WHAT IS NIKE’S RESPONSIBLE DISCLOSURE PROGRAM?
Nike’s mission is to bring inspiration and innovation to every athlete in the world. For athletes to thrive, they track their performance and they need to know their data is being protected. We're obsessed with protecting their data. We take vulnerabilities that pose a security risk seriously, and we appreciate the global security research community’s help identifying risks.
Our responsible disclosure policy provides clear research guidelines—we ask that you play by the rules and within the scope of our program.
FIRST THINGS FIRST
- This is not a bug bounty program. We make no offer of reward or compensation for identifying issues. But at our discretion, we may still choose to thank you for exceptional insights.
- If you encounter Personally Identifiable Information (PII), please stop and contact us immediately. Do not proceed with access and immediately purge any local information—this protects you as well as our data.
- Our disclosure policy applies to all submissions.
- Our submission procedure is not intended for employees or affiliates (they should get in touch with Information Security directly).
THE PLAYING FIELD
We accept submissions for the following domains and systems.
- Note: In cases where multiple sites share a common code base, duplicate submissions aren’t necessary (and may be rejected).
Apps (iOS and Android)
- NRC (Nike Run Club)
- NTC (Nike Training Club)
Submissions should be for vulnerabilities that pose a demonstrable risk potentially affecting our systems, users, or data. Best practice submissions are appreciated but may not receive a response.
Remember, if you encounter any sensitive information or PII, stop and notify us immediately.
- Do not save, store, transfer, or otherwise access any Nike information after initial discovery.
- Only view information to the extent required to identify the vulnerability and do not retain information or data.
- Only use information obtained from our systems or services to facilitate reporting security vulnerabilities directly to us.
- Promptly return any sensitive information or PII and do not retain information or data.
Only interact with accounts you own or have explicit permission from the account owner. Feel free to create your own accounts for testing purposes.
Actions affecting the integrity or availability of authorized systems are prohibited. If you notice performance interruption or degradation, immediately suspend all use of automated tools.
The following methods are not authorized and constitute unacceptable conduct:
- Denial of service attacks
- Phishing or spear phishing
- Social engineering
- Physical exploits of our servers or network
- Any other nontechnical vulnerability testing
- Local network-based exploits such as DNS poisoning or ARP spoofing
- Testing or submissions on any domains, applications, or services not expressly listed above, including any connected systems
THE RULES OF ENGAGEMENT
Here’s what we expect from you:
- Fair play. If you are uncertain if conduct is acceptable or unacceptable, please reach out to firstname.lastname@example.org for clarification before engaging in the conduct.
- Sufficient information to replicate the vulnerability. We encourage you to provide the clearest submission possible. You can submit supplemental screen grabs and video through our submission form.
- Quality, clear research. Reports that include only crash dumps or other automated tool output will not be considered and may not receive a response. Please submit clearly written reports in English so we can swiftly take appropriate action.
- Further information when requested. Submissions may be closed if you don’t respond to requests for information within seven days.
- Confidentiality. We’re committed to patching in-scope vulnerabilities in 90 days or less. Please refrain from sharing your report with others while we work on our patch—disclosure in the absence of a readily available patch can increase risk rather than reduce it. By submitting your report, you agree to treat the report as confidential for 90 days after submission.
And here’s what you can expect from us:
- Timely response (within two business days)
- Open dialogue to discuss issues without fear of reprisal
- Notification when our vulnerability analysis is complete
- Expected timeline for patches and fixes (usually within 90 days)
HOW TO SUBMIT
Please use our Responsible Disclosure Form to submit the requested information.