VULNERABILITY DISCLOSURE PROGRAM

At Edelman Financial Engines, data privacy and security are top concerns. One of the many ways that we safeguard our client data is by empowering security researchers to safely identify and report potential vulnerabilities.

Our vulnerability disclosure program is designed to support security research and incentivize efforts for eligible contributions. We appreciate your research and ask that you follow the guidelines we set out to keep our client data safe while doing your research:

• You will not disrupt and/or degrade the quality and/or availability of our services
• You will not perform any social engineering, SPAM, or phishing attempts
• You will not compromise any system, application, or user account
• You will allow a reasonable amount of time to investigate and mitigate any finding(s) before publicly disclosing any information or sharing such information with others
• You will cooperate with internal resources as needed to mitigate finding(s)
• You are not in violation of any local, national, and/or international laws
• You are not participating from a country that the United States has issued export sanctions against or other trade restrictions upon
• Edelman Financial Engines reserves the right to terminate or discontinue the program at its discretion

REPORTING

If you believe that you have found a security vulnerability, we encourage you to notify us by sending an email with all relevant findings to security@edelmanfinancialengines.com.

Please include (at a minimum) the following details in your email:

• A description of the security risk
• Steps to reproduce the vulnerability
• Screenshots showing the “proof of concept”
• URL’s affected