Vulnerability Disclosure Policy
SharkNinja and its affiliates (“SharkNinja”) are committed to protecting the confidentiality of consumer and employee personal information and the availability of its websites and information systems. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us for review. We encourage you to contact us to report vulnerabilities in our websites, systems and products.
If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized we will work with you to understand and resolve reported issues quickly. SharkNinja will not recommend or pursue legal action related to your research.
Please note that SharkNinja does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential security concerns or vulnerabilities.
Guidelines
SharkNinja suggests the following guidelines for researchers who may report a vulnerability or conduct legitimate research. Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems and destruction or manipulation of data
- Only use exploits to the extent necessary to confirm the presence of a vulnerability
- Do not use an exploit to compromise or exfiltrate data, establish persistent unauthorized access or use the exploit to pivot to other systems
- Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.
Reporting a Vulnerability
Please email privacy@sharkninja.com to report a vulnerability. To help us triage and prioritize submissions, we recommend that your report includes:
- When the vulnerability or issue was identified
- Describe the system or product for which the vulnerability was discovered
- Describe the steps needed to reproduce the vulnerability
- Any remediation suggestions or ideas to address the vulnerability
SharkNinja commits to acknowledging all submissions within 3 business days and appreciates participation in this program.
For vulnerability disclosures related to connected (or “IoT”) products, SharkNinja will provide regular updates until the reported vulnerability is resolved.
Scope
The scope of this program includes all SharkNinja websites owned or licensed by the company; all Internet-facing business systems; and Internet-connected products and mobile associated applications. The program does not include:
- Social engineering or phishing campaigns directed at SharkNinja employees
- Denial of Service (DoS) attacks against SharkNinja websites or business applications
- Any other unauthorized activities intended for malicious intent
Please contact SharkNinja at privacy@sharkninja.com with questions about this program or to report a vulnerability.