- type of vulnerability;
- service or URL or IPs affected;
- requirements to reproduce the issue;
- information necessary to reproduce the issue;
- impact of the vulnerability, together with an explanation of how an attacker could find it and exploit it.
- Do not take advantage of the vulnerability or problem you have discovered.
- Do not perform any activity that can damage us or our customers, disrupt the impacted system or service, or cause any data leakage/loss.
- Do respect the privacy of our users: you are not allowed to use any personal data for purposes other than to protect our users and their data, in accordance with this policy.
- Do keep confidential any information about discovered vulnerabilities for up to 90 calendar days after you have notified Gucci, unless mutually agreed otherwise.
- Do not demand financial compensation in order to disclose any vulnerabilities.
- Do not place a backdoor in a system. By placing a backdoor in a system, that system becomes even more insecure.
- Do not make changes to the system or application.
- Do not use Denial-of-Service attacks or brute force access.
- Do not use aggressive automated scanning.
- Do not physically attack our staff or infrastructure.
- Do not use social engineering techniques with regard to our employees or contractors.
Understand that reports about TLS ciphers, email spam, volumetric attacks, missing web security headers and ‘best practices’ in general will NOT be considered as valid submissions, unless you are able to identify a way to exploit and leverage the lack of such headers or configurations.
- We will respond to a valid submission within 10 business days with our evaluation of the report.
- If you have followed the instructions above, we will not take any legal action against you concerning the report.
- We will not pass on your personal details to third parties without your permission, unless it is necessary to do so to comply with a legal obligation. Reporting under a pseudonym or anonymously is possible.
- We will keep you informed of the progress towards resolving the problem.
- For major issues, ranked so at our discretion, we can mention (if you desire) your name or acronym as the discoverer of the reported vulnerability in our hall of fame.
- As of now, we do NOT offer bounties for valid submissions.
- gucci.com and all related subdomains
- guccidigital.io and all related subdomains
- regiongold.com and all related subdomains
- gucciosteria.com and all related subdomains
- .gucci TLD and all related subdomains
- In general: any mobile app, service, domain or IP owned and/or related to Guccio Gucci SpA and Gucci America Inc.