Responsible Disclosure Program

The Standard invites you to help the company bolster its existing security measures and adapt to new electronic threats. The security and privacy of clients' confidential information are important to us, and we take our responsibility of protecting this information seriously. We use technical, administrative and physical controls to safeguard this data.

We want to hear from security researchers who have information related to suspected security vulnerabilities on any of The Standard's services exposed to the internet. We value your work and are committed to working with you. Please report vulnerabilities to us in accordance with this Responsible Disclosure Program. Thank you in advance for your contribution.

Reporting a Vulnerability

Please send us vulnerabilities you identify. If you discover personally identifiable information while exploring a suspected security vulnerability, we ask that you cease your investigation and report the vulnerability that led to such discovery immediately.

The report should include sufficient information for us to validate and reproduce the issue, including:

  • The service affected, such as the URL, IP address or product version.
  • A detailed description of the vulnerability.
  • A description of how the vulnerability was discovered (including tools that were used) or what steps you were taking when you encountered the vulnerability.
  • A description of the impact of the vulnerability and likely attack scenario.
  • Proof of concept, or PoC, code, if applicable; alternatively, please supply reproduction instruction demonstrating how the vulnerability might be exploited.
  • A suggested patch or remediation action if you are aware of how to fix the vulnerability.

If you identify a vulnerability in accordance with this program, The Standard commits to working with you to understand, validate and address the vulnerability appropriately per the assessed risk.

By submitting your report to The Standard:

  • You agree not to publicly disclose the vulnerability until The Standard agrees to a public disclosure.
  • You agree to keep all communication with The Standard confidential.
  • You represent the report is original to you and that if you submit a third-party report, you represent that you have the permission to do so.
  • You allow The Standard and its subsidiaries the unconditional ability to use, distribute or disclose information provided in your report.
  • You agree that The Standard, in its sole determination, may reward or recognize reports made in accordance with this Responsible Disclosure Program.

Our Expectations With Your Discovery

If you are considering submitting a vulnerability report, your values clearly align with ours here at The Standard. You know how critical security is and you want to protect consumer information. Understanding this shared perspective, we do not want you to take on or create unnecessary risk in order to discover a vulnerability. While we support acts taken in good faith to discover and report vulnerabilities, we expressly prohibit any of the following conduct:

  • Taking any action that will negatively affect The Standard, its subsidiaries or agents.
  • Retaining any personally identifiable information discovered, in any medium. Any personally identifiable information discovered must be permanently destroyed or deleted from your device and storage.
  • Disclosing any personally identifiable information discovered to any third party.
  • Destruction or corruption of data, information or infrastructure, including any attempt to do so.
  • Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for The Standard).
  • Any exploitation actions, including accessing or attempting to access The Standard data or information, beyond what is required for the initial “Proof of Vulnerability.” This means your actions to obtain and validate the Proof of Vulnerability must stop immediately after initial access to the data or a system.
  • Attacks on third-party services.
  • Denial of Service attacks or Distributed Denial of Services attacks.
  • Any attempt to gain physical access to The Standard property or data centers.
  • Use of assets that you do not own or are not authorized or licensed to use when discovering a vulnerability.
  • Violation of any laws or agreements in the course of discovering or reporting any vulnerability.

Out of Scope Vulnerabilities

The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:

  • Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit.
  • Third-party applications, websites or services that integrate with or link to The Standard.
  • Discovery of any in-use service (vulnerable third-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact.

The Standard reserves all of its rights, especially regarding vulnerability discoveries that are not in compliance with this program. Vulnerability investigations and discoveries made or reported in compliance with this program are considered compliant with The Standard’s online Terms of Use.

 

Legal

The Standard is a marketing name for Standard Insurance Company (Portland, Oregon), licensed in all states except New York, and The Standard Life Insurance Company of New York (White Plains, New York), licensed only in New York. Products and availability vary by state and are solely the responsibility of the applicable insurance company.

© 2020 StanCorp Financial Group, Inc.