Vulnerability disclosure policy
Responsible disclosure
State Farm® is dedicated to maintaining the confidentiality, integrity and availability of State Farm systems and information. We care about protecting our customers and associates from the security risks of everyday life. If you find a potential security vulnerability while using www.statefarm.com or a mobile application, we want to hear about it.
State Farm’s expectations
When performing any actions relating to a potential security vulnerability, you must comply with all applicable laws and regulations, and act responsibly. For example, you should not take any action that has the potential to harm State Farm customers, associates, or business operations such as:
- Compromising, destroying, altering, exfiltrating or publicly disclosing information of State Farm, or its customers, associates, or contractors.
- Publicly disclosing the potential security vulnerability, including any exploit methodology or code, without the prior written consent of State Farm.
- Creating false records.
- Accessing data in any account that does not belong to you.
- Executing or attempting to execute a “Denial of Service” attack of any kind.
- Social engineering (e.g., phishing, pretext calling) or any other non-technical vulnerability testing.
- Using (e.g., uploading, emailing) malicious software or security tools that may cause damage to State Farm’s systems.
- Interacting with State Farm customers or contractors (e.g., unsolicited emails).
- Performing ongoing testing after disclosure.
In addition, you should immediately stop any activities and notify State Farm if you encounter any of the following:
- Personally identifiable information.
- Financial account information.
- Trade secret, confidential, or proprietary information.
What you can expect from State Farm
State Farm takes all potential security vulnerability disclosures seriously and will review them in an expedited manner. We will take action to address a validated disclosure, as applicable.
How to submit a potential security vulnerability
To notify State Farm of a potential security vulnerability, please use the submission form below. When completing the submission form, please include as much information as possible to help us recreate the issue. Security researchers should include a detailed technical description of the issue (e.g., screen captures of the issue, applicable URL(s), and the date and time the issue was noticed).
Please do not include sensitive personal information such as a Social Security number, credit/debit card number, or health/medical information.
By submitting the form below, you permit State Farm to use, disclose, modify, or create derivatives of any information provided.
Submission form