Vulnerability Disclosure Program Policy

Great American Insurance Group

Please note this program does not provide monetary rewards for bug submissions. This

program is designed for responsible disclosure purposes only.

Introduction

Great American Insurance Group (“GAIG”, “us” or “we”) is committed to ensuring the

confidentiality, integrity, and availability of our customers’ data. This policy is intended to give

security researchers clear guidelines for conducting vulnerability discovery activities and to

convey our preferences in how to submit discovered vulnerabilities to us (“Vulnerability

Disclosure Program”).

This policy describes what systems and types of research are included in the Vulnerability

Disclosure Program and the method for submitting vulnerability reports to us.

We encourage you to reach out to us to report potential vulnerabilities in our systems.

Guidelines

Under this policy, “research” means activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue.

• Make every effort to avoid privacy violations, degradation of user experience, disruption

to production systems, and destruction or manipulation of data.

• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not

use an exploit to compromise or exfiltrate data, establish persistent command line

access, or use the exploit to pivot to other systems.

• Provide us with a reasonable amount of time to resolve the issue before you disclose it

publicly.

• Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encountered any sensitive data (including

personally identifiable information, financial information, proprietary information or trade

secrets of any party), you must stop your research, notify us immediately, and not disclose

this data to anyone else.

Scope

This policy applies only to the following systems and services:

• www.greatamericaninsurancegroup.com

Any system or service not expressly listed above, such as any connected services, are

specifically excluded from scope and are not authorized for research. Additionally,

vulnerabilities found in systems from our vendors fall outside of the scope of this policy and

should be reported directly to the relevant vendor according to their disclosure policy (if any). If

you do not know whether a system or service is in scope of this policy, contact us at

vulnerability@gaig.com before starting your research.

Research methods

The following research methods are not authorized:

• Network denial of service (DoS or DDoS) tests or other tests that impair access to or

damage a system or data;

• Large-scale vulnerability scanners, crawlers, or automated toolsets that produce

excessive amounts of traffic;

• Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g.

phishing, vishing), or any other non-technical vulnerability testing

Reporting a vulnerability

We accept vulnerability reports at vulnerability@gaig.com. Reports may be submitted

anonymously. If you share contact information, we will acknowledge receipt of your report

within 3 business days.

By submitting a vulnerability, you acknowledge that you have no expectation of payment and

that you expressly waive any future payment or any other claims against Great American

Insurance Group related to your research or submission.

What we expect from you:

In order to help us triage and prioritize submissions, we recommend that your reports:

• Describe the type of potential vulnerability you have discovered. Name and CVE or CWE

would be sufficient.

• Describe the location the vulnerability was discovered and the potential impact of

exploitation.

• Offer a detailed description of the steps needed to reproduce the vulnerability (proof of

concept scripts or screenshots are helpful).

What you can expect from us:

When you choose to share your contact information with us, we commit to coordinating with

you as quickly as possible.

• Within 5-7 business days, we will acknowledge that your report has been received.

• To the best of our ability, we will confirm the existence of the vulnerability to you and

be as transparent as possible about what steps we are taking during the remediation

process, including issues or challenges that may delay resolution.

• We will maintain an open dialogue to discuss issues.

Out of Scope Vulnerabilities

• Unvalidated reports from automated scanning tools

• Any activity that could lead to the disruption of our service (DoS)

• Clickjacking on pages with no sensitive state changing actions

• Previously known vulnerable libraries without a working PoC

• Reports of insecure SSL / TLS ciphers without a working PoC

• Software library version disclosure

• Issues requiring physical access to hardware

• Any physical attempt against Great American Insurance Group property or facilities

• Flaws affecting out-of-date browsers and plugins

• Password complexity requirements, account/e-mail enumeration, or any report that

discusses how you can learn whether a given username or email address has a Great

American Insurance Group-related account

• CSP Policy Weaknesses that cannot be escalated into another vulnerability

• Email Spoofing

• Content spoofing and text injection issues without showing an attack vector/without

being able to modify HTML/CSS

• Missing security-related HTTP headers which do not lead directly to a vulnerability

• Presence of autocomplete attribute on web forms

• Missing secure cookie flags on non-sensitive cookies

• Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin: * or accepting of

custom Origin header that do not specifically show a valid attack scenario.

• IP Address Disclosure

• Descriptive error messages (e.g. Stack Traces, application or server errors) that have no

security implications.

• Email configuration issues (SPF, DKIM, DMARC)

• OPTIONS HTTP method enabled

• Web Application Firewall Bypassing

Questions

Questions regarding this policy may be sent to vulnerability@gaig.com. We also invite you to

Safe Harbor

Any research conducted in accordance with this policy will be considered “authorized conduct”

and we will not initiate legal action against you for such authorized conduct. If we are notified

that legal action has been initiated by a third party against you in connection with authorized

conduct, we will advise the third party that your research was conducted in accordance with

this policy, but we will not indemnify you.

Changes to this Vulnerability Disclosure Program Policy

This Vulnerability Disclosure Program Policy may be changed from time to time. We will post

any changes. The date noted on the policy indicates when it was revised.

Document Change History

Version

Date

Description

1.0

March 2024

First edition.