This policy provides security researchers with guidelines for conducting security testing and reporting vulnerabilities. We at PCFG Insurance value the contributions of the security research community in helping us maintain a secure environment for our users.
Scope
In-Scope Systems and Services
Primary domain (pcfginsurance.com) and all subdomains
Mobile applications (iOS and Android)
Public-facing APIs
Web applications and services
Production infrastructure
Out-of-Scope Systems
Third-party services and applications not owned by PCFG Insurance
Physical security testing
Social engineering attacks
Denial of Service (DoS) testing
Systems or services hosted by our vendors
Employee or customer personal accounts
Safe Harbor
We support good-faith security research and will not initiate legal action against researchers who:
Follow this policy
Make good-faith efforts to avoid privacy violations, data destruction, or service interruption
Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue
Guidelines for Testing
As a security researcher, you MUST:
Only test against test accounts you own
Not modify, delete, or store any data
Not disclose vulnerabilities to third parties prior to our remediation
Not use automated testing tools that may impact system availability
Cease testing and notify us immediately if you encounter sensitive data
This policy was last updated on December 13, 2024. We reserve the right to update this policy at any time. Major changes will be announced through our security mailing list.