Responsible Security Disclosure Program
As a global insurance company with operations in more than 80 countries, American International Group, Inc. (AIG) recognizes that threats to our corporate environment and customer information are ever present. We value the important role security researchers play in helping us protect our businesses’ and customers’ information.
If you have information about possible security concerns in any AIG product, service, or domain, please use this form to submit a report. By submitting a report, you agree not to disclose vulnerability details to anyone other than AIG and HackerOne (including, but not limited to, via Hacktivity or any other channel).
We may modify this policy or terminate this program at any time.
Program Eligibility
- You represent you are not located in or a resident of a country under United States sanctions, nor a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.
- You acknowledge that a current or former employee, consultant, or agent of AIG may not qualify for our program.
- You consent to your information being stored and transferred to the United States if you are outside of the United States and to HackerOne sharing your personal information with us.
- You agree that any AIG information that you may encounter, view, acquire, or access, is owned by AIG or its customers, clients, or third-party providers. You agree you have no rights, title, or ownership in any such information.
- You agree that your research will be conducted for testing and research purposes only, and that you will not attempt to gain access to customer or user accounts or confidential information (including sensitive personal information) and will only interact with accounts you own.
- You understand that nothing in this policy, including submission of a report, shall be deemed to constitute the grant to you of any license or other right to or in respect of any AIG or third-party product, service, patent, trademark, trade secret, or other intellectual property.
- You hereby grant AIG a perpetual, worldwide, exclusive, fully-paid-up license to sublicense, copy, distribute, display, perform, transmit, and publish the report.
Requirements
- Your report must meet all of HackerOne’s Vulnerability Disclosure Guidelines, Code of Conduct, Finder Terms and Conditions and other referenced documentation.
- Submit one vulnerability per underlying issue.
- Provide detailed reports with reproducible steps.
- Comply with applicable federal, state, local, and international laws in connection with your participation in this vulnerability disclosure program.
- Avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Do not test the physical security of AIG property.
Creating Accounts for Vulnerability Research
**Please include the header `X-Hackerone: <h1_username>` in your requests when you test so we can identify them.** You can create a match-and-replace proxy rule in Burp by going to Proxy >> Options >> Match and Replace with the following options:
- Type: Request header
- Match: `^User-Agent.*$`
- Replace: `User-Agent: aigrdpresearcheryourh1username`
Scope
**Domains owned by AIG are in scope. These domains will identify the Registrant Organization, Admin Organization, or Tech Organization as “American International Group, Inc” or “American International Group Data Center, Inc. (AIGDC).” Domains owned by AIG but hosted by a third party are out of scope. Not sure what’s in scope? Send an email to [email protected].**
- Submissions related to Travel Guard will no longer be accepted due to the recent divestiture. Ref: Press Release.
If a submission related to Travel Guard is received, the AIG team will notify the researcher to self-close the report as appropriate.
We reserve the right to determine whether to accept a report. For example, we may not accept:
- A report on a vulnerability with little security impact or exploitability or resulting from a violation of the program guidelines
- A vulnerability outside our control, or one discoverable through automated scans (e.g. Acunetix, Nessus, or Qualys) that has not been verified manually
Vulnerabilities typically in scope include items from the OWASP Top 10 and vulnerabilities with a confirmed security impact.
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. These include:
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep AIG safe!