Responsible Disclosure Policy
J. Crew Group, LLC (including our brands and subsidiaries, J. Crew, Inc., J. Crew, crewcuts, J. Crew Factory, and Madewell) (collectively, “J. Crew,” “we,” or “us”) is committed to information technology (IT) security. J. Crew has adopted this Responsible Disclosure Policy (“Policy”) to give security researchers guidelines to disclose discovered vulnerabilities to us, including security vulnerabilities in our internet-accessible systems or services, such as our websites, mobile applications, and other online digital services.
Please review the terms of this Policy prior to conducting any research or submitting any vulnerability report (“Vulnerability Report”). By submitting a Vulnerability Report, you acknowledge that you have read, understood, and accept the terms of this Policy. Please report such vulnerabilities by following the submission process outlined in this Policy.
II. Safe Harbor
If you make a good faith effort to comply with this Policy during your security research, J. Crew will consider your research to be authorized, and we will not recommend or pursue legal action related to your research. J. Crew reserves all of its legal rights in the event of any noncompliance with this Policy or applicable laws.
III. Terms and Guidelines
The following applications and systems are in scope of this Responsible Disclosure Policy: dev-confluence.jcrew.com
Any service not expressly listed above is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in services managed or hosted by any third parties fall outside of this Policy’s scope and should be reported directly to the third parties according to their responsible disclosure policies (if any). If you are unsure whether a system is in scope or not, please inquire at Responsible.Disclosure@jcrew.com. If at any time you have concerns or questions as to whether your testing is consistent with this Policy, or if there is a particular system not in scope that you think merits testing, please contact us to discuss it first at Responsible.Disclosure@jcrew.com before continuing to test. We may increase the scope of this Policy over time.
V. Submitting a Vulnerability Report
J. Crew accepts Vulnerability Reports at this email address: Responsible.Disclosure@jcrew.com. What to include in your email:
If possible, please use English to report a vulnerability. Describe in detail the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots of methodology are helpful), including:
- Vulnerability description
- Vulnerability classification/severity
- Steps to reproduce the vulnerability
- Location where the vulnerability was discovered (target URL)
- Recommendations to remediate the vulnerability
- Your contact information (name, email address, phone number), unless you prefer to remain anonymous
Do not include any PII or financial data.
VI. Processing Disclosures
What you can expect from us:
We will acknowledge that your Vulnerability Report has been received. We may contact you to discuss and validate your Vulnerability Report and supporting information. We may choose not to respond to any Vulnerability Reports that do not comply with this Policy or that concern out-of-scope systems or applications.
How we will process your Vulnerability Report:
We request that security researchers not share information about any suspected vulnerability for ninety (90) calendar days after we confirm receipt of your Vulnerability Report. Public disclosure of a vulnerability without available remediation or other mitigation could increase the security risk to our potentially affected systems.
We do claim ownership rights to Vulnerability Reports. However, by providing a Vulnerability Report to J. Crew, and as the security researcher submitting the report, the security researcher (on its own behalf or on behalf of its employer) hereby grants J. Crew and its related companies an irrevocable, perpetual, royalty-free, worldwide, sub-licensable right and license to the intellectual property in the Vulnerability Report to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of the Vulnerability Report in any manner and using any means now known or later discovered. The security researcher agrees to sign any documentation that may be required for us or our designees to confirm the rights granted herein. J. Crew reserves the right to share the Vulnerability Report with third parties, including any relevant governmental authority.
We require advance coordination with any security researcher who believes others should be informed of the suspected vulnerability before remediation. We will communicate to such researcher the steps being taken during the remediation process to address the reported vulnerabilities.
VII. Legal Compliance
Security researchers must comply with all applicable federal, state, and local laws in connection with security research activities and vulnerability reporting covered by this Policy. We do not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this Policy or applicable laws. For purposes of this Policy, unauthorized access or acquisition includes access by an employee or agent of another entity, or other third party, who is not the individual user of the application or system within the scope of this Policy, for purposes of commercial advantage or private financial gain. This Policy is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against J. Crew or related entities, its officers, employees, or agents, or any other person.
This Policy is effective as of: January 9, 2024.
J. Crew may modify this Policy or terminate this Policy at any time in its sole and absolute discretion.
Questions regarding this policy may be sent to Responsible.Disclosure@jcrew.com. We also invite you to contact us with suggestions for improving this policy.