ID.me takes security very seriously, and investigates all reported vulnerabilities. This page describes our practice for addressing potential vulnerabilities in any aspect of our services.
Reporting Suspected Vulnerabilities
If you suspect that an ID.me resource (such as our website, service, or mobile application) are being used for suspicious activity, you can report it by contacting us at: firstname.lastname@example.org
PGP encrypted email may be sent using the information below:
Director of Cybersecurity and Risk Management
So that we may more effectively respond to your report, please provide any supporting material (proof-of-concept code, tool output, etc.) that would be useful in helping us understand the nature and severity of the vulnerability.
The information you share with ID.me as part of this process is kept confidential. It will not be shared with third parties without your permission.
ID.me will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.