Our security team's priority is protecting the privacy and integrity of data for both our customers and our company. We look forward to working with the security community to find and identify vulnerabilities in order to keep our business and customers safe.
If you have a finding that fits the scope below, please contact us at disclosure@ae.com. We can then invite you to work with us through our HackerOne program page.
Program Guidelines & Scope
The Program applies to security vulnerabilities found within American Eagle's Environment, which includes the American Eagle website (www.ae.com), api.ae.com, and our mobile iOS and Android applications (AE + Aerie).
Typically, in-scope submissions will include critical/high impact vulnerabilities, or a vulnerability that could realistically place the online security of American Eagle or its customers at risk. Qualifying vulnerability characteristics include:
Program Interests
Areas we are interested in include:
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
Program Exclusions
Reports that fall outside the scope or guidelines detailed here, such as the examples below, are not eligible for this program.
Please do not contact us about low-severity bugs, findings from automated scanners, false reports, reports lacking evidence of a vulnerability, or hypothetical vulnerabilities.
Responsible Disclosure Policy
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep American Eagle and our users safe!