Allbirds Responsible Disclosure Program

Allbirds places significant importance on maintaining the security of its digital systems and protecting the data shared by customers, partners, and employees. Security is approached as a continuous effort rather than a one-time task, and the company recognizes that external researchers can play a valuable role in identifying potential vulnerabilities. By encouraging responsible communication of security concerns, the company seeks to strengthen its systems and provide a dependable environment for all users.

Individuals who identify possible weaknesses in any aspect of the company’s platforms, products, or technical infrastructure are encouraged to report their findings directly. This process is intended to support responsible disclosure, allowing issues to be addressed in a controlled and efficient manner while reducing potential risks. Submissions should be made with the intention of improving system security, and researchers are expected to act in good faith throughout the process. The company acknowledges the effort involved in identifying such issues and values contributions that help enhance overall system reliability.

This process does not include a financial reward structure. The company does not operate a public bug bounty program, and reports are reviewed without any guarantee of compensation. Participation is entirely voluntary and driven by a shared interest in improving security standards. Despite the absence of monetary incentives, the company aims to maintain open and respectful communication with individuals who submit valid reports, keeping them informed when appropriate.

All testing activities must be conducted carefully to avoid causing harm. Actions that may disrupt services, damage infrastructure, or expose sensitive data are strictly discouraged. Researchers should not attempt to interfere with system performance, manipulate transactions, or exploit functionality for unintended purposes. All activities must comply with applicable laws and regulations, ensuring that the process remains ethical and lawful.

Protecting personal and sensitive information is a fundamental requirement during any security research. If data is encountered unintentionally, it should only be accessed to the extent necessary to confirm the issue and must not be copied, stored, or shared. Any such exposure should be reported immediately so that appropriate safeguards can be implemented. Respect for privacy is essential in maintaining trust and ensuring that the disclosure process remains responsible.

Researchers are also asked to allow adequate time for the company to investigate and resolve reported issues before sharing details publicly or with third parties. This period enables proper validation, risk assessment, and remediation, reducing the likelihood of misuse or exploitation. Coordinated disclosure helps ensure that vulnerabilities are addressed in a structured and secure manner.

In return for adherence to these expectations, the company commits to engaging in good faith. When reports are submitted responsibly and in line with the outlined guidelines, the company does not pursue legal action against the reporting party. However, actions that fall outside these expectations or violate laws may result in appropriate responses.

Upon receiving a report, the security team aims to acknowledge it in a timely manner and conduct a thorough review. Confirmed issues are prioritized for resolution, and reasonable updates may be shared with the reporting individual as progress is made. This approach reflects a commitment to transparency and constructive collaboration.

Certain forms of testing are considered outside the acceptable scope of this process. These include activities such as physical intrusion attempts, social engineering, phishing campaigns, denial-of-service attacks, or other methods that do not align with responsible technical testing. Reports based on such activities are not treated as part of the disclosure framework.

To assist with effective evaluation, submissions should include clear and detailed information. Descriptions of the issue, affected components, steps taken to reproduce the problem, and any supporting evidence can significantly improve the review process. Visual documentation may also be helpful when available.

Security concerns should be communicated privately through the designated contact channel, typically via email. Providing accurate and complete information allows the company to respond efficiently and strengthen its systems. Through cooperation between the organization and the research community, a more secure and reliable digital environment can be achieved for all users.