
Vulnerability Disclosure Program

Introduction

The Vulnerability Disclosure Program (VDP) was developed to partner with the security research community to help Consumers Energy Company (referred to throughout as ‘Consumers Energy’) enhance security through responsible disclosure of vulnerabilities affecting Consumers Energy owned web properties.

Services in Scope

Scope is limited to bugs in Consumers Energy developed apps (published in Google Play or in the Apple App Store), as well as company websites. In principle, any web service that handles reasonably sensitive user data is intended to be in scope. This includes most of the content in the following domains:

  • *.cmsenergy.com
  • *.consumersenergy.com
  • *.applianceserviceplan.com
  • *.cms-enterprises.com


Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of Consumers Energy or its user data is likely to be in scope for the program. Some examples include:
  • Authentication or authorization flaws
  • Cross-site request forgery
  • Cross-site scripting
  • Injection vulnerabilities
  • Server-side code execution
  • Significant Security Misconfiguration


Non-Qualifying Vulnerabilities

Depending on impact, some of the reported issues may not qualify for a disclosure reward. Some examples of low-risk issues that typically do not earn a monetary reward:
  • Third-party websites – Some Consumers Energy branded services may be hosted or operated by our vendors or partners. Consumers Energy is not authorized to permit testing of these systems on behalf of their owners and will not reward such disclosures
  • Bugs requiring unlikely user interaction – For example, a cross-site scripting flaw that requires the customer to manually type an XSS payload into an Outage Map and then double-click an error message may not qualify
  • Flaws affecting the users of out-of-date browsers and plugins – Vulnerabilities that affect only customers using outdated or unpatched browsers. In particular, we exclude Internet Explorer prior to version 11
  • Presence of banner or version information – Version information does not, by itself, expose the service to attacks. However, if outdated software is found and it poses a well-defined security risk, it may qualify
  • Email spoofing of Company domains – We are aware of the risk presented by spoofed messages and are taking steps to ensure that Consumers Energy email defenses can deal with such attacks
  • User enumeration – User enumeration on web applications is not within scope


Reward Amounts for Qualifying Vulnerabilities

Rewards for qualifying responsible disclosures range from $250 to $5,000, and are at Consumers Energy's discretion. The following table outlines the usual rewards for the most common classes of vulnerabilities.

Category | Examples | Approximate Reward Amount
Remote code execution | Command and/or code injection | $5,000
Unrestricted file system or database access | XXE/JSON, SQL injection | $2,000 - $2,500
Logic flaw or bypassing significant security controls | Direct object reference, remote user impersonation | $1,750 - $2,250
Execute code on the client | Web: Cross-site scripting; Mobile / Hardware: Code execution | $1,000 - $1,200
Other valid security vulnerabilities | Web: CSRF, Clickjacking; Other: Sensitive information disclosure (e.g. GitHub) | $250 - $1,000


Disclaimer

The following activities are expressly prohibited:
  • Downloading, copying, disclosing, destroying, altering, transferring, or using any proprietary or confidential Consumers Energy data or data belonging to Consumers Energy’s business partners, customers, employees, shareholders, or any other party directly or indirectly affiliated (collectively, Company Data);
  • Hacking, penetrating, or otherwise attempting to gain unauthorized access to applications, systems, or Company Data in violation of the Program Terms or applicable laws;
  • Engaging in any social engineering (e.g. phishing, vishing, smishing) or denial of service testing;
  • Mass creation of accounts to perform testing against applications and services;
  • Disrupting or otherwise adversely affecting Consumers Energy business, the operation of any applications or systems, or the use and protection of Company Data;
  • Extortion of any kind by asking for money or threatening disclosure of information.


Vulnerability Disclosure Program Legal Information

Consumers Energy will not issue disclosure payments to individuals who are on sanctions lists, or who are in countries on sanctions lists (e.g. Cuba, Iran, North Korea, Sudan and Syria). There may be additional restrictions on your ability to submit disclosed vulnerabilities depending upon applicable local laws where you live or work.

This program can be cancelled at any time, and the decision as to whether or not to pay a disclosure payment lies solely with Consumers Energy. Testing must not violate any law, or disrupt or compromise any data belonging to Consumers Energy.

Investigating and Reporting Vulnerabilities

Never attempt to access anyone else's data and do not engage in any activity that would be disruptive or damaging to Consumers Energy customers.

If you have found a vulnerability, please contact us at vulnerability_management@cmsenergy.com.

When contacting Consumers Energy, please provide concise steps to reproduce the vulnerability along with any pertinent detail that will assist our security team in validating and remediating the finding.