Zumiez Responsible Vulnerability Disclosure Policy

Thank you for your interest in our Responsible Vulnerability Disclosure Policy! Zumiez understands the hard work that goes into security research and respects your time and effort spent making the world more secure. The purpose of this policy is to lay out a clear process for reporting any potential vulnerabilities, but please reach out if you have any questions.


If you believe you've discovered a vulnerability, please let us know by emailing us at respdisclosure[at]zumiez[dot]com.

Provide as much information as you can about the vulnerability so that we can validate and reproduce it, including:

  1. Location of the vulnerability
  2. Steps to reproduce it (screenshots are much appreciated!)
  3. Potential impact
  4. CVEs (or identifying vendor numbers if relevant)

We will investigate the potential vulnerability and do our best to quickly fix it. We will show our appreciation based on the effort needed, criticality of the issue, and your responsible disclosure of the vulnerability by adhering to this policy.

Scope and Exclusions

Currently, only Zumiez.com, Zumiez.ca and thezumiezstash.com (the “Sites”) are within scope.

Tests that are excluded from this scope:

  • Any third-party providers and services
  • UI & UX bugs and spelling mistakes
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Zumiez employees or contractors
  • Any attacks against Zumiez physical property or data centers
Safe Harbor

When conducting vulnerability research, according to this policy, we consider this research conducted under this policy to be:

Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;

Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;

Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and

You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report via the email address provided earlier before going any further.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

Thank you for all you do, and we look forward to working with you!

Zumiez Security and Compliance Team