ID.me takes security very seriously. This includes investigating all reported vulnerabilities.
All submissions must show a risk related to the integrity and/or confidentiality of our service.
All other submissions will not be accepted.
If you have identified a flaw in our website, service, or product, please send an email to firstname.lastname@example.org and include the following:
- Date and Time that the vulnerability was identified
- Detailed steps to recreate the exploit
Once the report has been submitted, ID.me will work to validate the identified issue. Regardless of the outcome, you will receive a reply that it has been noted and is being investigated. ID.me is committed to being responsive and will work with you as we progress through our internal processes.
In order to protect our customers, we request that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.