Equifax Vulnerability Disclosure Program Policy

Purpose

This policy is intended to give security researchers and other participants in the security community clear guidelines under the Equifax Vulnerability Disclosure Program for conducting vulnerability discovery activities directed at web properties owned or operated by Equifax Inc., its affiliates, or subsidiaries (“Equifax”), and submitting discovered vulnerabilities to Equifax. Your participation in the program is voluntary and subject to the terms and conditions set forth on this page. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy; you are subject to:

• HackerOne’s Disclosure Guidelines
• Finder Terms and Conditions
• General Terms and Conditions.

Overview

Maintaining the security of our networks is a priority at Equifax. The security community regularly makes valuable contributions to the security of organizations and Equifax recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in an Equifax system or web application, we want to hear from you!

Information submitted to Equifax under this program will be used for defensive purposes – to mitigate or remediate vulnerabilities in our networks or applications, or the applications of our vendors.

As part of this program, you must review, understand, and agree to the following terms and conditions before conducting any testing of Equifax networks and before submitting a report. Thank you.

Scope

Any public-facing system owned, operated, or controlled by Equifax, including web applications hosted on those sites.

Guidelines

• Your activities are limited exclusively to: 1. Testing to detect a vulnerability or identify an indicator related to a vulnerability; or 2. Sharing with, or receiving from, Equifax information about a vulnerability or an indicator related to a vulnerability.
• You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
• You avoid intentionally accessing the content of any communications, data, or information transiting or stored on Equifax information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
• You do not exfiltrate, alter, or destroy any data under any circumstances.
• You do not compromise the privacy or safety of Equifax personnel or any third parties.
• You do not compromise the intellectual property or other commercial or financial interests of any Equifax personnel or entities, or any third parties.
• You do not publicly disclose or share with any third-party any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Equifax.
• You do not conduct denial of service testing or other testing that impacts the availability of Equifax services.
• You do not conduct social engineering, including spear phishing, of Equifax personnel, contractors, customers.
• You do not attempt to gain physical access to any of our offices or data centers.
• You do not include any information that may identify an individual other than yourself (such as name, contact information, IP address, or other similar information) in your vulnerability report or any attachments thereto
• You do not submit a high-volume of low-quality reports.
• If at any point you are uncertain whether to continue testing, please engage with the HackerOne team at [email protected].

How to Submit a report

Please provide a detailed summary of the vulnerability, including: *Type of issue *Product *Version *Configuration of software containing the bug *Step-by-step instructions to reproduce the issue, and if applicable, to remediate it *Proof-of-concept *Impact of the issue

By clicking “Submit report” you are indicating that you have read, understand, and agree to the terms and conditions described in this Policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to Equifax information systems, and consent to having the contents of the communication and follow-up communications stored on an Equifax information system in the United States.

What You Can Expect From Us

Equifax remains committed to coordinating with you as openly and quickly as possible under the circumstances. We will aim to respond to new reports within five business days. We will investigate reports based on information available and may contact you for further information. Please note, reports marked as triaged are subject to change pending our team’s final analysis. We’ll try to keep you informed about our progress throughout the process.

Legal

You must comply with Equifax’s Terms of Use, security industry best practices, and all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. You agree that any and all information acquired or accessed as part of this exercise is confidential to Equifax and you shall hold all such information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information to third parties or use such information for any purposes other than for the performance of your work or expressly authorized in writing by Equifax.

Equifax does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-Equifax entity (e.g., Federal departments or agencies; State, local, or tribal governments; other private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Equifax third party may independently determine whether to pursue legal action or remedies related to such activities.

By submitting a report to Equifax, you grant to Equifax Inc., its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of information or material submitted. You must notify us if any part of your report is not your own work or is the intellectual property of a third-party.

Equifax may modify the terms of this policy or terminate the policy at any time.