Levi Strauss & Co.'s Responsible Disclosure Policy

Levi Strauss & Co. (LS&Co.) cares about protecting the information of our consumers. In addition to employing physical, technical, and administrative safeguards to maintain the trust consumers have placed in us, we value the expertise that is available in the public research community. LS&Co. encourages security researchers to promptly report discovered vulnerabilities in accordance with our Responsible Disclosure Policy and Terms of Use. LS&Co. reserves all legal rights in the event of noncompliance with these policies.

Reporting Security Vulnerabilities

If you believe you have discovered a security vulnerability, please share the details with LS&Co. promptly by filling in the form below. Please do not contact LS&Co. directly (e.g. email, customer support) to report your finding.

Your report will be forwarded to our partner (Bugcrowd) for acknowledgement and verification. Initial Technical Severity should be set according to the Bugcrowd Vulnerability Rating Taxonomy. Depending on the impact specific to LS&Co., the severity may be adjusted at our discretion.

LS&Co. will work with you to validate and respond to submissions, but your initial report should contain sufficient details to allow our teams to reproduce and investigate the issue.

Our Commitment

If you identify a security vulnerability in compliance with this Responsible Disclosure Policy, LS&Co. commits to:

  • Communicating with you to understand and validate the issue
  • Providing an assessment on the priority of the issue from LS&Co.’s perspective
  • Working to resolve the finding (if deemed appropriate by LS&Co.)

Noncompliance

To protect our consumers, employees, and business, we require that security researchers maintain compliance with this policy. LS&Co. will consider any submission as noncompliant if the submission is publicly disclosed without the express written consent of LS&Co. Additionally, any testing must avoid impacting the confidentiality, integrity, and availability of LS&Co. systems. Examples of noncompliance include, but are not limited to:

  • Accessing, downloading, or modifying data residing in an account that does not belong to you
  • Downloading, collecting, or otherwise retaining personal information of LS&Co. customers or employees encountered in the course of your research
  • Executing, or attempting to execute, any “Denial of Service” attack
  • Interacting with any LS&Co. consumers or business partners (e.g. unsolicited email)
  • Using Phishing or Social Engineering techniques
  • Attempting to compromise third party platforms or services that integrate with LS&Co. systems
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software
  • Requiring monetary compensation in exchange for vulnerability submissions

By submitting this form, you agree to LS&Co.’s Terms of Use.

Submission form