At Aon, we welcome contributions from security researchers. If you believe you’ve discovered a vulnerability, please submit a report. Our team will investigate and do our best to respond in a timely manner. To ensure all parties' expectations are met, please review the entirety of this policy before submitting a report. By making a submission or otherwise participating in this program, you acknowledge your agreement to the terms set forth below. We thank you in advance for your contributions to our vulnerability disclosure program.
Response Targets
Aon will make reasonable efforts to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA |
|---|---|
| First Response | 2 business days |
| Time to Triage | 10 business days |
| Time to Resolution | Depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
Program Rules
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
- Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Automated scanning or testing is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Scope
All internet-facing Aon assets
Out of scope vulnerabilities
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact. The following issues are considered out of scope:
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device
- Previously known vulnerable libraries without a working Proof of Concept
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Missing best practices in SSL/TLS configuration
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Bruteforce issues on non-authentication endpoints
- Issues relating to rate limiting
- Missing best practices in Content Security Policy
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors)
- Tabnabbing
- Open redirect - unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Issues relating to password strength or complexity
- Vulnerabilities or weaknesses in third party applications that integrate with Aon
Testing
When testing, you can make it easier for us to distinguish your testing traffic from our normal traffic and from malicious actors out in the world. Please do the following when participating in Aon’s VDP Program:
- Where possible, register accounts using your [email protected] addresses (see https://docs.hackerone.com/hackers/hacker-email-alias.html).
- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
- Include a custom HTTP header in all your traffic. Burp and other proxies make it easy to add a header to all outbound requests automatically. Tell us which header you set so we can identify your traffic easily.
  - Identifier: your HackerOne username
  - Format: X-Aon-VDP: HackerOne-<your HackerOne username>
  - Example: X-Aon-VDP: HackerOne-H4x0r
When testing for a bug, please also keep in mind:
- Only use authorized accounts so as not to inadvertently compromise the privacy of our users.
- When attempting to demonstrate root permissions with the following primitives in a vulnerable process, please use only the following commands:
  - Read: cat /proc/1/maps
  - Write: touch /root/
  - Execute: id, hostname, pwd (though, technically, cat and touch also prove execution)
- Do not use automated scanners/tools. Such tools include payloads that could trigger state changes or damage production systems or data (e.g., do not execute Burp active scans). Any traffic causing latency to our services has the potential to be blacklisted.
- Before causing damage or potential damage: stop, report what you've found, and request additional testing permission.
Coordinated Disclosure Requirements
Complying with our safe harbor policy requires researchers to adhere to a coordinated disclosure process. Coordinated disclosure requires that researchers abide by the following requirements:
- Share a detailed report that includes all information as it relates to the vulnerability
- Provide the Aon team with a reasonable amount of time to respond to details outlined in the report before providing any information to anyone other than Aon
- Do not access or modify our data or our users’ data without explicit permission. Only interact with your own accounts or test accounts for security research purposes
- Do not profit from or allow another party to profit from a vulnerability
- Do not defraud Aon or its customers in the process of participating in our program
- Act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including denial of service)
- If you inadvertently cause a privacy violation, or access, modify or destroy any user data, you must disclose this in your report
- Otherwise comply with all applicable laws
Legal Notice
You agree that by participating in this program and submitting information to Aon, you grant Aon and its affiliates and subsidiaries a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of this material.
Any activity which involves the intentional compromise of the privacy of our clients, customers or employees or the intentional disruption of the operation of our products, services, or information technology infrastructure may result in Aon taking action, including but not limited to bringing legal claims, against you.
We may collect information that could reasonably be used to identify you (e.g., IP address). Aon may use this information for several purposes, including to evaluate a reported vulnerability and protect Aon products, services, or information technology infrastructure.
Aon reserves the right to modify or terminate the program in its sole discretion, at any time and without prior notice.