Vulnerability Disclosure Policy
Last updated on September 30, 2021
Root, Inc. is committed to ensuring the security of our customers and partners by protecting their information. We recognize and encourage the contributions of external security researchers to help us achieve this goal.
Guidelines
We require that researchers:
Notify us as soon as possible after you discover a real or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing.
Perform research only within the scope set out below.
Keep information about any vulnerabilities you’ve discovered confidential between yourself and Root, Inc. unless we’ve provided written permission to publicly disclose.
Safe Harbor
As long as you follow our guidelines, we will not recommend or pursue legal action related to your research.
Test methods
The following test methods are not authorized:
Network denial of service (DoS or DDoS) tests or other tests that degrade access to or damage our applications
Intentionally accessing, modifying, or destroying others’ Personally Identifying Information (PII). If you encounter PII, you must report the vulnerability immediately to us as stated below.
Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing, smishing), or any other non-technical vulnerability testing
Scope
This policy applies to the following systems and services:
*.joinroot.com
*.root-enterprise.com
Root Insurance mobile app for iOS and Android
Any service not expressly listed above, including third-party dependencies or integrations, is excluded from scope and is not authorized for testing. Vulnerabilities found in third-party systems should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@joinroot.com before starting your research.
Reporting a vulnerability
We accept vulnerability reports via email. In order to help us triage and prioritize submissions, please include the following in your report:
Description of the location where the vulnerability was discovered and the potential impact of exploitation.
Detailed description of steps to reproduce the vulnerability, and any helpful supporting material (PoC scripts, screenshots, etc.).
If the vulnerability you wish to report involves PII, do not submit any records containing PII. Instead, purge any related data from your system, contact Root with a general description of the vulnerability, and ensure that all PII is redacted from any screenshots you include.
We ask that you do not publicly disclose any details on the vulnerability without our written permission to do so. This will ensure we have sufficient time to complete our investigation and deploy any necessary remediations.
What you can expect from us
When you report a vulnerability to us, we commit to coordinating with you as openly and as quickly as possible.
Within 3 business days, we will acknowledge that your report has been received.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.
Other Terms and Conditions
Only use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
Avoid privacy violations, destruction of data, and interruption or degradation of our service.
Do not engage in any activity that can potentially or actually cause harm to Root, our customers, or our employees.
Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.
Questions / Feedback
If you have any questions regarding this policy, you can contact us at security@joinroot.com.