Vulnerability Disclosure Policy
Last updated on July 1, 2021
Root, Inc. is committed to ensuring the security of our customers and partners by protecting their information. We recognize and encourage the contributions of external security researchers to help us achieve this goal.
We require that researchers:
Notify us as soon as possible after you discover a real or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Perform research only within the scope set out below.
Keep information about any vulnerabilities you’ve discovered confidential between yourself and Root, Inc. unless we’ve provided written permission to publicly disclose.
As long as you follow our guidelines, we will not recommend or pursue legal action related to your research.
The following test methods are not authorized:
Network denial of service (DoS or DDoS) tests or other tests that degrade access to or damage our applications
Intentionally accessing, modifying, or destroying others’ Personally Identifying Information (PII). If you encounter PII, you must report the vulnerability immediately to us, and must not attempt to access more data.
Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
This policy applies to the following systems and services:
Root Insurance mobile app for iOS and Android
Any service not expressly listed above, including third-party dependencies or integrations, is excluded from scope and is not authorized for testing. Vulnerabilities found in third-party systems should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at firstname.lastname@example.org before starting your research.
Reporting a vulnerability
We accept vulnerability reports via email. In order to help us triage and prioritize submissions, please include the following in your report:
Description of the location where the vulnerability was discovered and the potential impact of exploitation.
Detailed description of the steps to reproduce the vulnerability, and any helpful supporting material (PoC scripts, screenshots, etc.).
If the vulnerability you are reporting involves PII, do not submit this data, and ensure that any PII is redacted from screenshots.
We ask that you do not publicly disclose any details on the vulnerability without our written permission to do so. This will ensure we have sufficient time to complete our investigation and deploy any necessary remediations.
What you can expect from us
When you report a vulnerability to us, we commit to coordinating with you as openly and as quickly as possible.
Within 3 business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.
Questions or feedback
If you have any questions regarding this policy, you can contact us at email@example.com.