Responsible Vulnerability Disclosure Guidelines

The security team at Cigna strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients, members, and partners. If you believe you have discovered a security vulnerability in a website, mobile application, or other property of Cigna or any of its subsidiaries or affiliates, we strongly encourage you to inform us as quickly as possible. Disclosures may be made to: security@cigna.com

Cigna’s Responsible Disclosure Program is governed by these Responsible Vulnerability Guidelines (the “Guidelines”). By submitting a vulnerability to Cigna, you agree to be bound by these Guidelines.

Scope: Software Built by Cigna

Our Responsible Disclosure Program relates only to applications built by Cigna, its subsidiaries, and affiliates. For applications built by third parties, please reach out to the relevant third party.

Only security vulnerabilities should be reported through this program.

Vulnerabilities related to Cigna and its subsidiaries are in scope.

The following are out of scope of Cigna’s Responsible Disclosure Program, do not qualify as valid vulnerabilities under these Guidelines, and should not be reported:

  • Outdated versions of libraries or other components
  • Self-XSS
  • Missing DNS security configurations (e.g. SPF records, DKIM, etc.)
  • Missing or misconfigured HTTP headers (e.g. HSTS, X-Frame-Options, CSP, etc.)

Researcher Guidelines

The privacy of our clients, members, and partners must be maintained during the disclosure of any vulnerability.

This page includes instructions on how to securely report vulnerabilities to Cigna’s security team. Cigna does not accept disclosures that do not follow these Guidelines.

We ask you to:

  • Do not delete any data hosted by Cigna or its subsidiaries or affiliates.
  • Do not access any data or applications that are not necessary to show impact.
  • Do not perform denial of service attacks, disrupt services, or degrade internal or external services.
  • Do not exfiltrate any data during your research.
  • Any confidential information obtained through this research remains the confidential information of Cigna, and its subsidiaries or affiliates as applicable, and is not to be shared with any external parties. Any sensitive information (e.g. protected health information or personally identifiable information) obtained through this research should be kept for only as long as necessary to complete the research and must be securely deleted upon resolution of the vulnerability and/or at the direction of Cigna.
  • Do not run any automated tools against our servers.
  • Do not try to abuse our servers' resources, including but not limited to, sending unsolicited or unauthorized email.
  • Social engineering attacks including but not limited to phishing are out of scope.
  • Please provide us a minimum of 90 days from the date we acknowledge receipt of your disclosure to review and remediate reported issues. After this 90-day period, you may publicly disclose your research around the vulnerability, with the exception of any personally identifiable information or protected health information, which must at all times remain confidential even after remediation.
  • You acknowledge and agree that there may be situations where Cigna has a reasonable and legitimate interest in understanding the nature of any public disclosure you may make. When reasonable under the circumstances, you agree to work together with Cigna to coordinate any such public disclosure.
  • Only publicly disclose vulnerabilities after remediation in compliance with these Guidelines.

Responsible Vulnerability Disclosure Submission

A vulnerability disclosure must include the following information to be deemed a valid disclosure under these Guidelines and Cigna’s Responsible Disclosure Program:

  • A reasonable amount of information regarding the technical vulnerability that will allow Cigna to reproduce your steps.
  • Working proof-of-concept code.
  • How the vulnerability can be exploited in a real-world scenario.
  • Your email address.
    • We are happy to receive anonymous disclosures but we will not be able to thank you or provide any recognition for your submission.
  • Your name and Twitter handle, if you’d like to be included in our Researcher Hall of Fame.
    • Researchers will be included in Cigna’s Researcher Hall of Fame at Cigna’s discretion.
    • If you do not want to be included in our Researcher Hall of Fame, please let us know through email.

Vulnerability information is extremely sensitive. Please encrypt your vulnerability disclosure to us using the following PGP key:

Key fingerprint: 2A9A28E3A3B75F4F63F9EB56251AF5E27E30FA80

Please direct these emails to security@cigna.com.

Cigna will use reasonable efforts to acknowledge the receipt of your disclosure within seven (7) business days and will provide next steps. If requested, and where reasonable under the circumstances, we will notify you when the vulnerability has been fixed.

The validity of the disclosure will be evaluated at Cigna’s sole discretion. We will of course make a reasonable effort to work with you to better understand the submission. Cigna and its subsidiaries and affiliates are free to use and incorporate any feedback, suggestions, or recommendations you provide to Cigna.

Recognition

We recognize the importance of white hat researchers who are helping make the digital space safer for everyone. Vulnerabilities disclosed according to these Guidelines may be included in our Researcher Hall of Fame at Cigna’s sole discretion. We do not otherwise compensate researchers for identifying potential or confirmed vulnerabilities.

We will not pursue legal action against you if you act in good faith when conducting your research, comply with these Guidelines, do not engage in any illegal conduct, and do not attempt to harm Cigna, or our subsidiaries, affiliates, clients, members, partners, or others, or otherwise infringe or misuse Cigna property.

Researcher Hall of Fame

Hall of Fame researchers are security researchers who have responsibly disclosed a security issue following the above guidelines. We’d like to thank the following researchers for their help in making our products better:

  • Muhammad Zain Khan
  • Rishav Dhakrey
  • Mitchell Robson
  • Noor Mohammad Gagguturi and Kandukuru Sai Jaswanth
  • Nikhil Rane
  • Max Chee
