Allbirds places strong importance on protecting its digital infrastructure and safeguarding the information entrusted to it by customers, partners, and employees. Security is treated as an ongoing responsibility, and the company recognizes that independent security researchers play a vital role in identifying potential weaknesses that might otherwise go unnoticed. For this reason, Allbirds welcomes responsible reports of security concerns related to any of its products, systems, or technical assets. By working together with the research community, Allbirds aims to maintain a safe, reliable, and trustworthy environment for everyone who interacts with its services.
Individuals who believe they have discovered a possible security issue are encouraged to share their findings directly with Allbirds. Responsible disclosure allows vulnerabilities to be addressed efficiently while minimizing risk. Submissions should be made carefully and in good faith, with the understanding that the goal is to improve security rather than to take advantage of weaknesses. Allbirds values the time and effort researchers invest in this work and appreciates their contribution to strengthening overall system integrity.
It is important to understand that Allbirds does not run a public bug bounty or reward-based program. Reports are accepted without any promise of financial compensation or other incentives. Participation in the responsible disclosure process is voluntary and driven by a shared commitment to improving security practices. Although no rewards are offered, Allbirds does make an effort to communicate openly and respectfully with researchers throughout the review process.
Researchers are expected to conduct their activities in a way that avoids causing harm. Any actions that could disrupt services, damage systems, compromise data, or negatively affect customers or employees should be avoided. Testing should never interfere with the availability or performance of Allbirds platforms, nor should it involve attempts to manipulate financial transactions or misuse system functionality. All research activities must also comply with applicable laws and regulations in all relevant jurisdictions.
Respect for data privacy is a core requirement of responsible disclosure. Researchers must not retain, store, share, alter, or destroy any company or customer data encountered during testing. If sensitive information or personal data is unintentionally accessed, it should only be viewed to the minimum extent necessary to identify the issue and must not be copied or kept in any form. Such incidents should be reported to Allbirds immediately so appropriate steps can be taken.
Allbirds also asks researchers to allow sufficient time for reported issues to be reviewed and resolved before discussing them with third parties or making any public disclosure. This waiting period enables the security team to validate findings, assess impact, and implement fixes that protect users. Responsible coordination helps reduce the risk of exploitation and ensures that vulnerabilities are addressed in an orderly and effective manner.
In return for adherence to these principles, Allbirds commits to acting in good faith. When researchers follow the responsible disclosure guidelines, the company will not pursue legal action related to the reported activity. However, Allbirds retains the right to take appropriate action if reports involve behavior that falls outside these expectations or violates applicable laws.
Once a vulnerability report is received, Allbirds aims to acknowledge it promptly. The security team reviews submissions carefully and, when an issue is confirmed, works toward remediation as quickly as possible. Researchers can expect reasonable updates regarding the status of validated findings, reflecting Allbirds’ commitment to transparency and collaboration.
Certain activities are not considered part of this disclosure process. These include physical testing, social engineering tactics, phishing attempts, denial-of-service scenarios, resource exhaustion efforts, and other forms of nontechnical testing. Reports involving these methods are outside the intended scope of the program.
To help the security team evaluate and reproduce potential issues efficiently, reports should include clear and thorough information. Useful details may include a description of the issue, the affected system or feature, the steps taken to identify it, and any tools or evidence used during discovery. Visual materials can be helpful when appropriate.
Suspected vulnerabilities should be reported privately via email to the designated security contact. Providing complete and accurate information enables the Allbirds team to assess risks quickly and implement solutions that reinforce the security of its systems. Through this cooperative approach, Allbirds and the research community can work together to build safer digital experiences for everyone.