Responsible Disclosure

At BlackRock, we take cybersecurity seriously and value the contributions of the security community at large. The responsible disclosure of potential issues helps us ensure the security and privacy of our customers and their data.

If you believe you have identified a potential security issue, please send it to us in accordance with our Responsible Disclosure Guidelines and include the following information:

• A description of the issue and where it is located.

• A description of the steps required to reproduce the issue.

Responsible Disclosure Guidelines

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

• Do not engage in any activity that can cause harm to BlackRock, our customers, or our employees.

• Do not engage in any activity that can stop or degrade BlackRock services or assets.

• Do not initiate a fraudulent financial transaction.

• Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.

• Do not store, share, compromise or destroy BlackRock or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact BlackRock. This step protects any potentially vulnerable data, and you.

• No automated scanning or testing.

• Provide BlackRock reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.

By responsibly submitting your findings to BlackRock in accordance with these guidelines BlackRock agrees not to pursue legal action against you. BlackRock reserves all legal rights in the event of noncompliance with these guidelines.

Once a report is submitted, BlackRock commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Scope

We have listed the assets in scope for this program, however, if you have found a potential vulnerability (excluding the out of scope vulnerabilities listed below) on any product, system or asset you believe belongs to BlackRock, please submit it through this program as we would like to hear about it.

Out of Scope Vulnerabilities

Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:

• Physical testing

• Social engineering or phishing

• Denial of service attacks

• Resource Exhaustion Attacks

• Clickjacking on pages with no sensitive actions

• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

• Attacks requiring MITM or physical access to a user's device.

• Previously known vulnerable libraries without a working Proof of Concept.

• Missing best practices in SSL/TLS configuration.

• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

• Missing best practices in Content Security Policy.

• Missing HttpOnly or Secure flags on cookies

• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

• Open redirect - unless an additional security impact can be demonstrated

• Issues that require unlikely user interaction

Please also note that BlackRock employs third party vendors and some subdomains may be managed by third parties. Security issues found in third-party assets which are not managed by BlackRock are considered out of scope and should be reported to the affected party directly. When issues reported to the BlackRock program originate in a different vendor's service, BlackRock reserves the right to forward submissions to the affected party without further discussion. Please be sure to check our publicly published IP ranges and conduct all necessary due diligence to determine ownership of an asset prior to testing.