This policy is intended to give security researchers and other participants in
the security community clear
guidelines under the Equifax Vulnerability Disclosure Program for conducting vulnerability discovery activities
directed at web properties owned or operated by Equifax Inc., its affiliates, or subsidiaries (“Equifax”), and
submitting discovered vulnerabilities to Equifax. Your participation in the program is voluntary and subject to the terms and conditions set forth on this page. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy; you are subject to:
Maintaining the security of our networks is a priority at Equifax. The security community regularly makes valuable contributions to the security of organizations and Equifax recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in an Equifax system or web application, we want to hear from you!
Information submitted to Equifax under this program will be used for defensive
purposes – to mitigate or
remediate vulnerabilities in our networks or applications, or the applications of our vendors.
As part of this program, you must review, understand, and agree to the
following terms and conditions before
conducting any testing of Equifax networks and before submitting a report. Thank you.
Any public-facing system owned, operated, or controlled by Equifax, including web applications hosted on those sites.
Please provide a detailed summary of the vulnerability, including:
Type of issue
Configuration of software containing the bug
Step-by-step instructions to reproduce the issue, and if applicable, to remediate it
*Impact of the issue
By clicking “Submit report” you are indicating that you have read, understand,
and agree to the terms and
conditions described in this Policy for the conduct of security research and disclosure of vulnerabilities or
indicators of vulnerabilities related to Equifax information systems, and consent to having the contents of the
communication and follow-up communications stored on an Equifax information system in the United States.
Equifax remains committed to coordinating with you as openly and quickly as possible under the circumstances. We will aim to respond to new reports within five business days. We will investigate reports based on information available and may contact you for further information. Please note, reports marked as triaged are subject to change pending our team’s final analysis. We’ll try to keep you informed about our progress throughout the process.
Equifax does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
To the extent that any security research or vulnerability disclosure activity
involves the networks, systems,
information, applications, products, or services of a non-Equifax entity (e.g., Federal departments or agencies;
State, local, or tribal governments; other private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-Equifax third party may independently determine whether to pursue legal action or remedies related to such activities.
By submitting a report to Equifax, you grant to Equifax Inc., its subsidiaries
and its affiliates, a perpetual,
irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of
information or material submitted. You must notify us if any part of your report is not your own work or is the
intellectual property of a third-party.
Equifax may modify the terms of this policy or terminate the policy at any time.