
ZUMIEZ RESPONSIBLE VULNERABILITY DISCLOSURE POLICY

Thank you for your interest in our Responsible Vulnerability Disclosure Policy! Zumiez understands the hard work that goes into security research and respects your time and effort spent making the world more secure. The purpose of this policy is to lay out a clear process for reporting any potential vulnerabilities, but please reach out if you have any questions.

Process

If you believe you've discovered a vulnerability, please let us know by emailing us at [email protected].

Provide as much information as you can about the vulnerability so that we can validate and reproduce it, including:

  1. Location of the vulnerability
  2. Detailed steps to reproduce it, including links and screenshots
  3. Potential impact
  4. CVEs (or identifying vendor numbers if relevant)

We will investigate the potential vulnerability and do our best to quickly fix it. We will evaluate showing our appreciation based on the effort needed, criticality of the issue, and your responsible disclosure of the vulnerability by adhering to this policy.

Please note:

  • We will not consider reports that do not follow this process
  • There are multiple researchers sending in reports and we monitor our own products as well, so if your report calls out something that we are already aware of then it will not be considered

Scope and Exclusions

Currently, only Zumiez.com, Zumiez.ca and thezumiezstash.com (the “Sites”) are within scope.

Tests that are excluded from this scope:

  • Any third-party providers and services
  • UI & UX bugs and spelling mistakes
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Zumiez employees or contractors
  • Any attacks against Zumiez physical property or data centers

Safe Harbor

When you conduct vulnerability research in accordance with this policy, we consider that research to be:

Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;

Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;

Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report via the email address provided earlier before going any further.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.


Thank you for all you do, and we look forward to working with you!

Zumiez Security and Compliance Team


Last Updated: June 2023