Allbirds treats the protection of its digital systems and user data as a continuous and evolving responsibility. The company understands that maintaining a secure environment requires not only internal expertise but also collaboration with the broader security community. Independent researchers often bring fresh perspectives and technical insight, and their contributions can play a meaningful role in identifying vulnerabilities before they can be exploited. For this reason, Allbirds encourages responsible reporting of potential security issues across its platforms, applications, and infrastructure.
If an individual believes they have identified a weakness within any Allbirds system, they are invited to report their findings in a responsible and ethical manner. The goal of this process is to strengthen security, not to take advantage of flaws. Submissions should be made in good faith, with a clear intention to help improve system integrity and user safety. Allbirds recognizes the effort involved in vulnerability research and values the role that responsible disclosure plays in maintaining trust and reliability across its services.
It is important to note that Allbirds does not operate a public bug bounty program or provide financial rewards for submitted reports. Participation in this process is entirely voluntary and based on a shared interest in improving digital security. While monetary compensation is not offered, the company aims to maintain open and respectful communication with those who submit valid concerns, providing updates and acknowledgment where appropriate.
Researchers are expected to conduct all testing in a manner that avoids disruption or harm. Activities that could interfere with service availability, degrade system performance, or negatively impact customers or employees are strictly discouraged. Testing should never involve attempts to manipulate transactions, gain unauthorized access to accounts, or misuse system functionality. All actions must remain within the boundaries of applicable laws and ethical standards.
Protecting user privacy is a fundamental requirement throughout this process. If any sensitive or personal information is encountered during research, it must not be stored, shared, or altered. Access to such data should be limited to what is necessary to confirm the existence of an issue, and any exposure should be reported immediately. Respect for confidentiality ensures that the disclosure process does not inadvertently create additional risks.
Allbirds also requests that researchers allow sufficient time for reported vulnerabilities to be reviewed and resolved before making any public statements. This coordinated approach helps prevent potential exploitation and allows the company to implement fixes in a controlled and effective manner. Responsible timing is essential to maintaining the safety of users and the stability of systems.
In return, Allbirds commits to acting in good faith when engaging with researchers who follow these guidelines. The company does not pursue legal action against individuals who conduct their work responsibly and within the outlined expectations. However, actions that fall outside these boundaries, particularly those that involve malicious intent or legal violations, may result in appropriate consequences.
Once a report is submitted, the security team works to acknowledge receipt and begin evaluation. Verified issues are prioritized and addressed as efficiently as possible, with reasonable efforts made to keep the reporting party informed throughout the process. Transparency and cooperation are central to building a productive relationship between the company and the research community.
Certain types of activities are considered outside the scope of this process. These include physical security testing, social engineering attempts, phishing campaigns, denial-of-service attacks, and other methods that could disrupt operations or compromise safety. The focus remains on identifying technical vulnerabilities through safe and controlled means.
To assist with efficient review, reports should include clear and detailed information. This may involve a description of the issue, affected systems, steps to reproduce the problem, and any supporting evidence such as screenshots or logs. Providing thorough documentation helps the security team validate findings and implement solutions more quickly.
All potential vulnerabilities should be reported through the designated private communication channel, typically via email. By sharing accurate and complete information in a responsible manner, researchers contribute to a stronger, safer digital environment. Through ongoing collaboration and mutual respect, Allbirds continues to enhance its security practices and protect the experience of everyone who interacts with its platforms.
