
Canada Goose Inc.
External Program
Submit bugs directly to this organization
Canada Goose Inc. looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe.
Canada Goose Inc. will make reasonable efforts to meet the following response targets for hackers participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 2 days |
| Time to Triage | 10 days |
| Time to Resolution | depends on severity and complexity |
We’ll use reasonable efforts to keep you informed about our progress throughout the process.
• Follow HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines.
• Do not conduct social engineering (e.g., spearphishing, vishing, smishing) of Canada Goose personnel, third parties, contractors, or customers.
• Avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Only interact with accounts you own or with the explicit permission of the account holder.
• Common automated tooling including Acunetix, Nessus, and Qualys should be avoided. Such tools include payloads that could trigger state changes or damage production systems or data.
• Do not compromise the privacy or safety of Canada Goose personnel or any third parties.
• Do not compromise the intellectual property or other commercial or financial interests of any Canada Goose personnel or entities, or any third parties.
• Do not include any information that may identify an individual other than yourself (such as name, contact information, IP address, or other similar information) in your vulnerability report or any attachments.
# Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) the attack scenario/exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:
• Clickjacking on pages with no sensitive actions.
• Unauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Bugs requiring exceedingly unlikely user interaction (e.g., requiring a user to manually type in an XSS payload).
• Any activity involving Canada Goose Inc. physical locations, including but not limited to conducting physical attacks against assets (e.g., any equipment within Canada Goose facilities, stores, locks, Point of Sale (POS) systems, kiosks).
• Banner Exposure / Version Disclosure.
• Missing best practices in Content Security Policy.
# Crafting a Report
To help streamline our intake process, we ask that submissions include:
• One vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Description of the reported vulnerability.
• Your IP address. We will keep this data private and only use it to review logs related to your testing activity.
• Steps to reproduce the reported vulnerability.
• Proof of exploitability (e.g., screenshot, video).
• Perceived impact to another user or the organization.
• List of URLs and affected parameters.
• Other vulnerable URLs, additional payloads, Proof-of-Concept code.
• Browser, OS or app version used during testing.
• Do not use tiny-urls in reports.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
We may collect information that could reasonably be used to identify you (e.g., IP address). Canada Goose Inc uses this information to evaluate a reported vulnerability and protect products, services or information technology infrastructure. Canada Goose reserves the right to modify or terminate this program at any time.
Thank you for helping keep Canada Goose Inc. and our customers safe!