
Corebridge Financial
External Program
Submit bugs directly to this organization


Corebridge Financial is proactively advancing our security to identify new threats and help ensure the safety of customer accounts and information.
We value the important role the security community plays in helping us mitigate information security risk, and we therefore engage the security community and value the time researchers invest in bringing these issues to our attention.
If you have information about possible security vulnerabilities in any Corebridge Financial product or service, please submit a report using these guidelines.
Your report must meet all of HackerOne's Vulnerability Disclosure Guidelines.
When reporting vulnerabilities, consider (1) the attack scenario or exploitability, and (2) the security impact of the bug.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
Provide details with reproducible steps in your report.
Comply with applicable federal, state, local, and international laws in connection with your participation in this vulnerability disclosure program.
We may modify the terms of this policy or terminate the policy at any time.
You agree not to disclose vulnerability details to anyone other than Corebridge Financial or HackerOne without Corebridge Financial written permission.
You represent you are not located in or a resident of a country under United States sanctions, nor a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.
You consent to your information being stored and transferred to the United States and acknowledge you have read and accepted the terms of this policy and HackerOne's Vulnerability Disclosure Guidelines.
You agree that any Corebridge Financial information that you may encounter, view, acquire, or access, is owned by Corebridge Financial or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information.
You agree that your research will be conducted for testing and research purposes only, and that you will not attempt to gain access to customer or user accounts or confidential information and will only interact with accounts you own.
You agree that if you unintentionally access a customer or user account that you do not own, you will disconnect from the account, notify Corebridge and HackerOne immediately, and document your discovery.
You understand that nothing in this agreement, including submission of a report, shall be deemed to constitute the grant to you of any license or other right to or in respect of any Corebridge Financial or third-party product, service, patent, trademark, trade secret, or other intellectual property.
You hereby grant Corebridge Financial a perpetual, worldwide, exclusive, fully-paid-up license to sublicense, copy, distribute, display, perform, transmit, and publish the report.
Type: Request header
Match: ^User-Agent.*$
Replace: User-Agent: corebridgevdpresearcheryourh1username
Domains where Corebridge Financial is listed as the Registrant Organization, Admin Organization, or Tech Organization are in scope. Domains maintained by third parties other than Corebridge Financial are not in scope for this program. Not sure what's in scope? Send an email to [email protected].
Registrant Name: Domain Administrator
Registrant Organization: Corebridge Financial, Inc.
Registrant Street: 2919 Allen Parkway, Woodson Tower
Registrant City: Houston
Registrant State/Province: TX
Registrant Postal Code: 77019
Registrant Country: US
Registrant Phone: +1.8773752422
Registrant Email: [email protected]
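The scope rule above can be applied mechanically to WHOIS output. The following is an added example, not part of the program policy: it parses a "Field: value" WHOIS record like the one quoted above and reports which of the three organization fields (Registrant, Admin, Tech) name Corebridge Financial. The sample record is constructed, the redacted email is a placeholder, and the organization match is a case-insensitive substring test (an assumption, since the policy does not define how the name is compared).

```python
import re

# Constructed sample WHOIS output in the same "Field: value" layout as the
# record quoted in the policy; the registrant email is a placeholder.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-IN-SCOPE.COM
Registrant Name: Domain Administrator
Registrant Organization: Corebridge Financial, Inc.
Registrant City: Houston
Registrant State/Province: TX
Registrant Country: US
Registrant Email: [REDACTED]
Admin Organization: Corebridge Financial, Inc.
Tech Organization: Some Managed DNS Provider LLC
"""

# The three WHOIS contact roles the policy names as the scope test.
SCOPE_FIELDS = ("Registrant Organization", "Admin Organization", "Tech Organization")
IN_SCOPE_ORG = "corebridge financial"  # matched case-insensitively (assumption)


def parse_whois(text: str) -> dict:
    """Parse 'Field: value' lines into a dict; a repeated field keeps the last value."""
    record = {}
    for line in text.splitlines():
        # Field names may contain spaces and '/', e.g. "Registrant State/Province";
        # the non-greedy group stops at the first colon so URL values stay intact.
        m = re.match(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$", line)
        if m:
            record[m.group(1).strip()] = m.group(2)
    return record


def scope_matches(record: dict) -> list:
    """Return the contact roles whose organization names Corebridge Financial."""
    return [
        field for field in SCOPE_FIELDS
        if IN_SCOPE_ORG in record.get(field, "").casefold()
    ]


def is_in_scope(whois_text: str) -> bool:
    """True if any of the three organization fields names Corebridge Financial.

    A domain whose registrant, admin and tech contacts are all third parties is
    out of scope under the policy, even if it serves Corebridge content.
    """
    return bool(scope_matches(parse_whois(whois_text)))
```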
Vulnerabilities typically in scope include items from the OWASP Top 10 and vulnerabilities with a confirmed security impact.
We reserve the right to determine whether to accept a report. For example, we may not accept:
A report of a vulnerability resulting from a violation of the program guidelines
A report on a vulnerability with little security impact or exploitability
A vulnerability discoverable through automated scans that has not been verified manually
Certain vulnerabilities are considered out of scope for our Vulnerability Disclosure Program. These include:
Clickjacking on pages with no sensitive actions
Unauthenticated/logout/login CSRF
Insecure Cookie Settings on non-sensitive cookies
Bugs requiring inordinate amounts of user interaction or prior knowledge of user secrets such as session tokens or CSRF values
Information regarding software versions or web server versions/banners where there is no evidence these versions are impacted by a security flaw
Attacks requiring MITM or physical access to a user's device
Previously known vulnerable libraries without a working Proof of Concept
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Common automated tooling, including but not limited to Acunetix, Nessus, and Qualys, should be avoided; however, use of Burp Suite and other custom tools is allowed
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector or without being able to modify HTML/CSS
Overly Permissive Google Maps API keys
Privacy violations, destruction of data, and interruption or degradation of our services
Social engineering (e.g. phishing, vishing, smishing) is prohibited
Missing SPF records
Do not test the physical security of Corebridge Financial property
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for assisting Corebridge Financial!