Vulnerability Disclosure

Vulnerability disclosure program

ADP's philosophy on vulnerability disclosure

At ADP, protecting clients’ funds and their data has been, and always will be, a top priority. ADP values the work done by security researchers in improving the security of our products and service offerings. As a result, we encourage responsible reporting of any vulnerabilities that may be found in our site, products or applications. ADP is committed to working with security researchers to verify, reproduce and respond to potential vulnerabilities that are reported in accordance with the below requirements. If this policy and ADP’s procedures are followed, ADP pledges not to initiate legal action against researchers for penetrating or attempting to penetrate our systems, provided that the following conditions are met.

ADP’s Requirements
Please review these terms before you take any action to test an ADP system. For testing requiring authentication please contact your ADP account team.

While we encourage researchers to report to us any vulnerabilities in a responsible manner, ADP does not permit the following actions:

  • Sharing, disclosing or publicizing an unresolved vulnerability with or to third parties
  • Performing actions that may negatively affect ADP or its clients or otherwise impacting service availability, including spam, brute force, and/or denial of service
  • Accessing, or attempting to access, data or information that does not belong to you
  • Testing of participating services using anything other than test accounts
  • Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
  • Conducting any kind of physical or electronic attack on ADP personnel, property or data centers
  • Social engineering any ADP service desk, employee or contractor
  • Violating any laws or breaching any ADP Service Agreements in order to discover vulnerabilities

ADP’s Commitment to Researchers:
If you responsibly submit a vulnerability report, ADP will use reasonable efforts to:

  • Respond in a timely manner confirming that we received your report
  • Provide an estimated time frame for addressing the vulnerability report
  • Notify you when the vulnerability has been fixed

Reporting a potential security vulnerability:

  • We expect you to privately share details of the suspected vulnerability with ADP by sending an email to vulnerabilityreporting@ADP.com. By sending an email to vulnerabilityreporting@ADP.com you confirm that you are meeting ADP’s requirements of the ADP Vulnerability Disclosure Program.
  • Provide full details of the suspected vulnerability so the ADP security team may validate and reproduce the issue – please be sure as much detail as possible including the product tested, date, account names etc.

Reporting a suspicious email
If you would like to report a suspicious email to ADP, please send it to abuse@adp.com

Reporting suspected fraudulent activity
If you would like to report suspected fraudulent activity, please contact your client service representative.