Responsible Vulnerability Disclosure Guidelines

The security team at Cigna Healthcare^SM strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients, members, and partners. If you believe you have discovered a security vulnerability on a Cigna Healthcare, or any of its subsidiaries or affiliates, website, mobile application, or other property, we strongly encourage you to inform us as quickly as possible. Disclosures may be made to: security@cigna.com

Our Responsible Disclosure Program is governed by these Responsible Vulnerability Guidelines (the “Guidelines”). By submitting a vulnerability to Cigna Healthcare, you agree to be bound by these Guidelines.

Scope: Software Built by Cigna Healthcare

Our Responsible Disclosure Program relates only to applications built by Cigna Healthcare, its subsidiaries, and affiliates. For third party built applications, please reach out to relevant third parties.

Only security vulnerabilities should be reported through this program.

Vulnerabilities related to Cigna Healthcare and its subsidiaries are in scope.

The following are out of scope of our Responsible Disclosure Program, do not qualify as valid vulnerabilities under these Guidelines, and should not be reported:

• Outdated versions of libraries or other components
• Self-XSS
• Missing DNS security configurations (e.g. SPF records, DKIM, etc.)
• Missing or misconfigured HTTP headers (e.g. HSTS, X-Frame Options, CSP, etc.)

Researcher Guidelines

The privacy of our clients, members, and partners must be maintained during the disclosure of any vulnerability.

This page includes instructions on how to securely report vulnerabilities to our security team. Cigna Healthcare does not accept disclosures that do not follow these Guidelines.

We ask you to:

• Do not delete any data hosted by Cigna Healthcare or its subsidiaries or affiliates.
• Do not access any data or applications that are not necessary to show impact.
• Do not perform denial of service attacks, disrupt services, or degrade internal or external services.
• Do not exfiltrate any data during your research.
• Any confidential information obtained through this research remains the confidential information of Cigna Healthcare, and its subsidiaries or affiliates as applicable, and is not to be shared with any external parties. Any sensitive (e.g. protected health information or personally identifiable information) obtained through this research should be kept for only as long as necessary to complete the research and must be securely deleted upon resolution of the vulnerability and/or at the direction of Cigna Healthcare.
• Do not run any automated tools against our servers.
• Do not try to abuse our servers' resources, including but not limited to, sending unsolicited or unauthorized email.
• Social engineering attacks including but not limited to phishing are out of scope.
• Please provide us a minimum of 90 days from the date we acknowledge receipt of your disclosure to review and remediate reported issues. After this 90 day period, you may publicly disclose your research around the vulnerability, with the exception of any personally identifiable information or protected health information which must at all times remain confidential even after remediation.
• You acknowledge and agree that there may be situations where Cigna Healthcare has a reasonable and legitimate interest in understanding the nature of any public disclosure you may make. When reasonable under the circumstances, you agree to work together with Cigna Healthcare to coordinate any such public disclosure.
• Only publicly disclose vulnerabilities after remediation in compliance with these Guidelines.

Responsible Vulnerability Disclosure Submission

A vulnerability disclosure must include the following information to be deemed a valid disclosure under these Guidelines and our Responsible Disclosure Program:

• Reasonable amount of information regarding the technical vulnerability that will allow Cigna Healthcare to reproduce your steps.
• Working Proof of Concept code.
• How the vulnerability can be exploited in a real world scenario.
• Your email address.
  • We are happy to receive anonymous disclosures but we will not be able to thank you or provide any recognition for your submission.
• Your name and twitter handle, if you’d like to be included in our Researcher Hall of Fame.
  • Researchers will be included in our Researcher Hall of Fame at our discretion.
  • If you do not want to be included in our Researcher Hall of Fame, please let us know through email.

Vulnerability information is extremely sensitive. Please email your vulnerability disclosure to us using the following PGP key

Key fingerprint: 1032 993A B76C 4C63 FAF0 8DAC 605B 84FA CBD8 0994

Please direct these emails to security@cigna.com

Cigna Healthcare will use reasonable efforts to acknowledge the receipt of your disclosure within seven (7) business days and will provide next steps. If requested, and where reasonable under the circumstances, we will notify you when the vulnerability has been fixed.

The validity of the disclosure will be evaluated at our sole discretion. We will of course make a reasonable effort to work with you to better understand the submission. Cigna Healthcare and its subsidiaries and affiliates are free to use and incorporate any feedback, suggestions, or recommendations you provide to Cigna Healthcare.

Recognition

We recognize the importance of white hat researchers who are helping make the digital space safer for everyone. Vulnerabilities disclosed according to these Guidelines may be included in our Researcher Hall of Fame at our sole discretion. We do not otherwise compensate researchers for identifying potential or confirmed vulnerabilities.

We will not pursue legal action against you if you act in good faith when conducting your research, comply with these Guidelines, do not engage in any illegal conduct, do not attempt to harm Cigna Healthcare, or our subsidiaries, affiliates, clients, members, partners, or others, or otherwise infringe or misuse Cigna Healthcare property.

Researcher Hall of Fame

Hall of Fame researchers are security researchers who have responsibly disclosed a security issue following the above guidelines. We’d like to thank the following researchers for their help in making our products better:

Muhammad Zain Khan

Rishav Dhakrey

Mitchell Robson

Noor Mohammad Gagguturi and Kandukuru Sai Jaswanth

Nikhil Rane

Max Chee

Chi Tran

Shivam Sharma

Navreet

Kirti Soni

Nijin K

Dharshan12

Parag Bapu Bagul

Yaswanth Sai Boligarla

Dhruv Gupta

Eusebiu Daniel Blindu

Nightwatch Cybersecurity Research