WHAT IS NIKE’S RESPONSIBLE DISCLOSURE PROGRAM?
Nike’s mission is to bring inspiration and innovation to every athlete in the world. For athletes to thrive, they track their performance and they need to know their data is being protected. We're obsessed with protecting their data. We take vulnerabilities that pose a security risk seriously, and we appreciate the global security research community’s help identifying risks.
Our responsible disclosure policy provides clear research guidelines—we ask that you play by the rules and within the scope of our program.
FIRST THINGS FIRST
This is not a bug bounty program. We make no offer of reward or compensation for identifying issues. But at our discretion, we may still choose to thank you for exceptional insights.
If you encounter Personally Identifiable Information (PII), please stop and contact us immediately. Do not proceed with access and immediately purge any local information—this protects you as well as our data.
Our disclosure policy applies to all submissions.
Our submission procedure is not intended for employees or affiliates (they should get in touch with Information Security directly).
THE PLAYING FIELD
We accept submissions for the following domains and systems.
Sites
http://*.nike.com/*
http://*.converse.com/*
http://*.nike.net/*
Note: In cases where multiple sites share a common code base, duplicate submissions aren’t necessary (and may be rejected).
Apps (iOS and Android)
SNKRS
Nike
NRC (Nike Run Club)
NTC (Nike Training Club)
FAIR PLAY
Submissions should be for vulnerabilities that pose a demonstrable risk potentially affecting our systems, users, or data. Best practice submissions are appreciated but may not receive a response.
Remember, if you encounter any sensitive information or PII, stop and notify us immediately.
Do not save, store, transfer, or otherwise access any Nike information after initial discovery.
Only view information to the extent required to identify the vulnerability and do not retain information or data.
Only use information obtained from our systems or services to facilitate reporting security vulnerabilities directly to us.
Promptly return any sensitive information or PII and do not retain information or data.
Only interact with accounts you own or for which you have explicit permission from the account owner. Feel free to create your own accounts for testing purposes.
FOUL PLAY
Actions affecting the integrity or availability of authorized systems are prohibited. If you notice performance interruption or degradation, immediately suspend all use of automated tools.
The following methods are not authorized and constitute unacceptable conduct:
Denial of service attacks
Phishing or spear phishing
Social engineering
Physical exploits of our servers or network
Any other nontechnical vulnerability testing
Local network-based exploits such as DNS poisoning or ARP spoofing
Testing or submissions on any domains, applications, or services not expressly listed above, including any connected systems
THE RULES OF ENGAGEMENT
Here’s what we expect from you:
Fair play. If you are uncertain if conduct is acceptable or unacceptable, please reach out to infosec@nike.com for clarification before engaging in the conduct.
Sufficient information to replicate the vulnerability. We encourage you to provide the clearest submission possible. You can submit supplemental screen grabs and video through our submission form.
Quality, clear research. Reports that include only crash dumps or other automated tool output will not be considered and may not receive a response. Please submit clearly written reports in English so we can swiftly take appropriate action.
Further information when requested. Submissions may be closed if you don’t respond to requests for information within seven days.
Confidentiality. We’re committed to patching in-scope vulnerabilities in 90 days or less. Please refrain from sharing your report with others while we work on our patch—disclosure in the absence of a readily available patch can increase risk rather than reduce it. By submitting your report, you agree to treat the report as confidential for 90 days after submission.
And here’s what you can expect from us:
Timely response (within two business days)
Open dialogue to discuss issues without fear of reprisal
Notification when our vulnerability analysis is complete
Expected timeline for patches and fixes (usually within 90 days)