Vulnerability Disclosure Policy
State Farm is dedicated to maintaining the confidentiality, integrity and availability of State Farm systems and information. We care about protecting our customers and associates from the security risks of everyday life. If you have noticed an information security issue in a State Farm system while using www.statefarm.com or a State Farm mobile application, we want to hear about it.
We ask that you disclose information security issues in a responsible way and in accordance with this Vulnerability Disclosure Policy. State Farm will work to address the issue in a timely fashion. As long as you comply with this policy in disclosing information security issues to State Farm, State Farm will not take legal action against you or revoke access to State Farm applications.
State Farm takes information security seriously. We reserve all legal rights in the event of noncompliance.
We will be as transparent with you as we can. We will work with you as necessary to understand the issue. If we see the issue as a false positive or if we already know about the issue, we will tell you.
If the issue can be validated:
- We will describe the priority of the issue as we see it.
- Where possible, we will send periodic updates regarding status.
One of our goals is to address issues as quickly as possible while limiting negative impacts to our customers. In order to do this, we need your help:
- Regardless of the impact, you agree not to compromise State Farm information or State Farm information systems.
- Please disclose issues using the Vulnerability Disclosure Communication form located on this web page.
- For scoring, please follow Bugcrowd’s vulnerability taxonomy found here.
- Please provide valid contact information.
- Please respond when we have a question for you.
- Please include as much information as possible to help us to recreate the issue.
- Security researchers should include a detailed technical description of the issue.
- Examples of other pertinent technical details:
  - Screen captures of the issue.
  - URL where the issue occurs.
  - The ID used to log in with.
  - The time of day you noticed the issue, etc.
  - Your source IP.
    - (To find your source IP, go to any major search engine, enter “what is my IP” in the search box, and search. The number returned will look something like this: 255.255.255.255.)
If you have done (or could have done) harm to State Farm customers, the State Farm business, State Farm associates, or State Farm vendors, you are in noncompliance with this policy.
Examples of noncompliance include, but are not limited to:
- Disclosure of an Information Security issue publicly (e.g. on social media) without the written consent of State Farm. This includes exploit methodology or code.
- Disclosure of any data (e.g. customer records, passwords) publicly (e.g. in a chat room, on social media, to your friends).
- Creating records that are fraudulent.
- Accessing or modifying data in an account that does not belong to you.
- Executing or attempting to execute a “Denial of Service” attack of any kind.
- Social Engineering (e.g. phishing, pretext calling).
- Using (e.g. uploading, emailing) malicious software or security tools.
- Any interaction with State Farm customers (e.g. unsolicited email).
- Any interaction (i.e. communications, testing) with State Farm vendors.
- Performing ongoing testing after disclosure.
For your protection, please do not include sensitive personal information such as social security number, credit/debit card number, or health/medical information.