 

Responsible Disclosure Policy

Overview

 
At Gucci we consider the security of our customers a top priority. With this in mind we have introduced this policy to encourage the responsible reporting of suspected vulnerabilities or weaknesses in our IT services, systems, resources and/or processes that may potentially affect our customers and their data. We look forward to working with the research community to keep our services safe for all users.
 
We recommend reading this policy fully before you report a vulnerability and ask you to always act in compliance with it. Your personal data will be processed based on your consent and in accordance with our privacy policy.
 
We value those who take the time and effort to report security vulnerabilities according to the terms of this policy. However, we do not offer monetary rewards for vulnerability disclosures.
 
If you are the first to report a verifiable major security issue, we’ll thank you with a place in our hall of fame.
 

How to disclose a vulnerability

 
If you want to report a vulnerability, please e-mail your findings to security@gucci.com.
 
For each vulnerability, please give adequate information allowing the vulnerability to be reproduced, so we will be able to resolve it as quickly as possible. In particular, please make sure to include the following information:
 

- type of vulnerability;

- service or URL or IPs affected;

- requirements to reproduce the issue;

- information necessary to reproduce the issue;

- impact of the vulnerability, together with an explanation of how an attacker could find it and exploit it.

 

Guidelines

 
Below, please find a list of guidelines that we ask you to follow, should you detect a vulnerability:
 

- Do not take advantage of the vulnerability or problem you have discovered.

- Do not perform any activity that can damage us or our customers, disrupt the impacted system or service, or cause any data leakage/loss.

- Do respect the privacy of our users: you are not allowed to use any personal data for purposes other than to protect our users and their data, in accordance with this policy.

- Do keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified Gucci, unless mutually agreed otherwise.

- Do not demand financial compensation in order to disclose any vulnerabilities.

- Do not place a backdoor in a system. By placing a backdoor in a system, that system becomes even more insecure.

- Do not make changes to the system or application.

- Do not use Denial-of-Service attacks or brute force access.

- Do not use aggressive automated scanning.

- Do not physically attack our staff or infrastructure.

- Do not use social engineering techniques with regard to our employees or contractors.

Understand that reports about TLS ciphers, email spam, volumetric attacks, missing web security headers and ‘best practices’ in general will NOT be considered as valid submissions, unless you are able to identify a way to exploit and leverage the lack of such headers or configurations.

Response and recognition

 
Once a notice has been received, we are committed to following up as follows:
 

- We will respond to a valid submission within 10 business days with our evaluation of the report.

- If you have followed the instructions above, we will not take any legal action against you concerning the report.

- We will not pass on your personal details to third parties without your permission, unless it is necessary to do so to comply with a legal obligation. Reporting under a pseudonym or anonymously is possible.

- We will keep you informed of the progress towards resolving the problem.

- For major issues, ranked so at our discretion, we can mention (if you desire) your name or acronym as the discoverer of the reported vulnerability in our hall of fame.

- As of now, we do NOT offer bounties for valid submissions.

Scope

 
This policy applies to the following services directly developed or maintained by Gucci:
 

- gucci.com and all related subdomains

- guccidigital.io and all related subdomains

- regiongold.com and all related subdomains

- gucciosteria.com and all related subdomains

- .gucci TLD and all related subdomains

- In general: any mobile app, service, domain or IP owned and/or related to Guccio Gucci SpA and Gucci America Inc.

 
Thank you for helping keep Gucci and our customers safe!
 
 
 
We reserve the right to update this Responsible Disclosure Policy at any time.
 
 