Introduction
As part of Corebridge Financial’s information security program, we work with the global security research community to identify potential vulnerabilities in our information systems using a Vulnerability Disclosure Program (VDP) operated in partnership with HackerOne. The Corebridge VDP is described below, including program guidelines and our process for receiving and handling vulnerability reports submitted to HackerOne, which is the only allowable means for external security researchers to submit vulnerability reports.
Scope
This VDP applies to all Corebridge Financial products, services, data, information systems and infrastructure, and is subject to the guidelines outlined here and provided by HackerOne.
VDP Process and Reporting Vulnerabilities
To participate in the Corebridge VDP and report a vulnerability, please follow these steps:
- Review the Corebridge VDP Guidelines: Participation in the Corebridge VDP is your agreement to comply with the Corebridge VDP Guidelines. These Guidelines are also available through HackerOne.
- Create a HackerOne account: If you don't already have one, create a free account at Corebridge HackerOne.
- Submit a report: Once you've created an account, submit a detailed report using HackerOne's reporting interface or using the form at the bottom of this page, providing as much detail as possible. Be sure to include:
- A clear, concise description that includes all relevant details
- Adequate information and steps required to locate and replicate the vulnerability
- Any potential impact or risks involved in testing or caused by the vulnerability
- Any relevant evidence or proof-of-concept code
Responsible Disclosure Practices
We expect researchers to adhere to the following responsible disclosure practices:
- Do not exploit vulnerabilities in a way that could cause harm or disruption.
- Do not disclose vulnerabilities publicly before we have had a reasonable opportunity to address them.
- Respect our privacy and intellectual property rights.
- Coordinate with us through HackerOne to ensure a smooth and efficient disclosure process.
- Do not take advantage of the vulnerability or problem you have discovered. For example, do not download more data than necessary to demonstrate the vulnerability, and do not delete or modify other people's data.
- Do not reveal the problem to others until it has been resolved. We ask that you refrain from disclosing this issue to third-parties or the public while we work toward resolution because disclosure may increase the potential risks associated with the vulnerability.
- Do not attack physical security, use social engineering, perform distributed denial of service attacks, send spam, or test third-party applications.
- Provide sufficient information for Corebridge to reproduce the problem if needed. Usually, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but complex vulnerabilities may require further explanation.
- Allow a reasonable amount of time for us to respond once an issue is submitted. Initial responses are typically sent within one business day; time to resolution depends on severity and complexity.
- Corebridge may choose not to contact or otherwise interact with reporters who decline to identify themselves when making the report, or who do not otherwise follow our documented process and guidelines.
Compliance with Laws, Terms of Use and Prohibited Activities
Corebridge Financial does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity or in any activity that violates the applicable Corebridge Financial Terms of Use. Therefore, any party researching vulnerabilities under this Policy must do the following:
- Comply with all applicable laws relevant to security research activities. If you engage in any activities that are inconsistent with this Program, you may be subject to criminal and/or civil liabilities.
- Do Not:
- Access, acquire, remove, download, or modify data residing in an account that does not belong to you;
- Destroy or corrupt, or attempt to destroy or corrupt, data or information that does not belong to you;
- Execute or attempt to execute any “Denial of Service” attack;
- Post, transmit, upload, link to, send, or store any malicious software;
- Test in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages or degrade the operation of any Corebridge assets;
- Test third-party applications, websites, or services that integrate with or link to Corebridge; or
- Exploit any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists.
If you have found a potential vulnerability (excluding the out of scope vulnerability classes listed below) on any system or asset that you believe belongs to Corebridge, we request that you please submit it through this program.
Out of Scope Vulnerabilities and Attacks
The following vulnerability classes and attacks are out of scope for the Corebridge VDP and are prohibited:
- Physical Testing
- Social Engineering
- Phishing
- Denial of Service Attacks
- Resource Exhaustion Attacks
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or the ability to modify HTML/CSS
- Rate limiting or brute-force issues on non-authentication endpoints
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers (we consider a browser current if it is less than two stable versions behind the latest released stable version)
- Software version disclosure / banner identification issues / descriptive error messages or headers
- Tabnabbing
- Issues that require unlikely user interaction
Vulnerability Reporting
When reporting potential vulnerabilities, please use the following form: HackerOne