Get a quote

Vulnerability Disclosure Policy

Last updated on July 1, 2021

Root, Inc. is committed to ensuring the security of our customers and partners by protecting their information. We recognize and encourage the contributions of external security researchers to help us achieve this goal.

Guidelines

We require that researchers:

  • Notify us as soon as possible after you discover a real or potential security issue.

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.

  • Perform research only within the scope set out below.

  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and Root, Inc. unless we’ve provided written permission to publicly disclose.

Safe harbor

As long as you follow our guidelines, we will not recommend or pursue legal action related to your research. 

Test methods

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that degrade access to or damage our applications

  • Intentionally accessing, modifying, or destroying others’ Personally Identifying Information (PII). If you encounter PII, you must report the vulnerability immediately to us, and must not attempt to access more data.

  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Scope

This policy applies to the following systems and services:

  • *.joinroot.com

  • *.root-enterprise.com

  • Root Insurance mobile app for iOS and Android

Any service not expressly listed above, including third-party dependencies or integrations, are excluded from scope and are not authorized for testing. Vulnerabilities found in third-party systems should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@joinroot.com before starting your research.

Reporting a vulnerability

We accept vulnerability reports via email. In order to help us triage and prioritize submissions, please include the following in your report:

  • Description of the location where the vulnerability was discovered and the potential impact of exploitation.

  • Detailed description of steps to reproduce the vulnerability, and any helpful supporting material (PoC scripts, screenshots, etc).

  • If the vulnerability you are reporting involves PII, do not submit this data, and ensure that any PII is redacted from screenshots.

We ask that you do not publicly disclose any details on the vulnerability without our written permission to do so. This will ensure we have sufficient time to complete our investigation and deploy any necessary remediations. 

What you can expect from us

When you report a vulnerability to us, we commit to coordinating with you as openly and as quickly as possible.

  • Within 3 business days, we will acknowledge that your report has been received.

  • To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.

  • We will maintain an open dialogue to discuss issues.

Questions or feedback

If you have any questions regarding this policy, you can contact us at security@joinroot.com.

Car insurance FAQCar insurance coverageRenters insuranceHomeowners insuranceClaimsTest driveReferralsContactInvestor relations

Root Inc.

80 E. Rich Street

Suite 500

Columbus, OH 43215

Copyright ROOT 2021. ROOT is a registered servicemark of Root Insurance Company, Columbus, OH. Disclaimer for quotes: We reserve the right to refuse to quote any individual a premium rate for the insurance advertised herein. Disclaimer for coverage: Coverage is available in the event of a covered loss. Exclusions may apply. Not available in all states. Disclaimer for savings: Based on savings reported by actual customers who purchased a new Root policy between October 2019 - July 2020; changes in coverage levels not evaluated. For California residents: Telematics is not used and resulting represented savings are not applicable. Referral program not applicable. Roadside Assistance purchased as separate coverage. Visit joinroot.com/califaq for more information. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.