Responsible Disclosure Policy
I. Introduction
J. Crew Group, LLC (including our brands and subsidiaries, J. Crew, Inc., J.
Crew, crewcuts, J. Crew Factory, and Madewell) (collectively, “J. Crew,” “we,”
or “us”) is committed to information technology (IT) security. J. Crew has
adopted this Responsible Disclosure Policy (“Policy”) to give security
researchers guidelines to disclose discovered vulnerabilities to us, including
security vulnerabilities in our internet-accessible systems or services, such as
our websites, mobile applications, and other online digital services.
Please review the terms of this Policy prior to conducting any research or
submitting any vulnerability report (“Vulnerability Report”). By submitting a
Vulnerability Report, you acknowledge that you have read, understood, and accept
the terms of this Policy. Please report such vulnerabilities by following the
submission process outlined in this Policy.
II. Safe Harbor
If you make a good faith effort to comply with this Policy during your security
research, J. Crew will consider your research to be authorized, and we will not
recommend or pursue legal action related to your research. J. Crew reserves all
of its legal rights in the event of any noncompliance with this Policy or
applicable laws.
III. Terms and Guidelines
This Policy does not authorize you to access data that does not belong to you. Promptly notify us after you discover a real or potential security vulnerability on our internet-accessible systems or services. If a vulnerability can be exploited to obtain access to anyone’s sensitive data (including personally identifiable information (“PII”), financial information, or proprietary data or trade secrets of any party) or other non-public data (“Sensitive Data”), stop testing immediately. Promptly report the vulnerability to us by submitting a Vulnerability Report via email at Responsible.Disclosure@jcrew.com and do not retrieve such data. Do not submit specific PII with the Vulnerability Report. If such Sensitive Data was acquired in error or in good faith, immediately delete any such Sensitive Data saved outside of our systems. Do not access, retrieve, or attempt to access or retrieve Sensitive Data. Only use exploits to the extent necessary to confirm a vulnerability’s presence. Everything not explicitly listed as in-scope is out-of-scope. (See Section IV of this Policy.) 
You are not authorized under this Policy to:
Violate our Terms of Use;
Make changes to our websites;
Execute or attempt to execute a denial of service (DoS), Distributed Denial-of-Service (DDoS), or "Resource Exhaustion" attack, or tests that impair access to or damage a system or data;
Execute or attempt to execute malicious code or script, such as malware;
Engage in a privacy violation, such as by accessing or acquiring PII;
Perform or attempt to perform any degradation or disruption of the user experience or the performance of the potentially vulnerable production system;
Destroy, download, copy, screenshot, or manipulate data;
Use an exploit to compromise or exfiltrate data, establish a persistent command line, or pivot to other systems (lateral movement);
Disclose or publish vulnerability information except as set forth in this Policy (i.e., by submitting a Vulnerability Report);
Engage in any physical testing of facilities or resources, or any other non-technical vulnerability testing;
Engage in social engineering, or send any unsolicited electronic mail to our user community, including any "phishing" messages;
Test third-party internet-accessible systems or services that integrate with or link to or from our systems; or
Test any system other than the systems that are within the scope (Section IV) of this Policy.
Keep the details regarding the vulnerability and the Vulnerability Report confidential pursuant to Section VI of this Policy. Do not submit a high volume of low-quality Vulnerability Reports. Once you establish that a vulnerability exists or encounter any Sensitive Data, stop your test, notify us immediately, and do not disclose this data to anyone else.
IV. Scope
The following applications and systems are in scope of this Responsible Disclosure Policy:
dev-confluence.jcrew.com
dev-jira.jcrew.com
plm-qa.jcrew.com
plmqa.jcrew.com
qa-print.jcrewimports.com
qa-www.jcrewimports.com
staging-dev-confluence.jcrew.com
staging-dev-jira.jcrew.com
staging-plm-qa.jcrew.com
staging-plmqa.jcrew.com
staging-qa-print.jcrewimports.com
staging-qa-www.jcrewimports.com
confluence.jcrew.com
jcss.jcrew.com
jira.jcrew.com
plm-prod.jcrew.com
plm.jcrew.com
print.jcrewimports.com
prod-print.jcrewimports.com
staging-confluence.jcrew.com
staging-jcss.jcrew.com
staging-jira.jcrew.com
staging-plm-prod.jcrew.com
staging-plm.jcrew.com
staging-print.jcrewimports.com
staging-webmail.jcrew.com
staging-webmaildr.jcrew.com
staging-www.jcrewimports.com
webmail.jcrew.com
webmaildr.jcrew.com
www.jcrewimports.com
jira-poc.jcrew.com
vertex-qa.jcrew.com
vertex.jcrew.com
Any service not expressly listed above is excluded from scope and is not authorized for testing. Additionally, vulnerabilities found in services managed or hosted by any third parties fall outside of this Policy’s scope and should be reported directly to the third parties according to their responsible disclosure policies (if any). If you are unsure whether a system is in scope or not, please inquire at Responsible.Disclosure@jcrew.com. If at any time you have concerns or questions as to whether your testing is consistent with this Policy, or if there is a particular system not in scope that you think merits testing, please contact us to discuss it first at Responsible.Disclosure@jcrew.com before continuing to test. We may increase the scope of this Policy over time.
V. Submitting a Vulnerability Report
J. Crew accepts Vulnerability Reports at this email address: Responsible.Disclosure@jcrew.com. What to include in your email:
If possible, please use English to report a vulnerability. Describe in detail the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots of methodology are helpful). Please include:
Vulnerability description
Vulnerability classification/severity
Steps to reproduce the vulnerability
Location where the vulnerability was discovered (target URL)
Recommendations to remediate the vulnerability
Your contact information (name, email address, phone number), unless you prefer to remain anonymous
Do not include any PII or financial data.
VI. Processing Disclosures
What you can expect from us:
We will acknowledge that your Vulnerability Report has been received. We may contact you to discuss and validate your Vulnerability Report and supporting information. We may choose not to respond to any Vulnerability Reports that do not comply with this Policy or that concern out-of-scope systems or applications.
How we will process your Vulnerability Report:
We request that security researchers not share information about any suspected vulnerability for ninety (90) calendar days after we confirm receipt of your Vulnerability Report. Public disclosure of a vulnerability without available remediation or other mitigation could increase the security risk to our potentially affected systems.
We do claim ownership rights to Vulnerability Reports. However, by providing a Vulnerability Report to J. Crew, and as the security researcher submitting the report, the security researcher (on its own behalf or on behalf of its employer) hereby grants J. Crew and its related companies an irrevocable, perpetual, royalty-free, worldwide, sub-licensable right and license to the intellectual property in the Vulnerability Report to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of the Vulnerability Report in any manner and using any means now known or later discovered. The security researcher agrees to sign any documentation that may be required for us or our designees to confirm the rights granted herein. J. Crew reserves the right to share the Vulnerability Report with third parties, including any relevant governmental authority.
We require advance coordination with any security researcher who believes others should be informed of the suspected vulnerability before remediation. We will communicate to such researcher the steps being taken during the remediation process to address the reported vulnerabilities.
VII. Legal Compliance
Security researchers must comply with all applicable federal, state, and local laws in connection with security research activities and vulnerability reporting covered by this Policy. We do not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity, to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this Policy or applicable laws. For purposes of this Policy, unauthorized access or acquisition includes access by an employee or agent of another entity, or other third party, who is not the individual user of the application or system within the scope of this Policy, for purposes of commercial advantage or private financial gain. This Policy is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against J. Crew or related entities, its officers, employees, or agents, or any other person.
VIII. Effectiveness
This Policy is effective as of: January 9, 2024.
J. Crew may modify this Policy or terminate this Policy at any time in its sole and absolute discretion.
Questions regarding this policy may be sent to Responsible.Disclosure@jcrew.com. We also invite you to contact us with suggestions for improving this policy.