Vulnerability disclosure policy

Responsible disclosure

State Farm® is dedicated to maintaining the confidentiality, integrity and availability of State Farm systems and information. We care about protecting our customers and associates from the security risks of everyday life. If you find a potential security vulnerability while using www.statefarm.com or a mobile application, we want to hear about it.

State Farm’s expectations

When performing any actions relating to a potential security vulnerability, you must comply with all applicable laws and regulations, and act responsibly. For example, you should not take any action that has the potential to harm State Farm customers, associates, or business operations, such as:

  • Compromising, destroying, altering, exfiltrating or publicly disclosing information of State Farm, or its customers, associates, or contractors.
  • Publicly disclosing the potential security vulnerability, including any exploit methodology or code, without the prior written consent of State Farm.
  • Creating false records.
  • Accessing data in any account that does not belong to you.
  • Executing or attempting to execute a “Denial of Service” attack of any kind.
  • Social engineering (e.g., phishing, pretext calling) or any other non-technical vulnerability testing.
  • Using (e.g., uploading, emailing) malicious software or security tools that may cause damage to State Farm’s systems.
  • Interacting with State Farm customers or contractors (e.g., unsolicited emails).
  • Performing on-going testing after disclosure.

In addition, you should immediately stop any activities and notify State Farm if you encounter any of the following:

  • Personally identifiable information.
  • Financial account information.
  • Trade secret, confidential, or proprietary information.

What you can expect from State Farm

State Farm takes all potential security vulnerability disclosures seriously and will review them in an expedited manner. We will take action to address a validated disclosure, as applicable.

How to submit a potential security vulnerability

To notify State Farm of a potential security vulnerability, please use the submission form below. When completing the submission form, please include as much information as possible to help us recreate the issue. Security researchers should include a detailed technical description of the issue (e.g., screen captures of the issue, applicable URL(s), and the date and time the issue was noticed).

Please do not include sensitive personal information such as a Social Security number, credit/debit card number, or health/medical information.

By submitting the form below, you permit State Farm to use, disclose, modify, or create derivatives of any information provided.

Submission form

Note: All fields are required unless marked optional.

Summary title

Help us get an idea of what this vulnerability is about.

Target

Select the vulnerable target. Targets that are not explicitly in scope may not be eligible for acceptance.

Technical severity

Vulnerability details

For example: https://secure.server.com/some/path/file.php

Description

Provide a proof of concept or replication steps.

Maximum 25,000 characters.

Attachments

Attach proof-of-concept scripts, screenshots, screen recordings, etc.

Please keep total upload size under 20MB.