Responsible Vulnerability Disclosure Guidelines

Responsible Vulnerability Disclosure Guidelines

The security team at Cigna strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients, members, and partners. If you believe you have discovered a security vulnerability on a Cigna, or any of its subsidiaries or affiliates, website, mobile application, or other property, we strongly encourage you to inform us as quickly as possible. Disclosures may be made to: security@cigna.com

Cigna’s Responsible Disclosure Program is governed by these Responsible Vulnerability Guidelines (the “Guidelines”). By submitting a vulnerability to Cigna, you agree to be bound by these Guidelines.

Scope: Software Built by Cigna

Our Responsible Disclosure Program relates only to applications built by Cigna, its subsidiaries, and affiliates. For third party built applications, please reach out to relevant third parties.

Only security vulnerabilities should be reported through this program.

Vulnerabilities related to Cigna and its subsidiaries are in scope.

The following are out of scope of Cigna’s Responsible Disclosure Program, do not qualify as valid vulnerabilities under these Guidelines, and should not be reported:

  • Outdated versions of libraries or other components
  • Self-XSS
  • Missing DNS security configurations (e.g. SPF records, DKIM, etc.)
  • Missing or misconfigured HTTP headers (e.g. HSTS, X-Frame Options, CSP, etc.)

Researcher Guidelines

The privacy of our clients, members, and partners must be maintained during the disclosure of any vulnerability. 

This page includes instructions on how to securely report vulnerabilities to Cigna’s security team. Cigna does not accept disclosures that do not follow these Guidelines. 

We ask you to:

  • Do not delete any data hosted by Cigna or its subsidiaries or affiliates.
  • Do not access any data or applications that are not necessary to show impact.
  • Do not perform denial of service attacks, disrupt services, or degrade internal or external services.
  • Do not exfiltrate any data during your research.
  • Any confidential information obtained through this research remains the confidential information of Cigna, and its subsidiaries or affiliates as applicable, and is not to be shared with any external parties. Any sensitive (e.g. protected health information or personally identifiable information) obtained through this research should be kept for only as long as necessary to complete the research and must be securely deleted upon resolution of the vulnerability and/or at the direction of Cigna.
  • Do not run any automated tools against our servers.
  • Do not try to abuse our servers' resources, including but not limited to, sending unsolicited or unauthorized email.
  • Social engineering attacks including but not limited to phishing are out of scope.
  • Please provide us a minimum of 90 days from the date we acknowledge receipt of your disclosure to review and remediate reported issues. After this 90 day period, you may publically disclose your research around the vulnerability, with the exception of any personally identifiable information or protected health information which must at all times remain confidential even after remediation.
  • You acknowledge and agree that there may be situations where Cigna has a reasonable and legitimate interest in understanding the nature of any public disclosure you may make. When reasonable under the circumstances, you agree to work together with Cigna to coordinate any such public disclosure.
  • Only publically disclose vulnerabilities after remediation in compliance with these Guidelines.

Responsible Vulnerability Disclosure Submission

A vulnerability disclosure must include the following information to be deemed a valid disclosure under these Guidelines and Cigna’s Responsible Disclosure Program:

  • Reasonable amount of information regarding the technical vulnerability that will allow Cigna to reproduce your steps.
  • Working Proof of Concept code.
  • How the vulnerability can be exploited in a real world scenario.
  • Your email address.
    • We are happy to receive anonymous disclosures but we will not be able to thank you or provide any recognition for your submission.
  • Your name and twitter handle, if you’d like to be included in our Researcher Hall of Fame.
    • Researchers will be included in Cigna’s Researcher Hall of Fame at Cigna’s discretion.
    • If you do not want to be included in our Researcher Hall of Fame, please let us know through email.

Vulnerability information is extremely sensitive. Please email your vulnerability disclosure to us using the following PGP key:

Key fingerprint: 2A9A28E3A3B75F4F63F9EB56251AF5E27E30FA80

Please direct these emails to security@cigna.com

Cigna will use reasonable efforts to acknowledge the receipt of your disclosure within seven (7) business days and will provide next steps. If requested, and where reasonable under the circumstances, we will notify you when the vulnerability has been fixed.

The validity of the disclosure will be evaluated at Cigna’s sole discretion. We will of course make a reasonable effort to work with you to better understand the submission. Cigna and its subsidiaries and affiliates are free to use and incorporate any feedback, suggestions, or recommendations you provide to Cigna.

Recognition

We recognize the importance of white hat researchers who are helping make the digital space safer for everyone. Vulnerabilities disclosed according to these Guidelines may be included in our Researcher Hall of Fame at Cigna’s sole discretion. We do not otherwise compensate researchers for identifying potential or confirmed vulnerabilities.

We will not pursue legal action against you if you act in good faith when conducting your research, comply with these Guidelines, do not engage in any illegal conduct, do not attempt to harm Cigna, or our subsidiaries, affiliates, clients, members, partners, or others, or otherwise infringe or misuse Cigna property.

Researcher Hall of Fame

We thank the following researchers for their help in making our products better: