adidas Vulnerability Disclosure Policy
Adidas takes great care in providing the utmost security to our customers. We take vulnerabilities that pose a security risk seriously, and we appreciate the global security research community’s help in identifying risks. You can help us by identifying vulnerabilities so that we can address them.
If you find a vulnerability in our websites, we encourage you to contact us. Our security team will get back to you.
Program Rules
• We utilize code written and hosted by third parties, and we cannot grant you permission to perform any testing on third-party code, applications, systems, or services.
• We are not responsible for any actions you perform against third parties.
• Always comply with your local laws and act lawfully and in good faith as well as in a way that is beneficial to the overall security researcher community.
• Use best efforts to avoid any privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security analysis.
• Perform security analysis only within the scope set out below.
• Everything not explicitly listed in-scope is out-of-scope.
• If a vulnerability gives you access to anyone’s personally identifiable information (PII) or other data, stop testing immediately, report the vulnerability to us, and delete any such information that has been saved outside of our systems.
• Only target, access, view, or edit your own adidas account. Never attempt to access anyone else’s data or adidas account.
• Use exploits only to the extent necessary to confirm the presence of a vulnerability and once established, do not abuse the vulnerability further.
• Do not exfiltrate data, establish command line access and/or persistence, or pivot/perform post-exploitation attacks after finding a vulnerability.
• Keep the details of the vulnerability confidential until our security team has remediated the issue or rolled out countermeasures; do not disclose information publicly or to any third party (outside of adidas) before then.
Scope
In Scope applications/systems:
• *.adidas.*
• *.runtastic.*
• Adidas Android Ecommerce application
• Adidas iOS Ecommerce application
• Runtastic iOS application
• Runtastic Android application
In Scope Vulnerabilities:
• OWASP Top 10 Application Security vulnerabilities
• Remote Code Execution
• Sensitive Data Exposure
• Broken Authentication
Out of Scope applications/systems:
• Applications/services managed or hosted by a third party.
• Some adidas-branded services may be operated by our third-party vendors or partners. We cannot authorize you to test these systems on behalf of these third parties. Please examine domain and IP WHOIS records to confirm. If in doubt, talk to us first!
• Do not test third-party integrations. If at any time you have concerns or uncertainty whether your research is consistent with this policy, please confirm with us first before continuing testing.
Out of Scope Vulnerabilities:
• Findings from physical testing (e.g. open doors, tailgating)
• Findings from social engineering (e.g. phishing, vishing)
• UI and UX bugs and spelling mistakes
• Network level Denial of Service (DoS/DDoS) vulnerabilities
• Any vulnerability not expressly listed in-scope
Submitting a Vulnerability Report
adidas has established an email address that should be used for reporting a vulnerability. Please send descriptions of any vulnerabilities found to mbx_adidas_it_secu@adidas-group.com.
What we expect from you:
• If possible, please use English to report a vulnerability, as reports in other languages may take significantly more time for us to reply to.
• A detailed description of the steps required to reproduce your findings (PoC scripts, screenshots, and compressed screen captures are all helpful to us). The following information must be shared:
o Vulnerability description
o Vulnerability classification/severity
o Steps to reproduce the vulnerability
o Target URL
• If applicable, a log of all activity related to your discovery, including your IP address(es) and timestamped requests to aid us in validation and investigation.
• Our security team will acknowledge receiving your report and get back to you as soon as they are able to. Please do not contact business units through other means such as social media posts or private email addresses to get attention.
Please note the following:
• Reports that include systems/applications not in scope may be ignored.
• We do not want to receive personally identifiable information (PII) or financial data (such as credit card or bank account numbers).
• adidas uses the Common Vulnerability Scoring System (CVSS) to evaluate potential vulnerabilities. The resulting score helps quantify the severity of the issue and prioritize our response.
What you can expect from us:
• If you act in accordance with the adidas vulnerability disclosure policy, we will not initiate any legal action against you for security testing or for finding a vulnerability in our systems.
• A timely response to your email or submission
• Work with you to understand and validate your report