Inditex Responsible Disclosure Policy
Brand Promise
The safety and security of our customers’, suppliers’ and employees’ data and any sensitive information, as well as the reliability of the IT services we use to manufacture and market our products, are of utmost importance to the Inditex Group (hereinafter, “Inditex”). It is our commitment to deter any action directed against the confidentiality, integrity and availability of our computer systems, networks and computer data, as well as the misuse of such systems, networks and data for fraudulent activities, cybercrime offences or actions against the safety and security of our customers, suppliers and employees.
An effective fight against these matters requires, on the one hand, collaborating with institutions and authorities to help mitigate the commission of cybercrimes or illegal actions; on the other, designing and implementing this Vulnerability Disclosure Policy (hereinafter, “Policy”), which describes Inditex’s terms and conditions with regard to any unsolicited report of potential IT vulnerabilities that could be exploited by threat actors against us, our customers, suppliers or employees.
Inditex cares deeply about maintaining trust and confidence and strongly believes that close collaboration with researchers and reporters improves security. If you are a security researcher or a reporter who has found a vulnerability in an Inditex service, we would like to hear from you.
According to the ENISA definition, vulnerabilities are ‘flaws’ or ‘mistakes’ in computer-based systems that may be exploited to compromise the network and information security of the affected systems.
Reporters must review, understand, and abide by the following terms and conditions included in the Policy before conducting any research or testing. In addition, Inditex encourages reporters to act in a responsible way in the reporting process.
A reporter’s compliance with the terms and conditions of this Policy will be considered by Inditex as authorized conduct in accordance with the applicable national laws. Failure to abide by these terms and conditions will result in the reporter no longer being considered a security researcher or reporter under the Policy.
Inditex reserves all legal rights in the event of any non-compliance with this Policy or of non-compliance with local laws.
Company
Inditex is one of the world's largest fashion retailers, with eight brands (Zara, Pull & Bear, Massimo Dutti, Bershka, Stradivarius, Oysho, Zara Home and Uterqüe) selling in 202 markets through its online platform and over 7,000 stores in 96 markets.
Scope
Customers, users, researchers, partners and any other person that interacts with Inditex’s IT services may voluntarily report in good faith any potential security vulnerabilities to us. Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from Inditex will render the submission noncompliant with this Policy.
Inditex does not accept, review or consider any unsolicited ideas, works, materials, proposals, suggestions or the like, including for products, services, technologies, product enhancements, processes, marketing strategies, product names, content or creative materials (all the foregoing, “unsolicited idea submissions”). Do not send or provide any unsolicited idea submissions in any form to Inditex. Should you ignore our request and still submit them, then regardless of what your correspondence says, you agree that: (1) your unsolicited idea submissions and their contents, along with related intellectual property rights, will automatically become the property of Inditex, without any compensation to you; (2) Inditex may use or redistribute the unsolicited idea submissions and their contents for any purpose and in any way on an unrestricted basis; (3) there is no obligation for Inditex to review the submissions; and (4) there is no obligation to keep any submissions confidential.
Out of Scope
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions.
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS.
- Rate limiting or brute-force issues on non-authentication endpoints.
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies.
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities only affecting users of outdated or unpatched browsers (less than 2 stable versions behind the latest released stable version).
- Software version disclosure, banner identification issues, or descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing.
For further information on the program scope, please visit the Responsible Disclosure details page.
Disclosure Policies
The following principles are considered key aspects of this Policy:
- Good faith.
- Lawfulness of activity.
- Data Protection.
- Security of information.
- No extortion nor bribery.
- Security improvement: don’t leave any system more vulnerable than before the test.
- Third party ownership: don’t disturb, compromise, or damage data or property owned by third parties.
Inditex encourages reporters to do no harm and not to exploit any vulnerability beyond the minimal amount of testing required to prove that it exists or to identify an indicator related to it. Avoid accessing the content of any communication, data or information transiting or stored on the Inditex domains and information systems mentioned above, except to the extent that it is directly related to a vulnerability.
Once a reporter finds a vulnerability or encounters sensitive data, they must stop testing and notify Inditex of their findings.
How to report Vulnerabilities
We encourage security researchers and reporters to share the details of any suspected vulnerabilities with Inditex. Your submission will be reviewed and validated to determine whether the finding is valid and has not been previously reported. The preferred method for contacting Inditex regarding such vulnerabilities is the form on this page. The form saves reporters from having to spend valuable time and resources looking for an appropriate contact. By submitting it, you confirm that you have read, understood and agree with the terms and conditions of this Policy.
We require security researchers to include detailed information, with steps for us to reproduce the vulnerability. If you identify a valid security vulnerability in compliance with this Policy, Inditex commits to working with you to understand and validate the issue and to addressing the risk (if deemed appropriate by Inditex).
Inditex highly appreciates the efforts made by the reporting party in identifying the vulnerability. Reporting such vulnerabilities as soon as they are detected will contribute to improving the security and reliability of our services.
- Supplying your contact information with your report is entirely voluntary and at your discretion.
- Inditex will make use of all reports that are submitted; both those submitted anonymously and those with contact information.
- If you do submit your contact information, the data controller will be Industria de Diseño Textil, S.A. (Inditex, S.A.), with postal address Avda. de la Diputación, Edificio Inditex, 15143, Arteixo (A Coruña), España, which will only use such information to get in touch with you to clarify the details of your report, if that is necessary, and for any other management tasks related to the report. The legal basis for the data processing is the execution of the conditions established in this Policy. We may share your contact information with service providers and collaborators that support us in the management and execution of this Policy. You may contact the data protection officer through the email address dataprotection@inditex.com, and contact the data controller at the same email address to exercise your data protection rights, including the reference “Vulnerability Disclosure Policy”, and for further information about the processing of your personal data. Your contact information will be stored for as long as it is necessary for the above-mentioned purpose and for compliance with legal obligations. Likewise, we inform you that you have the right to file a claim with the competent data protection regulatory authority (https://www.agpd.es/portalwebAGPD/index-ides-idphp.php).
Apart from the above, and as part of your disclosure, please provide the following information:
- Solid and adequate evidence to prove the existence of the vulnerability (screenshot, link, etc.).
- Timeline or some information about the moment the vulnerability was discovered.
- Any type of information deemed necessary to identify, locate and resolve the vulnerability in the fastest and most efficient way possible.
Your Commitment
By making a report to Inditex using the form on this page, or otherwise communicating a report to Inditex, regarding vulnerabilities, you agree to the following terms:
- Respect our privacy. Contact us immediately if you access anyone else’s data, personal or otherwise. This includes usernames, passwords, and other credentials. The mentioned data is confidential. You must not save, store, disclose or broadcast this information.
- Act in good faith. You should report the vulnerability to us with no conditions attached.
- You have not exploited or used in any manner and will not exploit or use in any manner (other than for the purposes of reporting to Inditex), the discovered vulnerabilities.
- You have not engaged, and will not engage, in testing/research of systems with the intention of harming Inditex, its customers, employees, partners or suppliers.
- You have not used, misused, deleted, altered, or destroyed, and will not use, misuse, delete, alter, or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered.
- You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service, or resource-exhaustion attacks or unsolicited mail.
- You are not authorized to attack any device or account other than your own.
- You have not tested, and will not test, the physical security of any property, building, plant, or factory of Inditex.
- You have not breached, and will not breach, any applicable laws in connection with your report and your interaction with the Inditex product or service that led to your report.
- You agree not to disclose to any third party any information related to your report or the vulnerabilities reported, nor the fact that a vulnerability has been reported to Inditex.
- You agree not to test in a manner that would degrade or affect the operation of any Inditex systems or compromise the privacy and security of our customers. You shall not test in a way that disturbs or corrupts Inditex operations or services.
- You agree not to post, transmit, upload, link to, send, or store any malicious software.
- You agree not to breach any third-party intellectual property rights.
- You agree not to process any personal data to which you may have access except for the purpose of communicating it to Inditex. In this case, it will be done with the utmost confidentiality, in compliance with the data protection principles and applying the necessary technical and organizational security measures.
- You agree not to access, download, or modify data residing in an account that does not belong to you.
- Inditex does not guarantee that you will receive any response from Inditex related to your report. Inditex will only contact you regarding your report if Inditex deems it necessary.
- You agree that you are making your report for the common good, without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities reported are corrected by Inditex.
- You agree not to disclose any vulnerability without express written consent from Inditex.
- You agree to submit vulnerabilities using the form included on this website.
- You agree not to use your relationship with Inditex for marketing or financing activities.
- You agree to destroy/delete any information regarding the vulnerability once it has been communicated to Inditex.
- Inditex may use your report for any purpose deemed relevant by Inditex, including without limitation, for the purpose of correcting any vulnerabilities that are reported and that Inditex deems to exist and to require correction. Should you propose any changes and/or improvements to an Inditex product or service in your report, you agree that you are submitting an “unsolicited idea submission” which shall be subject to the specific terms and conditions described in the Scope section of this Policy.
- Inditex reserves all its legal rights in the event of noncompliance with this Policy, but in accordance with its safe harbor policy it does not intend to pursue civil or criminal legal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.
- You acknowledge and agree that Inditex takes no responsibility or liability for the participation of any other party (if applicable) in the verification process or in any other matter related to this page and its aim. Inditex is not responsible for liabilities that reporters incur from actions performed on third parties. Inditex cannot authorize any activity on third parties’ products or guarantee that they will not pursue legal action against reporters.
- You represent and warrant that the unsolicited idea submissions and the reports you deliver to us do not infringe upon any third parties’ rights, including, without limitation, intellectual property rights.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Responsible Disclosure Guidelines
- Adhere to all legal terms and conditions outlined at responsibledisclosure.com.
- Work directly with ResponsibleDisclosure.com on vulnerability submissions.
- Provide a detailed description of a proof of concept to allow reproduction of the vulnerabilities.
- Do not engage in disruptive testing such as DoS or any action that could impact the confidentiality, integrity or availability of information and systems.
- Do not engage in social engineering or phishing of customers or employees.
- Do not request compensation for time and materials or for vulnerabilities discovered.