Responsible Vulnerability Disclosure Guidelines
The security team at Cigna Healthcare℠ strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients, members, and partners. If you believe you have discovered a security vulnerability on a website, mobile application, or other property of Cigna Healthcare or any of its subsidiaries or affiliates, we strongly encourage you to inform us as quickly as possible. Disclosures may be made to: firstname.lastname@example.org
Our Responsible Disclosure Program is governed by these Responsible Vulnerability Guidelines (the “Guidelines”). By submitting a vulnerability to Cigna Healthcare, you agree to be bound by these Guidelines.
Scope: Software Built by Cigna Healthcare
Our Responsible Disclosure Program relates only to applications built by Cigna Healthcare, its subsidiaries, and affiliates. For applications built by third parties, please reach out to the relevant third parties.
Only security vulnerabilities should be reported through this program.
Vulnerabilities related to Cigna Healthcare and its subsidiaries are in scope.
The following are out of scope of our Responsible Disclosure Program, do not qualify as valid vulnerabilities under these Guidelines, and should not be reported:
- Outdated versions of libraries or other components
- Missing DNS security configurations (e.g. SPF records, DKIM, etc.)
- Missing or misconfigured HTTP headers (e.g. HSTS, X-Frame Options, CSP, etc.)
The privacy of our clients, members, and partners must be maintained during the disclosure of any vulnerability.
This page includes instructions on how to securely report vulnerabilities to our security team. Cigna Healthcare does not accept disclosures that do not follow these Guidelines.
We ask you to observe the following:
- Do not delete any data hosted by Cigna Healthcare or its subsidiaries or affiliates.
- Do not access any data or applications that are not necessary to show impact.
- Do not perform denial of service attacks, disrupt services, or degrade internal or external services.
- Do not exfiltrate any data during your research.
- Any confidential information obtained through this research remains the confidential information of Cigna Healthcare, and its subsidiaries or affiliates as applicable, and is not to be shared with any external parties. Any sensitive information (e.g. protected health information or personally identifiable information) obtained through this research should be kept for only as long as necessary to complete the research and must be securely deleted upon resolution of the vulnerability and/or at the direction of Cigna Healthcare.
- Do not run any automated tools against our servers.
- Do not try to abuse our servers' resources, including but not limited to, sending unsolicited or unauthorized email.
- Social engineering attacks including but not limited to phishing are out of scope.
- Please provide us a minimum of 90 days from the date we acknowledge receipt of your disclosure to review and remediate reported issues. After this 90-day period, you may publicly disclose your research around the vulnerability, with the exception of any personally identifiable information or protected health information, which must at all times remain confidential even after remediation.
- You acknowledge and agree that there may be situations where Cigna Healthcare has a reasonable and legitimate interest in understanding the nature of any public disclosure you may make. When reasonable under the circumstances, you agree to work together with Cigna Healthcare to coordinate any such public disclosure.
- Only publicly disclose vulnerabilities after remediation in compliance with these Guidelines.
Responsible Vulnerability Disclosure Submission
A vulnerability disclosure must include the following information to be deemed a valid disclosure under these Guidelines and our Responsible Disclosure Program:
- A reasonable amount of information regarding the technical vulnerability that will allow Cigna Healthcare to reproduce your steps.
- Working Proof of Concept code.
- How the vulnerability can be exploited in a real-world scenario.
- Your email address.
  - We are happy to receive anonymous disclosures, but we will not be able to thank you or provide any recognition for your submission.
- Your name and Twitter handle, if you’d like to be included in our Researcher Hall of Fame.
  - Researchers will be included in our Researcher Hall of Fame at our discretion.
  - If you do not want to be included in our Researcher Hall of Fame, please let us know through email.
Vulnerability information is extremely sensitive. Please email your vulnerability disclosure to us using the following PGP key:
Key fingerprint: 1032 993A B76C 4C63 FAF0 8DAC 605B 84FA CBD8 0994
Please direct these emails to email@example.com
Cigna Healthcare will use reasonable efforts to acknowledge the receipt of your disclosure within seven (7) business days and will provide next steps. If requested, and where reasonable under the circumstances, we will notify you when the vulnerability has been fixed.
The validity of the disclosure will be evaluated at our sole discretion. We will of course make a reasonable effort to work with you to better understand the submission. Cigna Healthcare and its subsidiaries and affiliates are free to use and incorporate any feedback, suggestions, or recommendations you provide to Cigna Healthcare.
We recognize the importance of white hat researchers who are helping make the digital space safer for everyone. Vulnerabilities disclosed according to these Guidelines may be included in our Researcher Hall of Fame at our sole discretion. We do not otherwise compensate researchers for identifying potential or confirmed vulnerabilities.
We will not pursue legal action against you if you act in good faith when conducting your research, comply with these Guidelines, do not engage in any illegal conduct, do not attempt to harm Cigna Healthcare, or our subsidiaries, affiliates, clients, members, partners, or others, or otherwise infringe or misuse Cigna Healthcare property.
Researcher Hall of Fame
Hall of Fame researchers are security researchers who have responsibly disclosed a security issue following the above guidelines. We’d like to thank the following researchers for their help in making our products better:
Muhammad Zain Khan
Noor Mohammad Gagguturi and Kandukuru Sai Jaswanth
Parag Bapu Bagul
Yaswanth Sai Boligarla
Eusebiu Daniel Blindu