A spiritual successor to Krebs's "how many Fortune 100 have a CISO?" — but for the thing that lets the outside world actually help: is there a verifiable way to report a bug, and how good is the policy? Every company below is graded against the disclose.io Maturity Model from its own published policy where one exists.
Snapshot 2026-06-20 · 100 companies · 22 graded directly from policy text · evidence + source on every row.
The maturity model is the yardstick — five rungs from "findable" to "accountable." The goal is a race to the top.
1 of the Fortune 100 reaches Full Safe Harbor (L4+), the level that explicitly invites testing.
Each row expands to the evidence quote, the source URL, and how it was graded. 29 companies differ between the submitted table and live verification (flagged ⚠ on the row); 6 of our independent grades differ from the public directory.
| # | Company | sec.txt | VDP / bounty | Our level | Dir. | vs dir | |
|---|---|---|---|---|---|---|---|
| 1 | Amazon amazon.com | ✓ | Contact | L1 | L2 | ±1 | ▸ |
|
Contact Only policy text · confidence high
“Contact: mailto:aws-security@amazon.com” “AWS Vulnerability Disclosure Program: https://hackerone.com/aws_vdp” “Policy: https://vdp.aws.security/” | |||||||
| 2 | Walmart walmart.com | ✓ | Bounty disc. | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
| |||||||
| 3 | UnitedHealth Group unitedhealthgroup.com | ✓ | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence high
“This policy prohibits the performance of the following activities: Hacking, penetration testing, or other attempts to gain unauthorized access to UnitedHealth Group software or systems; Active vulnerability scanning or testing;” “If you have discovered an issue that you believe is an in-scope vulnerability, please email securityreporting@optum.com” “The following types of vulnerabilities are considered out of the scope for the purposes of this program: Volumetric vulnerabilities (e.g., Denial of Service or Distributed DoS); Reports of non-exploitable vulnerabilities...” “The time to address a valid, reported vulnerability will vary based on impact of the potential vulnerability and affected systems.” “For the security of our customers, UnitedHealth Group will not disclose, discuss, or confirm security issues.” “Security researchers must not violate any law, or access, use, alter or compromise in any manner any UnitedHealth Group data.” | |||||||
| 4 | Apple apple.com | ✓ | Bounty | L2 | L2 | match | ▸ |
|
Basic VDP policy text · confidence high
“For Product categories, the issue must affect the latest publicly available version (including beta versions) of iOS, iPadOS, macOS, tvOS, visionOS, or watchOS, with a standard configuration and on publicly available Apple hardware or Security Research Device.” “For Services, the issue must relate to a web server or service owned by Apple or an Apple subsidiary.” “Submit your report online to help ensure that you receive timely updates, can add additional information as needed, and can communicate with Apple security engineers about your report.” “We make it a priority to resolve security and privacy issues as quickly as possible, and most reports are resolved within 90 days.” “Publicly disclosing security issues before a fix is available makes you ineligible for all Apple Security Bounty rewards.” | |||||||
| 5 | Alphabet attr? google.com | ✓ | Bounty | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
| |||||||
| 6 | CVS Health cvshealth.com | — | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence high
“we encourage you to report it by using this page. Your report will be forwarded for timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue.” “Any exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and/or disrupting our customers' experience are all outside the scope of this program and outside any protections it affords from legal recourse.” “You are expected to engage in security research responsibly.” “Per our policy, if you wish to take part in the CVS Health Vulnerability Disclosure Program, you are expected to follow these guidelines” | |||||||
| 7 | Berkshire Hathaway berkshirehathaway.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 8 | McKesson mckesson.com | ✓ | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence high
“please submit it in the form below or email VulnerabilityReporting@McKesson.com” “We will contact you to confirm that we've received your report and trace your steps to reproduce your research. We will work with the affected teams to validate the report. We will notify you of remediation” “Do not hack, penetrate, or attempt to gain access to McKesson infrastructure, systems, or data” “you agree to comply with McKesson's Terms of Service, McKesson's Privacy Policy, and all applicable state, federal, or international laws and regulations” “you may not publicly disclose your findings or the contents of your Submission to any third parties. McKesson's program does not permit disclosure to any party outside of McKesson” ⚠ VDP/reporting: submitted NO, verified YES
| |||||||
| 9 | Exxon Mobil exxonmobil.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 10 | Cencora cencora.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 11 | Microsoft microsoft.com | ✓ | Bounty | L2 | L2 | match | ▸ |
|
Basic VDP policy text · confidence high
“Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions , Microsoft Bounty Legal Safe Harbor , Rules of Engagement , Bounty Program Guidelines” “Cloud Programs Up to $100,000 USD ... Endpoint & On-Prem Programs Up to $250,000 USD ... Zero Day Quest Up to $100,000 USD” “Report vulnerabilities privately and allow time for remediation before public disclosure. Adhere to our Rules of Engagement and program scope to ensure eligibility for awards.” “Do not access, modify, or exfiltrate customer data. Never disrupt services or compromise uptime.” | |||||||
| 12 | JPMorgan Chase jpmorganchase.com | — | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence high
“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact” “Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload)” “Work directly with the JPMorgan Chase Responsible Disclosure Program on vulnerability submissions” “you will be allowed to disclose the vulnerability after a fix has been issued” “Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.JPMorganChase.com” | |||||||
| 13 | Costco Wholesale costco.com | ✓ | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 14 | Cigna Group cigna.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 15 | Cardinal Health cardinalhealth.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 16 | Nvidia nvidia.com | — | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence medium
“This is a responsible disclosure program without bounties.” “Your Submission must be for an Asset (herein referred to as "product" and/or "technology") that is identified as in scope of the NVIDIA Program(s).” “You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform.” “You agree to conduct your research within the bounds of Ethical Hacking.” “You agree to practice coordinated disclosure in all of your security research conducted under the Program” | |||||||
| 17 | Meta Platforms attr? meta.com | ✓ | Bounty | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
| |||||||
| 18 | Elevance Health elevancehealth.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 19 | Centene centene.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 20 | Bank of America bankofamerica.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted NO, verified YES
| |||||||
| 21 | Chevron chevron.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 22 | Ford Motor ford.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 23 | General Motors gm.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 24 | Citigroup attr? citi.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 25 | Home Depot homedepot.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 26 | Fannie Mae fanniemae.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 27 | Kroger kroger.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 28 | Verizon verizon.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 29 | Phillips 66 phillips66.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 30 | Marathon Petroleum marathonpetroleum.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 31 | StoneX Group stonex.com | ✓ | VDP | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
⚠ VDP/reporting: submitted NO, verified YES
| |||||||
| 32 | State Farm statefarm.com | ✓ | Bounty | L3 | — | new | ▸ |
|
Partial Safe Harbor policy text · confidence high
“State Farm will not take legal action against you or revoke access to State Farm applications” “If you have noticed an information security issue in a State Farm system while using www.statefarm.com or a State Farm mobile application, we want to hear about it” “Please disclose issues using the Vulnerability Disclosure Communication form located on this web page” “State Farm will work to address the issue in a timely fashion” “We reserve all legal rights in the event of noncompliance” | |||||||
| 33 | Freddie Mac freddiemac.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 34 | Humana humana.com | — | VDP | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
⚠ security.txt: submitted YES, verified NO; VDP/reporting: submitted NO, verified YES
| |||||||
| 35 | AT&T att.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 36 | Goldman Sachs goldmansachs.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 37 | Comcast xfinity.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 38 | Wells Fargo wellsfargo.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 39 | Morgan Stanley morganstanley.com | — | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence high
“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact” “Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload)” “To work directly with ResponsibleDisclosure.com on vulnerability submissions in good faith” “you will be allowed to disclose the vulnerability after a fix has been issued” “Not to engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems” | |||||||
| 40 | Valero Energy valero.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 41 | Dell Technologies dell.com | ✓ | Contact | L1 | L2 | ±1 | ▸ |
|
Contact Only policy text · confidence high
“Contact: https://www.dell.com/support/dell-vulnerability-response-policy # Bug Bounty Program - Applications” “Contact: https://bugcrowd.com/dell-com # Bug Bounty Program - Products” “Contact: https://bugcrowd.com/dell-product” “Policy: https://www.dell.com/support/dell-vulnerability-response-policy” | |||||||
| 42 | Target target.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 43 | Tesla tesla.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
⚠ security.txt: submitted YES, verified NO
| |||||||
| 44 | Walt Disney disney.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 45 | Johnson & Johnson jnj.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 46 | PepsiCo pepsico.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 47 | Boeing boeing.com | ✓ | VDP | L3 | L2 | ±1 | ▸ |
|
Partial Safe Harbor policy text · confidence high
“Boeing will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.” “We consider activities conducted consistent with this policy to constitute authorized access under anti-hacking laws.” “To the extent your activities are inconsistent with certain Boeing terms and conditions, we waive those restrictions for the limited purpose of permitting security research under this policy.” “Provide Boeing reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.” | |||||||
| 48 | UPS attr? ups.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 49 | RTX attr? rtx.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 50 | FedEx fedex.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 51 | Progressive progressive.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 52 | Lowe's lowes.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 53 | Energy Transfer energytransfer.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 54 | Procter & Gamble pg.com | ✓ | VDP | L4 | — | new | ▸ |
|
Full Safe Harbor policy text · confidence high
“we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy” “Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls” “Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis” “Public disclosure may be allowed upon request, and only after granted written permission to do so from P&G” Source: https://vdp.pg.com
| |||||||
| 55 | Sysco sysco.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 56 | American Express americanexpress.com | ✓ | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
⚠ security.txt: submitted NO, verified YES
| |||||||
| 57 | Albertsons albertsons.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 58 | Archer Daniels Midland adm.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 59 | MetLife attr? metlife.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 60 | HCA Healthcare attr? hcahealthcare.com | ✓ | VDP | L2 | L2 | match | ▸ |
|
Basic VDP policy text · confidence medium
“please let us know by emailing our Information Protection & Security team directly at Information.Protection@hcahealthcare.com” “We ask that you work with us to diagnose and correct a vulnerability prior to publically disclosing it to ensure the safety and wellbeing of our patients and systems” “We ask that you not perform vulnerability or similar testing on products that are actively in use for public safety reasons” “In the event you share information with us, you agree that the information you submit will be considered non-proprietary and non-confidential, and that we may use such information in any manner, without restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for us.” | |||||||
| 61 | Lockheed Martin lockheedmartin.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 62 | New York Life newyorklife.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 63 | Capital One capitalone.com | ✓ | Bounty | L3 | — | new | ▸ |
|
Partial Safe Harbor policy text · confidence high
“By responsibly submitting your findings to Capital One in accordance with these guidelines Capital One agrees not to pursue legal action against you.” “Capital One reserves all legal rights in the event of noncompliance with these guidelines.” “Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.” “Provide Capital One reasonable time to fix any reported issue.” “Out of Scope Vulnerabilities Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program.” | |||||||
| 64 | Allstate allstate.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 65 | Caterpillar caterpillar.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
⚠ security.txt: submitted YES, verified NO
| |||||||
| 66 | IBM attr? ibm.com | ✓ | Contact | L1 | L2 | ±1 | ▸ |
|
Contact Only policy text · confidence high
“Contact: https://www.ibm.com/trust/security-psirt” “Contact: https://hackerone.com/ibm?type=team” “Contact: mailto:psirt@us.ibm.com” “PSIRT manages Product, Website, Secrets / Tokens Vulnerabilities” | |||||||
| 67 | Eli Lilly lilly.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 68 | Merck merck.com | — | VDP | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
| |||||||
| 69 | Nationwide nationwide.com | ✓ | VDP | L2 | — | new | ▸ |
|
Basic VDP policy text · confidence high
“vulnerabilitydisclosure@nationwide.co.uk” “You must not: Break any applicable law or regulations. Access unnecessary, excessive or significant amounts of data. Modify data in Nationwide's systems or services.” “Submissions we won't respond to: Vulnerabilities relating to systems, websites or apps which are not owned or controlled by us.” “We do not offer financial compensation or any other form of reward for submissions.” “By emailing or providing a disclosure to us, you agree to our terms.” “We will review all submissions that meet the requirements listed on this page.” ⚠ security.txt: submitted NO, verified YES
| |||||||
| 70 | Broadcom broadcom.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 71 | Delta Air Lines delta.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ security.txt: submitted YES, verified NO; VDP/reporting: submitted YES, verified NO
| |||||||
| 72 | Publix Super Markets publix.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 73 | Pfizer pfizer.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 74 | TD Synnex tdsynnex.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 75 | ConocoPhillips conocophillips.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 76 | Galaxy Digital galaxy.com | ✓ | VDP | L2 | L2 | — | ▸ |
|
Basic VDP directory parse
No policy text graded — see provenance.
Source: directory: safeHarbor=None
⚠ VDP/reporting: submitted NO, verified YES
| |||||||
| 77 | AbbVie abbvie.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 78 | Prudential Financial prudential.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 79 | TJX attr? tjx.com | ✓ | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted NO, verified YES
| |||||||
| 80 | Performance Food pfgc.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 81 | United Airlines united.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
⚠ security.txt: submitted YES, verified NO
| |||||||
| 82 | Oracle oracle.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 83 | Cisco Systems cisco.com | ✓ | Bounty partial | L2 | L2 | match | ▸ |
|
Basic VDP policy text · confidence medium
“The Cisco PSIRT is a dedicated, global team that receives, investigates, and publicly reports information about security vulnerabilities and issues related to Cisco products and services.” “Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security.” “Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the incident reporter to assess the nature of the vulnerability, gather required technical information, and determine appropriate remedial action.” “The Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure.” “The Cisco PSIRT aligns its practices with ISO/IEC 29147:2018, which are guidelines for disclosure of potential vulnerabilities established by the International Organization for Standardization.” | |||||||
| 84 | HP attr? hp.com | ✓ | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 85 | Charter Communications corporate.charter.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 86 | American Airlines aa.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
| 87 | Tyson Foods tysonfoods.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 88 | Intel intel.com | — | Bounty | L3 | L2 | ±1 | ▸ |
|
Partial Safe Harbor policy text · confidence medium
“To provide reasonable safe harbor to researchers following all Rules of Engagement . See " Safe Harbor " section.” “Intel Corporation believes that forging relationships with security researchers and fostering security research is a crucial part of our Security First Pledge. We encourage security researchers to work with us to mitigate and coordinate the disclosure of potential security vulnerabilities.” “You will not discuss or disclose vulnerability information with anyone not authorized by Intel without prior written consent from Intel” ⚠ security.txt: submitted YES, verified NO
| |||||||
| 89 | Enterprise Products enterpriseproducts.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 90 | Ingram Micro ingrammicro.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 91 | General Dynamics gd.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 92 | Uber Technologies uber.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 93 | USAA usaa.com | — | Contact | L1 | L2 | ±1 | ▸ |
|
Contact Only policy text · confidence high
“Contact: https://bugcrowd.com/engagements/usaa” “Contact: mailto:disclosure@usaa.com” “Policy: https://bugcrowd.com/usaa” | |||||||
| 94 | TIAA tiaa.org | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 95 | Liberty Mutual Insurance libertymutualgroup.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 96 | Travelers travelers.com | — | Bounty | L3 | — | new | ▸ |
|
Partial Safe Harbor policy text · confidence high
“Synack commits that, if we conclude, in our sole discretion, that a security vulnerability submitted through our Site complies with the Terms of Use, the applicable Scope and Rules of Engagement and the applicable Responsible Disclosure Guidelines, Synack will not bring a private action against you or refer the matter for public inquiry.” “The following web applications are in scope: *.travelers.com” “If you submit a valid vulnerability, you will be notified after a fix has been issued, and you will have the opportunity to be added to the Acknowledgments page and to disclose the vulnerability.” “Adhere to these Guidelines and the Rules of Engagement and Scope, and do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of Travelers' information and systems.” | |||||||
| 97 | Bristol-Myers Squibb bms.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
| |||||||
| 98 | Coca-Cola coca-cola.com | — | VDP | L3 | — | new | ▸ |
|
Partial Safe Harbor policy text · confidence high
“Safe harbour for researchers is applied” “with the exception of what is listed as explicitly out-of-scope you are welcome and encouraged to submit impactful findings on any asset you can attribute to The Coca-Cola Company or our brands!” “Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)” | |||||||
| 99 | Nike about.nike.com | — | Contact | L1 | — | — | ▸ |
|
Contact Only channel presence
No policy text graded — see provenance.
Source: —
| |||||||
| 100 | Massachusetts Mutual massmutual.com | — | — | L0 | — | — | ▸ |
|
Not Present none
No policy text graded — see provenance.
Source: —
⚠ VDP/reporting: submitted YES, verified NO
| |||||||
Pipeline. Each company's domain was resolved through lookup.disclose.io — which checks /.well-known/security.txt, the disclose.io directory, and the major bug-bounty platforms — to find every reporting channel and policy URL. Where a policy page was reachable, its actual text was graded independently against the six-level disclose.io Maturity Model, looking for the specific signals that separate the levels: a promise not to pursue legal action (L3), explicit authorization to test plus CFAA / DMCA / Terms-of-Service carve-outs (L4), and a coordinated-disclosure deadline (L5).
Provenance is labelled per row. policy text = graded from the company's own published policy. directory parse = the policy sits on a platform we couldn't read as plain text, so the disclose.io directory's safe-harbor classification stands in. channel presence = a reporting channel exists but no policy was gradeable. The "Dir." column is the directory's safe-harbor class; a flag marks where our independent read differs.
Caveats. This is a point-in-time snapshot (2026-06-20); policies change. Attribution can land on a subsidiary for conglomerates (flagged attr?). "Submitted vs verified" corrections are listed on each affected row.