Vulnerability Report

Rules of Engagement

Please review these terms before you take any action to test an ADP system. Unauthorized penetration testing of ADP systems is prohibited. For testing that requires authentication, please contact your ADP account team.

While we encourage researchers to report any potential vulnerabilities or incidental discoveries to us in a responsible manner, ADP does not permit the following actions:

  • Performing actions that may negatively affect ADP or its clients, or otherwise which may adversely impact service availability, including brute force, denial of service, and/or spam.
  • Destroying or corrupting, or attempting to destroy or corrupt, or otherwise adversely impact data or information that does not belong to you
  • Accessing, or attempting to access, data or information that does not belong to you
  • Sharing, disclosing or publicizing one or more unresolved vulnerabilities with or to third parties
  • Testing of participating services using anything other than test accounts
  • Conducting any physical or electronic attack on ADP personnel, property (intellectual or tangible) or data centers
  • Social engineering any ADP service desk, employee or contractor or any other person or system that connects, directly or indirectly to ADP
  • Violating any law or breaching any ADP Service Agreements in order to detect or discover potential vulnerabilities
  • Using the credentials of any individual which do not belong to you to access ADP's systems directly or indirectly
  • Using legitimate credentials to log onto ADP's systems directly or indirectly and then using third-party tools not authorized by ADP to detect vulnerabilities without ADP's express written consent

ADP’s Commitment to Researchers:

If you responsibly submit a vulnerability report without violating the above, ADP will use reasonable efforts to respond in a timely manner based on our then-available resources. Because ADP respects researchers' time and effort, we want to note that our vulnerability reporting process is not a paid program. It does not include compensation or public recognition. By submitting a vulnerability report, you are agreeing to the rules of engagement above.

Code cannot be submitted in the form below. ADP will reach out to you for more detailed information if necessary.

Vulnerability Disclosure Information

Do you work for an ADP client, or have you previously?
Have you told your employer about this issue?

Your privacy is assured.