Skip to main content
The Simons members:
free shipping over $50 and free returns (exceptions may apply)

Vulnerability Disclosure Policy

Introduction

Simons places great importance on information security and the privacy of its customers and
partners. We are grateful for the efforts of security researchers, who report any potential
vulnerabilities to us.

Eligibility

We encourage security researchers to confidentially disclose potential vulnerabilities that could
affect our digital products. However, testing must be performed on the latest version of the
application or website so that it may be eligible for our vulnerability disclosure program. We cannot
accept vulnerability reports on obsolete versions of our digital products. Simons asks those who
report vulnerabilities to keep them confidential for at least 90 days after the issue report has been
acknowledged as received.

Reward

We do not offer financial compensation or reward of any kind to researchers who find proven
vulnerabilities.

Introduction

We ask that you not:

  • Violate any applicable laws or regulations.
  • Access unnecessary, excessive, or significant amounts of data.
  • Change data in systems.
  • Use invasive or destructive high-intensity analysis tools to identify vulnerabilities.
  • Attempt or report any form of denial of service, such as flooding a service with a high
    volume of requests.
  • Interrupt Simons services or systems.
  • Communicate any vulnerabilities or related details using other means than those described
    in the published security.txt file.
  • Use social engineering techniques, phishing, or physical attacks on Simons personnel or
    infrastructure.
  • Demand financial compensation to disclose any vulnerabilities
We ask that you:
  • Always comply with data protection regulations and not violate the privacy of Simons users,
    staff, subcontractors, services, or systems. For example, you must not share, redistribute, or
    fail to adequately secure data extracted from systems or services.
  • Securely delete all data retrieved during your research as soon as it is no longer needed or
    within one month of the vulnerability's resolution, whichever comes first (or as otherwise
    required by the Privacy Act).

How do I report a vulnerability?

Our security.txt. file details all vulnerability reporting methods.

Please send a detailed report to the following email address: [email address].
Please provide as much information as possible, including:

  • A brief description of the vulnerability (e.g., SQL injection).
  • The full URL and IP address of the page where the vulnerability was observed.
  • The steps necessary to reproduce the erroneous behaviour or demonstrate the vulnerability, in the form of a benign, non-destructive proof of concept.
  • Information on project versions that may be affected (e.g., the date on which you were able to reproduce the faulty behaviour).

What happens after I submit a vulnerability report?

After submitting your report, a member of our team will respond within 15 business days. We will
also try to keep you informed of our progress.

We will notify you when the reported vulnerability is corrected and may ask you to provide more
information about it. In addition, we may contact you to confirm that the chosen solution
adequately resolves the vulnerability.

Confidentiality and non-disclosure

We commit to protecting the privacy of individuals who report vulnerabilities. We will not disclose
your name or email address unless you expressly authorize us to do so. If you prefer to remain
anonymous, we will respect your wishes and not disclose your identity.

We will not take legal action against security researchers who report vulnerabilities in good faith and
keep them confidential for at least 90 days. We commit to working with researchers to understand
and resolve safety issues.

Legal aspects

This policy is intended to be consistent with current best practices for vulnerability disclosure. It
does not give you permission to act in an illegal manner or in a way that could cause our
organization or our partners to violate any legal obligation.

Flag of the United States

Are you in the United States?

Visit simons.com