    Responsible Vulnerability Disclosure Guidelines

    The security team at Cigna Healthcare℠ strongly believes that collaboration with the security community is key to maintaining secure environments for all of our clients, members, and partners. If you believe you have discovered a security vulnerability on a website, mobile application, or other property of Cigna Healthcare or any of its subsidiaries or affiliates, we strongly encourage you to inform us as quickly as possible. Disclosures may be made to: security@cigna.com

    Our Responsible Disclosure Program is governed by these Responsible Vulnerability Guidelines (the “Guidelines”). By submitting a vulnerability to Cigna Healthcare, you agree to be bound by these Guidelines.

    Scope: Software Built by Cigna Healthcare

    Our Responsible Disclosure Program relates only to applications built by Cigna Healthcare, its subsidiaries, and affiliates. For applications built by third parties, please reach out to the relevant third parties.

    Only security vulnerabilities should be reported through this program.

    Vulnerabilities related to Cigna Healthcare and its subsidiaries are in scope.

    The following are out of scope of our Responsible Disclosure Program, do not qualify as valid vulnerabilities under these Guidelines, and should not be reported:

    • Outdated versions of libraries or other components
    • Self-XSS
    • Missing DNS security configurations (e.g. SPF records, DKIM, etc.)
    • Missing or misconfigured HTTP headers (e.g. HSTS, X-Frame-Options, CSP, etc.)

    Researcher Guidelines

    The privacy of our clients, members, and partners must be maintained during the disclosure of any vulnerability.

    This page includes instructions on how to securely report vulnerabilities to our security team. Cigna Healthcare does not accept disclosures that do not follow these Guidelines.

    We ask that you adhere to the following:

    • Do not delete any data hosted by Cigna Healthcare or its subsidiaries or affiliates.
    • Do not access any data or applications that are not necessary to show impact.
    • Do not perform denial of service attacks, disrupt services, or degrade internal or external services.
    • Do not exfiltrate any data during your research.
    • Any confidential information obtained through this research remains the confidential information of Cigna Healthcare, and its subsidiaries or affiliates as applicable, and is not to be shared with any external parties. Any sensitive information (e.g. protected health information or personally identifiable information) obtained through this research should be kept for only as long as necessary to complete the research and must be securely deleted upon resolution of the vulnerability and/or at the direction of Cigna Healthcare.
    • Do not run any automated tools against our servers.
    • Do not try to abuse our servers' resources, including but not limited to, sending unsolicited or unauthorized email.
    • Social engineering attacks including but not limited to phishing are out of scope.
    • Please provide us a minimum of 90 days from the date we acknowledge receipt of your disclosure to review and remediate reported issues. After this 90-day period, you may publicly disclose your research around the vulnerability, with the exception of any personally identifiable information or protected health information, which must at all times remain confidential even after remediation.
    • You acknowledge and agree that there may be situations where Cigna Healthcare has a reasonable and legitimate interest in understanding the nature of any public disclosure you may make. When reasonable under the circumstances, you agree to work together with Cigna Healthcare to coordinate any such public disclosure.
    • Only publicly disclose vulnerabilities after remediation in compliance with these Guidelines.

    Responsible Vulnerability Disclosure Submission

    A vulnerability disclosure must include the following information to be deemed a valid disclosure under these Guidelines and our Responsible Disclosure Program:

    • Reasonable amount of information regarding the technical vulnerability that will allow Cigna Healthcare to reproduce your steps.
    • Working Proof of Concept code.
    • How the vulnerability can be exploited in a real world scenario.
    • Your email address.
      • We are happy to receive anonymous disclosures but we will not be able to thank you or provide any recognition for your submission.
    • Your name and Twitter handle, if you’d like to be included in our Researcher Hall of Fame.
      • Researchers will be included in our Researcher Hall of Fame at our discretion.
      • If you do not want to be included in our Researcher Hall of Fame, please let us know through email.

    Vulnerability information is extremely sensitive. Please email your vulnerability disclosure to us using the following PGP key:

    Key fingerprint: 1032 993A B76C 4C63 FAF0 8DAC 605B 84FA CBD8 0994

    Please direct these emails to security@cigna.com

    Cigna Healthcare will use reasonable efforts to acknowledge the receipt of your disclosure within seven (7) business days and will provide next steps. If requested, and where reasonable under the circumstances, we will notify you when the vulnerability has been fixed.

    The validity of the disclosure will be evaluated at our sole discretion. We will of course make a reasonable effort to work with you to better understand the submission. Cigna Healthcare and its subsidiaries and affiliates are free to use and incorporate any feedback, suggestions, or recommendations you provide to Cigna Healthcare.

    Recognition

    We recognize the importance of white hat researchers who are helping make the digital space safer for everyone. Vulnerabilities disclosed according to these Guidelines may be included in our Researcher Hall of Fame at our sole discretion. We do not otherwise compensate researchers for identifying potential or confirmed vulnerabilities.

    We will not pursue legal action against you if you act in good faith when conducting your research, comply with these Guidelines, do not engage in any illegal conduct, do not attempt to harm Cigna Healthcare, or our subsidiaries, affiliates, clients, members, partners, or others, or otherwise infringe or misuse Cigna Healthcare property.

    Researcher Hall of Fame

    Hall of Fame researchers are security researchers who have responsibly disclosed a security issue following the above guidelines. We’d like to thank the following researchers for their help in making our products better:

    Muhammad Zain Khan

    Rishav Dhakrey

    Mitchell Robson

    Noor Mohammad Gagguturi and Kandukuru Sai Jaswanth

    Nikhil Rane

    Max Chee

    Chi Tran

    Shivam Sharma

    Navreet

    Kirti Soni

    Nijin K

    Dharshan12

    Parag Bapu Bagul

    Yaswanth Sai Boligarla

    Dhruv Gupta

    Eusebiu Daniel Blindu

    Nightwatch Cybersecurity Research

    Jimy Nurmahesa
