Zumiez Responsible Vulnerability Disclosure Policy
Thank you for your interest in our Responsible Vulnerability Disclosure Policy! Zumiez understands the hard work
that goes into security research and respects your time and effort spent making the world more secure. The purpose
of this policy is to lay out a clear process for reporting any potential vulnerabilities, but please reach out if
you have any questions.
If you believe you've discovered a vulnerability, please let us know by emailing us at respdisclosure[at]zumiez[dot]com.
Provide as much information as you can about the vulnerability so that we can validate and reproduce it, including:
- Location of the vulnerability
- Steps to reproduce it (screenshots are much appreciated!)
- Potential impact
- CVEs (or identifying vendor numbers if relevant)
We will investigate the potential vulnerability and do our best to quickly fix it. We will show our appreciation
based on the effort needed, criticality of the issue, and your responsible disclosure of the vulnerability by
adhering to this policy.
Scope and Exclusions
Currently, only Zumiez.com, Zumiez.ca and thezumiezstash.com (the “Sites”) are within scope.
Tests that are excluded from this scope:
- Any third-party providers and services
- UI & UX bugs and spelling mistakes
- Denial of Service (DoS) or Distributed Denial of Service (DDoS)
- Social engineering or phishing of Zumiez employees or contractors
- Any attacks against Zumiez physical property or data centers
When you conduct vulnerability research in accordance with this policy, we consider that research to be:
- Authorized with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Authorized with respect to any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls; and
- Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this
policy, please submit a report via the email address provided earlier before going any further.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this
policy, and that the policy does not bind independent third parties.
Thank you for all you do, and we look forward to working with you!
Zumiez Security and Compliance Team