A business person using Paychex Flex

Responsible Disclosure

Integrity is one of the core values at Paychex. As such, the security of our systems, applications, and data is paramount. If you believe you have discovered a vulnerability, we appreciate your help in disclosing it to our Enterprise Data Security team in accordance with this Responsible Disclosure Policy.

If you believe an unauthorized party has accessed your account or information, please contact us immediately.

Report a vulnerability

Our Policy

Paychex encourages researchers to share with our team the details of any suspected vulnerability by submitting the form below. By clicking "Report Vulnerability", you acknowledge you have read, understand, and agree to the guidelines described in this policy for the conduct of security research and disclosure of potential vulnerabilities. Paychex will not take legal action against individuals who discover and report vulnerabilities provided they adhere to these guidelines.

Any information you receive or collect about Paychex, its clients, or their employees during the discovery of a suspected vulnerability must be kept confidential and only used in connection with the Responsible Disclosure Policy. You may not use, disclose, or distribute any such confidential information, including, but not limited to, information regarding your submission and information you obtain when researching Paychex sites, without prior written consent from Paychex.

While we encourage you to report any vulnerabilities you find in a responsible manner, the following conduct is expressly prohibited:

  • Executing, or attempting to execute, a Denial of Service (DoS) attack against any product or website;
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software or ransomware;
  • Any act of cyber extortion, including threatening the availability of Paychex data or Paychex client data unless a payment is received;
  • Social engineering of any Paychex employee, contractor, client, or prospective client including but not limited to phishing and any testing that would result in unsolicited email, spam, or messages;
  • Unapproved vulnerability or penetration testing;
  • Selling, bartering, or otherwise benefitting from a vulnerability or data that does not belong to you;
  • Downloading, exfiltrating, copying, or otherwise retaining Paychex data or Paychex client data that does not belong to you;
    • Please note that if data that does not belong to you is uncovered as the result of a vulnerability, it must be removed from unapproved systems and further attempts to exploit it must be ceased immediately.  
  • Deliberately destroying, corrupting, or modifying, or attempting to destroy, corrupt or modify data or information that does not belong to you;
  • Violating any applicable international, federal, state, and/or local laws or any applicable agreements
Working on a computer

Paychex commits to the following:

Working with you to understand and validate the suspected vulnerability (a valid email or claim form must be provided).

Addressing the vulnerability, if deemed appropriate by Paychex, in a timeframe to be determined by Paychex.

Paychex has partnered with Bugcrowd for the administration of this form. Responses and communication regarding submissions may come from Bugcrowd. This Responsible Disclosure program does not include monetary award or bounty.