Policy Effective as of November 15, 2019

Responsible Disclosure Policy

The security and privacy of clients' confidential information are important to Northwestern Mutual. The company takes its responsibility to protect this information seriously and uses technical, administrative, and physical controls to safeguard its data. How can you help Northwestern Mutual enhance the security of our digital experience?

We want to hear from security researchers (“You” or “Your”) who have information related to suspected security vulnerabilities (“Vulnerability” or “Vulnerabilities”) of any Northwestern Mutual services exposed to the internet. We value Your work and are committed to working with You. Please report Vulnerabilities to us in accordance with this Responsible Disclosure Policy (“Policy”). Thank you in advance for Your contribution.

Reporting a Vulnerability

Please email Your Vulnerability to security@northwesternmutual.com. Please use our PGP key for secure reporting. The report should include sufficient information to permit us to validate and reproduce the issue, including:

• The service affected, such as the URL, IP address, or product version
• A detailed description of the Vulnerability
• A description of how the Vulnerability was discovered (including tools that were used) or what steps You were taking when You encountered the Vulnerability
• A description of the impact of the Vulnerability and likely attack scenario
• Proof of concept (PoC) code, if applicable. Alternatively, please supply reproduction instruction demonstrating how the Vulnerability might be exploited
• OPTIONAL: Ideally, a suggested patch or remediation action if You are aware of how to fix the Vulnerability, if available

If You identify a Vulnerability in accordance with this Policy, Northwestern Mutual commits to working with You to understand, validate, and address the Vulnerability appropriately per the assessed risk.

By submitting Your report to Northwestern Mutual:

• You agree not to publicly disclose the Vulnerability until Northwestern Mutual agrees to a public disclosure
• You agree to keep all communication with Northwestern Mutual confidential
• You represent the report is original to You and that You did not copy the report or any part of it from another third party
• You allow Northwestern Mutual and its subsidiaries the unconditional ability to use, distribute, and/or disclose information provided in Your report

Northwestern Mutual,in its sole determination, may reward and/or recognize reports made in accordance with this Responsible Disclosure policy.

Our Expectations with Your Discovery

If You are considering submitting a Vulnerability report, Your values clearly align with ours here at Northwestern Mutual. You know how critical security is and You want to protect consumer information. Understanding this shared perspective, we do not want You to take on or create unnecessary risk in order to discover a Vulnerability.

While we support acts taken in good faith to discover and report vulnerabilities, we expressly prohibit any of the following conduct:

• Taking any action that will negatively affect Northwestern Mutual, its subsidiaries or agents
• Destruction or corruption of data, information or infrastructure, including any attempts to do so
• Discovery dependent on social engineering techniques of any kind (any verbal or written interaction with anyone affiliated with or working for Northwestern Mutual) is strictly prohibited
• Any exploitation actions, including accessing or attempting to access Northwestern Mutual data or information, beyond what is required for the initial “Proof of Vulnerability”. For the avoidance of doubt, this means your actions to obtain and then evidence the Proof of Vulnerability must stop immediately after initial access to data or a system.
• Attacks on third-party services
• Denial of Service attacks (DoS) or Distributed Denial of Services (DDoS) attacks
• Any attempt to gain physical access to Northwestern Mutual property or data centers is strictly prohibited
• Use of assets that You do not own or are not authorized or licensed to use when discovering a Vulnerability
• Violation of any laws or agreements in the course of discovering or reporting any Vulnerability

Out of Scope Vulnerabilities

The following vulnerabilities are considered out of scope for our Responsible Disclosure Program:

• Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit
• Third-party applications, websites, or services that integrate with or link to Northwestern Mutual
• Discovery of any in-use service (vulnerable 3rd-party code, for example) whose running version includes known vulnerabilities without demonstrating an existing security impact

Northwestern Mutual reserves all of its rights, including but not limited to, related to Vulnerability discovery that are not in compliance with this Policy.

Security Researcher Hall of Fame

Northwestern Mutual thanks all those who help us secure and protect consumer data. The following individuals/organizations are recognized for responsibly disclosing valid security Vulnerabilities to us:

• Rutik Sangle