Vulnerability Disclosure PolicyVulnerability Disclosure Policy

adidas Foundation

December 9th, 2025

Introduction

The adidas Foundation is committed to protecting the security and privacy of our users, partners, and the public. We work continually to identify, remediate, and prevent security vulnerabilities within our systems. This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and the adidas Foundation will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines for Researchers

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after discovering a real or potential security issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction or manipulation of data.
• Use exploits only to the extent necessary to confirm the presence of a vulnerability. Do not attempt to exfiltrate data, establish persistent or shell access, pivot to other systems, or abuse the vulnerability further.
• Provide us with a reasonable amount of time to remediate the issue before publicly disclosing it.
• Do not submit high-volume, low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Test Methods Not Authorized

The following activities are strictly prohibited:

• Network denial-of-service attacks (DoS/DDoS) or any test that degrades service availability.
• Physical security testing (e.g., office access, tailgating, open doors).
• Social engineering (e.g., phishing, vishing, impersonation).
• Actions targeting systems or services belonging to third-party vendors, unless explicitly authorized by them.
• Any testing that violates applicable laws or regulations.

Scope

Your testing must be limited to the systems and services explicitly listed below.

In Scope:

• adidasfoundation.org/*

In-Scope Vulnerability Types:

• OWASP Top 10 vulnerabilities
• Remote Code Execution
• Broken Authentication / Broken Access Control
• Sensitive Data Exposure
• Server-side or client-side injection flaws

Out of Scope:

• Any system, domain, service, or application not explicitly listed as in scope.
• Systems operated by third-party vendors or partners.
• Third-party integrations or managed services where we cannot authorize testing.
• Non-production or not publicly accessible, internal systems.
• Findings related to UI/UX issues, spelling mistakes, cosmetic defects, physical security, social engineering, DoS/DDoS or rate-limiting bypasses and vulnerabilities requiring physical access.

If you are unsure whether a system is in scope, contact us at af_sec_portals@inova.si before starting testing.

Future Scope Expansion

The adidas Foundation will expand the scope of this VDP over time. Newly launched internet-accessible systems may be added implicitly (via wildcards) or explicitly through policy updates.

Reporting a Vulnerability

We accept vulnerability reports at: af_sec_portals@inova.si. Reports may be submitted anonymously. We will acknowledge receipt within 3 business days.

Information submitted under this policy will be used for defensive purposes only. If your findings include a vulnerability that affects others beyond the adidas Foundation, we may share details with appropriate coordinated disclosure organizations. We will not share your name or contact information without your express permission.

What We Would Like to See From You

In order to help us triage and prioritize submissions, we recommend that your reports:

• Describe the vulnerability, its classification and severity.
• Describe the location where the vulnerability was discovered (URL).
• Describe the potential impact of exploitation.
• Offer a detailed description of the steps needed to reproduce the vulnerability (POC scripts, screenshots or screen captures are helpful).
• Include a log of all activity related to your discovery, including your IP address(es) and timestamped requests.
• Be written in English, if possible.

What You Can Expect From Us

If you choose to share your contact information with us:

• We will acknowledge your report within 3 business days.
• We will communicate with you transparently about the validation of the issue, our remediation efforts and any delays or challenges.
• We will maintain an ongoing dialogue as we work toward resolution.
• We will not pursue legal action if you follow this policy in good faith.

Questions

Questions regarding this policy may be sent to af_sec_portals@inova.si. We also invite you to contact us with suggestions for improving this policy.