The Vulnerability Disclosure Program (VDP) was developed to partner with the security research community to help Consumers Energy Company (referred to throughout as ‘Consumers Energy’) enhance security through responsible disclosure of vulnerabilities affecting Consumers Energy owned web properties.
Services in Scope
Scope is limited to bugs in Consumers Energy developed apps (published in Google Play or in the Apple App Store), as well as company websites. In principle, any web service that handles reasonably sensitive user data is intended to be in scope. This includes most of the content in the following domains:
Any design or implementation issue that substantially affects the confidentiality or integrity of Consumers Energy or its user data is likely to be in scope for the program. Some examples include:
- Authentication or authorization flaws
- Cross-site request forgery
- Cross-site scripting
- Injection vulnerabilities
- Server-side code execution
- Significant Security Misconfiguration
Depending on impact, some of the reported issues may not qualify for a disclosure reward. Some examples of low-risk issues that typically do not earn a monetary reward:
- Third-party websites – Some Consumers Energy branded services may be hosted and operated by our vendors or partners. Consumers Energy cannot authorize testing of these systems on behalf of their owners and will not reward such disclosures
- Bugs requiring unlikely user interaction – For example, a cross-site scripting flaw that requires the customer to manually type an XSS payload into an Outage Map and then double-click an error message may not qualify
- Flaws affecting the users of out-of-date browsers and plugins – Vulnerabilities that affect customers of outdated or unpatched browsers. In particular, we exclude Internet Explorer prior to version 11
- Presence of banner or version information – Version information does not, by itself, expose the service to attacks. However, if outdated software is found and it poses a well-defined security risk, it may qualify
- Email spoofing of Company domains – We are aware of the risk presented by spoofed messages and are taking steps to ensure that Consumers Energy email defenses can deal with such attacks
- User enumeration – User enumeration on web applications is not within scope
Reward Amounts for Qualifying Vulnerabilities
Rewards for qualifying responsible disclosures range from $250 to $5,000, and are at Consumers Energy's discretion. The following table outlines the usual rewards for the most common classes of vulnerabilities.
| Vulnerability class | Examples | Approximate Reward Amount |
|---|---|---|
| Remote code execution | Command and/or code injection | $2000 - $2500 |
| Unrestricted file system or database access | XXE/JSON, SQL injection | $2000 - $2500 |
| Logic flaw or bypassing significant security controls | Direct object reference, remote user impersonation | $1750 - $2250 |
| Execute code on the client | Web: Cross-site scripting; Mobile / Hardware: Code execution | $1000 - $1200 |
| Other valid security vulnerabilities | Web: CSRF, Clickjacking; Other: Sensitive information disclosure (Ex. GitHub, etc.) | $250 - $1000 |
Vulnerability Disclosure Program Legal Information
The following activities are expressly prohibited:
- Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Consumers Energy data or data belonging to Consumers Energy’s business partners, customers, employees, shareholders, or any other party directly or indirectly affiliated (collectively, Company Data);
- Hacking, penetrating, or otherwise attempting to gain unauthorized access to applications, systems, or Company Data in violation of the Program Terms or applicable laws;
- Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;
- Mass creation of accounts to perform testing against applications and services;
- Disrupting or otherwise adversely affecting Consumers Energy business, the operation of any applications or systems, or the use and protection of Company Data;
- Extortion of any kind by asking for money or threatening disclosure of information.
Consumers Energy will not issue disclosure payments to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. There may be additional restrictions on your ability to submit disclosed vulnerabilities depending upon applicable local laws where you live or work.
This program can be cancelled at any time and the decision as to whether or not to pay a disclosure payment lies solely with Consumers Energy. Testing must not violate any law, or disrupt or compromise any data belonging to Consumers Energy.
Investigating and Reporting Vulnerabilities
Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to Consumers Energy customers.
If you have found a vulnerability, please contact us at firstname.lastname@example.org
When contacting Consumers Energy please provide concise steps to reproduce the vulnerability along with any pertinent detail that will assist our security team in validating and remediating the finding.