Security Vulnerability Disclosure Policy

Guidelines for security researchers and our commitment to maintaining a secure environment for our users.

Purpose

This policy provides security researchers with guidelines for conducting security testing and reporting vulnerabilities. We at PCFG Insurance value the contributions of the security research community in helping us maintain a secure environment for our users.

Scope

In-Scope Systems and Services

  • Primary domain (pcfginsurance.com) and all subdomains
  • Mobile applications (iOS and Android)
  • Public-facing APIs
  • Web applications and services
  • Production infrastructure

Out-of-Scope Systems

  • Third-party services and applications not owned by PCFG Insurance
  • Physical security testing
  • Social engineering attacks
  • Denial of Service (DoS) testing
  • Systems or services hosted by our vendors
  • Employee or customer personal accounts

Safe Harbor

We support good-faith security research and will not initiate legal action against researchers who:

  • Follow this policy
  • Make good-faith efforts to avoid privacy violations, data destruction, or service interruption
  • Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue
  • Do not disclose vulnerabilities to third parties prior to our remediation

Guidelines for Testing

Security researchers MUST:

  • Only test against test accounts you own
  • Not modify, delete, or store any data
  • Not disclose vulnerabilities to third parties prior to our remediation
  • Not use automated testing tools that may impact system availability
  • Cease testing and notify us immediately if you encounter sensitive data

Reporting Process

Submit reports by email to security@pcfginsurance.com. Encrypt reports containing sensitive details with our PGP key (see Contact Information below). No separate reporting or bug bounty platform is currently in use.

Include in your report:

  • Detailed description of the vulnerability
  • Step-by-step reproduction instructions
  • Proof of concept (if applicable)
  • Impact assessment
  • Screenshots or videos demonstrating the issue
  • Discovery date
  • Your contact information

Response Timeline

  • Initial response: within 24 hours
  • Vulnerability triage: within 3 days
  • Status updates: every 5 business days
  • Fix implementation: based on severity (see below)

Fix Implementation Timeline:

  • Critical: 7 days
  • High: 14 days
  • Medium: 30 days
  • Low: 90 days

Severity Classifications

Critical

  • Remote code execution
  • Access to production databases
  • Exposure of authentication credentials
  • Privilege escalation to admin

High

  • SQL injection
  • Authentication bypass
  • Cross-site scripting (stored)
  • Direct object references exposing sensitive data

Medium

  • Cross-site scripting (reflected)
  • Cross-site request forgery
  • Server misconfiguration
  • Information disclosure

Low

  • Missing security headers
  • SSL/TLS configuration issues
  • Clickjacking
  • Non-sensitive information disclosure

Rewards and Recognition

Acknowledgment

  • Researchers will be credited on our security acknowledgments page (with permission)
  • Detailed findings may be published after remediation (in coordination with the researcher)

Disclosure Policy

  • Please provide 90 days for remediation before any disclosure
  • Coordinate disclosure timing with our security team
  • Public disclosure must exclude sensitive details that could harm users

Contact Information

Security Team Email

security@pcfginsurance.com

PGP Key

https://pcfginsurance.com/pgp-key.txt

Emergency Contact

+1 (877) 717-7234

Policy Updates

This policy was last updated on December 13, 2024. We reserve the right to update this policy at any time. Major changes will be announced through our security mailing list.

Related Information

  • Privacy Policy: how we protect and handle your personal information.
  • Terms of Service: our complete terms of service and usage policies.
  • Contact Us: questions about our security practices.