Allbirds Responsible Disclosure Program

Allbirds is committed to maintaining a secure and dependable digital environment for everyone who interacts with its platforms. Protecting the systems that support its services, as well as the information shared by customers, partners, and employees, is an important responsibility. The company recognizes that the broader security community can play a valuable role in identifying weaknesses that internal teams may not always detect. Because of this, Allbirds encourages responsible security research and welcomes reports from individuals who believe they have discovered vulnerabilities within its online services or technical infrastructure.

Anyone who encounters a potential security concern is encouraged to communicate their findings directly to the company. Responsible disclosure helps ensure that issues can be addressed in an organized and effective way while minimizing potential risk to users and systems. Reports should be submitted with the intention of strengthening security rather than taking advantage of system weaknesses. Allbirds values the effort that independent researchers dedicate to identifying possible threats and acknowledges the positive impact their work can have on improving overall platform safety.

While the company accepts vulnerability reports from the public, it is important to note that Allbirds does not operate a formal bug bounty program that provides financial rewards. Participation in the disclosure process is entirely voluntary, and submissions are reviewed without the expectation of compensation or incentives. Even though no monetary rewards are offered, the company strives to maintain open and respectful communication with those who report valid concerns, recognizing that collaboration with the research community contributes to stronger security practices.

Researchers are expected to act responsibly when conducting any form of testing related to Allbirds systems. Activities should never result in damage to systems, interruption of services, or harm to customers, employees, or partners. Any actions that could compromise system stability or availability should be avoided. Testing must not involve attempts to alter transactions, misuse platform functionality, or interfere with normal operations. Individuals conducting research must also ensure that their activities comply with all relevant laws and regulations.

Respect for privacy and data protection is essential during the discovery and reporting process. If sensitive or personal information is encountered unintentionally while investigating a potential issue, it should only be viewed to the limited extent required to confirm the vulnerability. Such data must not be stored, copied, shared, modified, or destroyed under any circumstances. If access to confidential information occurs during testing, the situation should be reported immediately so the company can take appropriate steps to secure the affected systems.

Allbirds also requests that researchers allow sufficient time for the internal security team to investigate and resolve reported vulnerabilities before discussing them publicly or sharing details with third parties. Allowing this coordination period gives the company an opportunity to verify the issue, determine the scope of potential impact, and implement fixes that protect users. Responsible timing of disclosures helps reduce the risk of malicious exploitation and supports a safer resolution process.

In return for cooperation with these expectations, Allbirds approaches the disclosure process in good faith. When researchers act within the outlined guidelines and conduct their work responsibly, the company does not intend to pursue legal action related to the reported activity. However, the company reserves the right to respond appropriately if actions extend beyond responsible research or violate legal requirements.

Once a vulnerability report has been submitted, the security team reviews the information carefully. The company aims to acknowledge reports in a timely manner and evaluate whether the issue can be reproduced and confirmed. If the report identifies a valid vulnerability, efforts are made to resolve the problem as quickly as possible. Researchers may receive updates about the progress of their report when appropriate, reflecting the company’s commitment to transparency and cooperation.

Certain types of activities fall outside the scope of responsible vulnerability reporting. These include attempts to gain access through social engineering, phishing efforts, denial-of-service attacks, or any methods designed to overwhelm or disrupt services. Physical testing of facilities or attempts to manipulate individuals for access to systems are also excluded. Reports involving these types of activities are not considered part of the intended disclosure process.

To assist the security team in understanding and reproducing potential issues, reports should include detailed and accurate information. Helpful details may include a clear explanation of the suspected vulnerability, the systems or features affected, and the steps taken to identify the issue. Screenshots or other supporting materials can also help clarify the findings when relevant.

Security concerns should be shared privately with the company through the appropriate communication channel. Providing complete and precise information allows the team to review the situation efficiently and take corrective action where necessary. Through collaboration with responsible researchers, Allbirds seeks to continually strengthen its systems and maintain secure digital experiences for everyone who interacts with its services.