Report an issue to our security partners
About Us
At H&R Block, we’re committed to living our purpose — to provide help and inspire confidence in our clients and communities everywhere. We’ve been true to that purpose since brothers Henry and Richard Bloch founded our company in 1955.
Overview
Vulnerability disclosure is the act of initially providing vulnerability information to a party that was not believed to be previously aware. The individual or organization that performs this act is called the reporter or security researcher. This Vulnerability Disclosure Policy (VDP) describes the activities that can be undertaken by security researchers to find and report vulnerabilities in internet-accessible systems and services associated with H&R Block in a legally authorized manner. This policy is effective as of April 1, 2022.
Scope
All internet-accessible, public facing systems or services of H&R Block are covered within the scope of this VDP.
Program Guidelines
Under the VDP, “research” activities require that:
- Security researchers provide detailed reports in accordance with the guidelines referenced in the “Reporting a Vulnerability” section below.
- Security researchers make every effort to protect personal information, avoid degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Security researchers must only use exploits to the extent necessary to confirm a vulnerability’s presence. Security researchers must not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Security researchers provide H&R Block a reasonable amount of time (90 calendar days) to resolve the issue before requesting permission to disclose it publicly.
- Security researchers submit high-quality reports.
What Security Researchers Should Expect from H&R Block
- H&R Block commits to coordinating with security researchers as openly and as quickly as possible.
- H&R Block will acknowledge that a report has been received within three (3) business days.
- H&R Block will acknowledge that a report has been triaged within five (5) business days.
- H&R Block will, to the best of its ability, confirm the existence of the vulnerability to the security researcher and be transparent about what steps are being taken during the remediation process.
- H&R Block will maintain an open dialogue to discuss issues.
Testing Methods
Security researchers must not:
- Test any system other than the systems set forth in the ‘Scope’ section above.
- Engage in physical testing of facilities or resources.
- Engage in social engineering.
- Send unsolicited electronic mail to H&R Block users, including “phishing” messages.
- Disclose any PII found to any third party.
- Execute or attempt to execute “Denial-of-Service (DoS)”, Distributed Denial-of-Service (DDoS) or “Resource Exhaustion” attacks.
- Introduce malicious software.
- Test in a manner which could degrade the operation of H&R Block systems.
- Intentionally impair, disrupt, or disable H&R Block systems.
- Test third-party internet-accessible systems or services that integrate with or link to or from H&R Block systems.
- Delete, alter, share, retain, or destroy H&R Block data, or render H&R Block data inaccessible.
- Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on H&R Block systems, or “pivot” to other H&R Block systems.
Security researchers should:
- Terminate testing and notify H&R Block immediately upon discovery of a vulnerability.
- Terminate testing and notify H&R Block immediately upon discovery of an exposure of nonpublic data.
Reporting a Vulnerability
Security researchers’ reports are accepted here. Submissions must include:
- A detailed description of the vulnerability found by the security researcher.
- Identification of the vulnerability’s location and the potential impact.
- Technical information needed to reproduce the vulnerability (Scripts or exploit code should be embedded into non-executable file types).
Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability. Images, e.g., screen captures, and other documents may be attached to reports. It is helpful to give attachments illustrative names. Reports may include proof-of-concept code or screenshots that demonstrate exploitation of the vulnerability.
By submitting a report to H&R Block, security researchers represent that, to the best of their knowledge, the report and any attachments do not violate the intellectual property rights of any third party or H&R Block.
Security researchers may submit reports anonymously or security researchers may provide contact information, and any preferred methods or times of day to communicate, as they see fit. H&R Block may contact security researchers to clarify reported vulnerability information or other technical interchange.
Disclosure Policy
H&R Block is committed to the timely correction of vulnerabilities. However, it is recognized that the public disclosure of a vulnerability in the absence of a readily available corrective action likely increases risk rather than decreases risk. Accordingly, H&R Block requests that security researchers refrain from sharing information about discovered vulnerabilities for ninety (90) calendar days after receiving an acknowledgement of receipt for the vulnerability as well as explicit permission from H&R Block to publicize.
If a security researcher believes others should be informed of the vulnerability prior to the implementation of corrective actions, H&R Block requires advanced coordination with the security researcher. H&R Block pledges to be as transparent as possible with security researchers about what steps are being taken during the remediation process to address the vulnerabilities brought to H&R Block’s attention.
Recognition and Rewards
There will be no cash rewards offered. Security researchers will not and do not receive any compensation from H&R Block for the submission of vulnerabilities and by submitting vulnerabilities, security researchers waive any claims to compensation of any kind now or at any later date.
Legal Exposure
For those security research activities conducted in accordance with the restrictions and guidelines set in this policy, and that H&R Block concludes represents a good faith effort to follow this policy, H&R Block will deem such activities authorized and (1) will not recommend or pursue legal action, and (2) in the event of legal action initiated by a third party against you, H&R Block will make its authorization of your research findings known.
Thank you for helping to keep H&R Block and its customers safe!