facilitate effective evaluation, submissions should include clear and detailed information, such as a description of the issue, the affected system, steps to reproduce the vulnerability, and any tools or evidence used during discovery. Visual documentation can also be helpful. Reports should be sent privately to the designated security contact, ensuring that Allbirds can assess risks efficiently and implement solutions that enhance the safety of its digital ecosystem. Through this cooperative approach, Allbirds and the security research community can work together to maintain secure and reliable experiences for all users.