Vulnerability Disclosure Policy

Last updated on September 30, 2021

Root, Inc. is committed to ensuring the security of our customers and partners by protecting their information. We recognize and encourage the contributions of external security researchers to help us achieve this goal.

Guidelines

We require that researchers:

  • Notify us as soon as possible after you discover a real or potential security issue.

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

  • Perform research only within the scope set out below.

  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Root, Inc. unless we’ve provided written permission to publicly disclose.

Safe Harbor

As long as you follow our guidelines, we will not recommend or pursue legal action related to your research. 

Test methods

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that degrade access to or damage our applications

  • Intentionally accessing, modifying, or destroying others’ Personally Identifying Information (PII). If you encounter PII, you must report the vulnerability immediately to us as stated below.

  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing, smishing), or any other non-technical vulnerability testing

Scope

This policy applies to the following systems and services:

  • *.joinroot.com

  • *.root-enterprise.com

  • Root Insurance mobile app for iOS and Android

Any service not expressly listed above, including third-party dependencies or integrations, is excluded from scope and is not authorized for testing. Vulnerabilities found in third-party systems should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope, contact us at security@joinroot.com before starting your research.

Reporting a vulnerability

We accept vulnerability reports via email. In order to help us triage and prioritize submissions, please include the following in your report:

  • Description of the location where the vulnerability was discovered and the potential impact of exploitation.

  • Detailed description of steps to reproduce the vulnerability, and any helpful supporting material (PoC scripts, screenshots, etc).

  • If the vulnerability you wish to report involves PII, do not submit any records containing PII. Instead, purge any related data from your system, contact Root with a general description of the vulnerability, and ensure that all PII is redacted from any screenshots you include.

We ask that you do not publicly disclose any details on the vulnerability without our written permission to do so. This will ensure we have sufficient time to complete our investigation and deploy any necessary remediations. 

What you can expect from us

When you report a vulnerability to us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 3 business days, we will acknowledge that your report has been received.

  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

  • We will maintain an open dialogue to discuss issues.

Other Terms and Conditions

  • Only use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.

  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. 

  • Do not engage in any activity that can potentially or actually cause harm to Root, our customers, or our employees.

  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.

Questions / Feedback

If you have any questions regarding this policy, you can contact us at security@joinroot.com.