Responsible Disclosure

Our security team's priority is protecting the privacy and integrity of data for both our customers and company. We look forward to working with the security community to find & identify vulnerabilities in order to keep our business and customers safe

If you have a finding that fits the scope below – please contact us at disclosure@ae.com. We can then invite you to work with us through our HackerOne program page.

Program Guidelines & Scope

The Program applies to security vulnerabilities found within American Eagle's Environment, which includes the American Eagle website (www.ae.com), api.ae.com, and our mobile IOS and Android applications (AE +Aerie).

Typically, in-scope submissions will include critical/high impact vulnerabilities, or a vulnerability that could realistically place the online security of American Eagle or its customers at risk. Qualifying vulnerability characteristics include:

• Directly or indirectly affect the confidentiality or integrity of user data or privacy

• Compromise the integrity of the system

• Enable unauthorized access to significant data or resources

• Enable the running of unauthorized code

• Interfere with or bypass security controls or mechanisms

• Are exploitable (i.e. not purely theoretical)

Program Interests

Areas we are interested include:

• Cross-site scripting (XSS)

• Cross-site request forgery (CSRF/XSRF)

• Remote command execution

• Improper Input Validation

• SQL Injection

• Authentication bypass resulting in access to a user's account and private data.

• Access to production secrets such as access tokens that can be used to copy sensitive data.

• Data exposure

• Alert/notification spoofing

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged. Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact. When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced). Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.

Program Exclusions

Below are examples outside the scope or guidelines detailed here are not eligible for this program.

• Do not disclose the potential security issue to any third party without written permission by American Eagle Outfitter's.

• Do not access customer or employee personal information - stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials

• Do not degrade the American Eagle user experience, disrupt production systems, or destroy data during security testing

• Attacks against American Eagle's infrastructure (DoS)

• Social engineering, Phishing, and physical attacks against American Eagle Users, Employee's, or data centers.

• When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account

Please do not contact us about low-severity bugs, findings from automated scanners, false reports, reports lacking evidence of a vulnerability, or hypothetical vulnerabilities.

Responsible Disclosure Policy

• As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.

• Adhere to all guidelines and terms related to the program, including those on this page

• Follow HackerOne's disclosure guidelines.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep American Eagle and our users safe!