Snapshot 2026-06-21 · 100 companies · graded against the disclose.io Maturity Model
| # | Company | Report | Policy | Disclose.io Maturity Level | Last verified | Assessment |
|---|---|---|---|---|---|---|
| 1 | Amazon (amazon.com) | Web form | policy | L1 | 2026-06-21 | Contact Only · policy text · confidence high<br>Report via: https://hackerone.com/amazonvrp · Policy: https://aws.amazon.com/.well-known/security.txt<br>“Contact: mailto:aws-security@amazon.com \| AWS Vulnerability Disclosure Program: https://hackerone.com/aws_vdp \| Policy: https://vdp.aws.security/” |
| 2 | Walmart (walmart.com) | Web form | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://corporate.walmart.com/article/responsible-disclosure-policy · Policy: https://corporate.walmart.com/article/responsible-disclosure-policy<br>“Walmart Responsible Disclosure Policy: 'We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy.' Promissory non-pursuit, but testing NOT explicitly authorized, no CFAA/DMCA/ToS carve-out, no timeline → L3. security.txt live, Contact → policy.” |
| 3 | UnitedHealth Group (unitedhealthgroup.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: Securityreporting@optum.com · Policy: https://www.optum.com/vulnerability.html<br>“This policy prohibits the performance of the following activities: Hacking, penetration testing, or other attempts to gain unauthorized access to UnitedHealth Group software or systems; Active vulnerability scanning or testing; \| If you have discovered an issue that you believe is an in-scope vulnerability, please email securityreporting@optum.com \| The following types of vulnerabilities are considered out of the scope for the purposes of this program: Volumetric vulnerabilities (e.g., Denial of Service or Distributed DoS); Reports of non-exploitable vulnerabilities... \| The time to address a valid, reported vulnerability will vary based on impact of the potential vulnerability and affected systems. \| For the security of our customers, UnitedHealth Group will not disclose, discuss, or confirm security issues. \| Security researchers must not violate any law, or access, use, alter or compromise in any manner any UnitedHealth Group data.” |
| 4 | Apple (apple.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: https://security.apple.com/bounty/guidelines/ · Policy: https://security.apple.com/bounty/guidelines/<br>“For Product categories, the issue must affect the latest publicly available version (including beta versions) of iOS, iPadOS, macOS, tvOS, visionOS, or watchOS, with a standard configuration and on publicly available Apple hardware or Security Research Device. \| For Services, the issue must relate to a web server or service owned by Apple or an Apple subsidiary. \| Submit your report online to help ensure that you receive timely updates, can add additional information as needed, and can communicate with Apple security engineers about your report. \| We make it a priority to resolve security and privacy issues as quickly as possible, and most reports are resolved within 90 days. \| Publicly disclosing security issues before a fix is available makes you ineligible for all Apple Security Bounty rewards.” |
| 5 | Alphabet (google.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence medium<br>Report via: https://g.co/vulnz · Policy: https://bughunters.google.com/about/rules/google-friends/google-and-alphabet-vulnerability-reward-program-vrp-rules<br>“Google & Alphabet VRP (Bug Hunters), live since 2010. Scope: 'any Google-owned or Alphabet (Bet) subsidiary web service that handles reasonably sensitive user data'. Authorization language is RESTRICTIVE only: 'The Vulnerability Reward Program does not authorize the testing of Google Cloud customer applications...'. No affirmative safe-harbor, no 'will not pursue legal action', no CFAA/DMCA/ToS carve-out, no CVD deadline in the VRP policy. security.txt: Contact https://g.co/vulnz + security@google.com; Policy https://g.co/vrp.” |
| 6 | CVS Health (cvshealth.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: https://www.cvshealth.com/vulnerability-disclosure-program · Policy: https://www.cvshealth.com/vulnerability-disclosure-program<br>“we encourage you to report it by using this page. Your report will be forwarded for timely acknowledgement and verification. Verified issues will then be passed to our development teams for remediation on a timeline commensurate with the severity of the issue. \| Any exfiltration or downloading of CVS Health/Aetna data, disclosure of confidential information, and/or disrupting our customers' experience are all outside the scope of this program and outside any protections it affords from legal recourse. \| You are expected to engage in security research responsibly. \| Per our policy, if you wish to take part in the CVS Health Vulnerability Disclosure Program, you are expected to follow these guidelines” |
| 7 | Berkshire Hathaway (berkshirehathaway.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No public channel. hackerone.com/berkshirehathaway is a legacy directory stub (GraphQL submission_state=null, policy=null, scopes=[]). security.txt 404 at all paths (genuine Apache 404, not WAF). Search hits claiming a VDP are AI inferences from the empty stub. Prior 'none' confirmed.” |
| 8 | McKesson (mckesson.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: mailto:mckesson@submit.bugcrowd.com · Policy: https://www.mckesson.com/cybersecurity/coordinated-vulnerability-disclosure/<br>“please submit it in the form below or email VulnerabilityReporting@McKesson.com \| We will contact you to confirm that we've received your report and trace your steps to reproduce your research. We will work with the affected teams to validate the report. We will notify you of remediation \| Do not hack, penetrate, or attempt to gain access to McKesson infrastructure, systems, or data \| you agree to comply with McKesson's Terms of Service, McKesson's Privacy Policy, and all applicable state, federal, or international laws and regulations \| you may not publicly disclose your findings or the contents of your Submission to any third parties. McKesson's program does not permit disclosure to any party outside of McKesson” |
| 9 | Exxon Mobil (exxonmobil.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No public channel. hackerone.com/exxonmobil is an unclaimed community stub — real-Chrome render reads 'There are no known guidelines for reporting potential security vulnerabilities to this organization.' + 'This page is not affiliated with ExxonMobil.' GraphQL: empty policy/email, offers_rewards=false. security.txt 404. Prior 'none' confirmed.” |
| 10 | Cencora (cencora.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No org-operated channel. Only artifact is an unclaimed HackerOne community stub at hackerone.com/healthcareabc (AmerisourceBergen) — real-Chrome render: 'There are no known guidelines...' + 'This page is not affiliated...' + 'Claim this page'. No scope/submit/policy/email. Below L1. Prior 'none' confirmed.” |
| 11 | Microsoft (microsoft.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: https://www.microsoft.com/en-us/msrc/bounty-safe-harbor · Policy: https://www.microsoft.com/en-us/msrc/bounty-safe-harbor<br>“Microsoft Bounty Program is subject to these terms and those outlined in the Microsoft Bounty Terms and Conditions, Microsoft Bounty Legal Safe Harbor, Rules of Engagement, Bounty Program Guidelines \| Cloud Programs Up to $100,000 USD ... Endpoint & On-Prem Programs Up to $250,000 USD ... Zero Day Quest Up to $100,000 USD \| Report vulnerabilities privately and allow time for remediation before public disclosure. Adhere to our Rules of Engagement and program scope to ensure eligibility for awards. \| Do not access, modify, or exfiltrate customer data. Never disrupt services or compromise uptime.” |
| 12 | JPMorgan Chase (jpmorganchase.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: https://responsibledisclosure.jpmorganchase.com · Policy: https://responsibledisclosure.jpmorganchase.com<br>“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact \| Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload) \| Work directly with the JPMorgan Chase Responsible Disclosure Program on vulnerability submissions \| you will be allowed to disclose the vulnerability after a fix has been issued \| Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.JPMorganChase.com” |
| 13 | Costco Wholesale (costco.com) | HackerOne | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://hackerone.com/costco · Policy: https://hackerone.com/costco<br>“LIVE HackerOne VDP (GraphQL submission_state=open, public_mode, offers_bounties=false). Safe Harbor: 'We do not intend to assert claims under computer abuse laws for activities conducted in a manner consistent with this policy... if legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Promissory + CFAA reference, but testing NOT explicitly authorized, no DMCA/ToS carve-out → L3. security.txt at www.costco.com/security.txt (root). Prior L1 undercounted → L3.” |
| 14 | Cigna Group (cigna.com) | Email | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: security@cigna.com · Policy: https://www.cigna.com/legal/members/responsible-vulnerability-disclosure<br>“VDP at cigna.com/legal/members/responsible-vulnerability-disclosure. Safe harbor: 'We will not pursue legal action against you if you act in good faith... comply with these Guidelines...'. CVD timeline: 'Please provide us a minimum of 90 days... After this 90 day period, you may publicly disclose...'. Submit via security@cigna.com (PGP). No explicit testing authorization, no CFAA/DMCA/ToS carve-out → L3 (has a 90-day clock but testing not authorized). Prior L1 undercounted → L3.” |
| 15 | Cardinal Health (cardinalhealth.com) | Email | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence high<br>Report via: GMB-MedicalDeviceSecurity@cardinalhealth.com · Policy: https://www.cardinalhealth.com/en/support/coordinated-vulnerability-disclosure.html<br>“Coordinated Vulnerability Disclosure process: report via email to GMB-MedicalDeviceSecurity@cardinalhealth.com; scope = supported/connected medical devices. No safe-harbor or testing authorization. (hackerone.com/cardinal_health is a non-operational directory placeholder.)” |
| 16 | Nvidia (nvidia.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence medium<br>Report via: https://www.intigriti.com/programs/nvidia/nvidiavdp/detail · Policy: https://www.intigriti.com/programs/nvidia/nvidiavdp/detail<br>“This is a responsible disclosure program without bounties. \| Your Submission must be for an Asset (herein referred to as "product" and/or "technology") that is identified as in scope of the NVIDIA Program(s). \| You are required to report a discovered Vulnerability in a prompt and transparent manner through the Platform. \| You agree to conduct your research within the bounds of Ethical Hacking. \| You agree to practice coordinated disclosure in all of your security research conducted under the Program” |
| 17 | Meta Platforms (meta.com) | Web form | policy | L4 | 2026-06-21 | Full Safe Harbor · deep audit · confidence high<br>Report via: https://www.facebook.com/whitehat/report/ · Policy: https://bugbounty.meta.com/terms/<br>“First-party Meta Bug Bounty (not HackerOne). Testing auth + CFAA: 'We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA)... to test the security of the products and systems identified as in-scope.' Safe harbor: 'we will not initiate a complaint to law enforcement or pursue a civil action against you.' DMCA: 'Meta will also not pursue... DMCA claims against you for circumventing the technological measures...'. ToS waiver: 'To the extent activities authorized by these Meta Bug Bounty terms are inconsistent with other terms of service... we waive those restrictions.' No day-count deadline → L4. Prior directory-L2 was a major miss.” |
| 18 | Elevance Health (elevancehealth.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No channel. Only HackerOne presence (antheminc, former name) is a community stub ('There are no known guidelines...', 'not affiliated with Anthem'). security.txt 404 (elevancehealth.com + anthem.com). Own cybersecurity page is internal governance only. Prior 'none' confirmed.” |
| 19 | Centene (centene.com) | HackerOne | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://hackerone.com/centene_vdp · Policy: https://hackerone.com/centene_vdp?type=team<br>“Active HackerOne VDP at hackerone.com/centene_vdp (HTTP 200, type VDP). 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you' + third-party defense = safe harbor + authorization (L3). policy_versions grep: zero CFAA/DMCA/ToS/timeline → no L4/L5. Prior 'none' matched the empty /centene stub, not the real _vdp program.” |
| 20 | Bank of America (bankofamerica.com) | PSIRT | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>Report via: https://www.first.org/members/teams/bank_of_america_cyber_threat_defence<br>“hackerone.com/bofa is an empty stub (GraphQL submission_state=null, validated against working controls). bankofamerica handle NOT_FOUND. Bugcrowd 404 (3 slugs). Synack ECONNREFUSED. security.txt 404. security-center is consumer fraud/phishing only, no researcher channel. Prior L1 was a false channel → L0.” |
| 21 | Chevron (chevron.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“hackerone.com/chevron is an unclaimed community stub (real-Chrome: 'There are no known guidelines...', 'not affiliated with Chevron', no submit). Bugcrowd 404. Synack ECONNREFUSED. No security.txt (404 www+apex). Own cybersecurity page is internal-only. Prior 'none' confirmed.” |
| 22 | Ford Motor (ford.com) | HackerOne | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://hackerone.com/ford · Policy: https://hackerone.com/ford?view_policy=true<br>“Live HackerOne VDP ('Ford - Vulnerability Disclosure Program'; also a Bugcrowd coordinated-disclosure engagement). Safe harbor (via FireBounty mirror + WebFetch): 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you' + third-party support. Scope \*.ford.com/\*.lincoln.com + FordPass + vehicle hardware. No CFAA/DMCA/ToS, no deadline → L3. Prior 'none'/timeout was wrong.” |
| 23 | General Motors (gm.com) | HackerOne | policy | L4 | 2026-06-21 | Full Safe Harbor · web search · confidence high<br>Report via: https://hackerone.com/gm/reports/new?type=team&report_type=vulnerability · Policy: https://hackerone.com/gm<br>“Live public HackerOne VDP (submission_state=open, public_mode). 'GM agrees not to pursue civil action against researchers who comply...'; activities consistent with the policy are '"authorized" conduct under the Computer Fraud and Abuse Act'; '...we will not bring a DMCA claim...'. No explicit ToS carve-out and no published CVD deadline (disclosure gated on remediation).” Source: https://hackerone.com/gm |
| 24 | Citigroup (citi.com) | Bugcrowd | policy | L2 | 2026-06-21 | Basic VDP · deep audit · confidence high<br>Report via: https://bugcrowd.com/engagements/citi · Policy: https://bugcrowd.com/engagements/citi<br>“Live Bugcrowd VDP (state in_progress, open, scope 'Any Citigroup owned asset', no_reward). Citi's authored policy DISCLAIMS authorization/safe harbor: 'this program should not be construed as encouragement or permission to perform... Hack, penetrate or otherwise attempt to gain unauthorized access... Citi does not waive any rights or claims.' → real VDP but no safe harbor = L2 (authored prose governs over Bugcrowd's generic badge).” |
| 25 | Home Depot (homedepot.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No current channel. security.txt 404 (live only in a single 2023 snapshot, gone since). Synack host homedepot.responsibledisclosure.com now NXDOMAIN (VDP decommissioned). No HackerOne/Bugcrowd. TechCrunch (2025-12-12): 'Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program.' Prior 'none' confirmed.” |
| 26 | Fannie Mae (fanniemae.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence high<br>Report via: https://www.fanniemae.com/form/report-technology-vulnerability · Policy: https://www.fanniemae.com/about-us/reporting-technology-vulnerability<br>“Working vulnerability-report web form on own domain (fields for location/URL, repro steps, impact, PoC, reporter email). No safe-harbor/no-legal-action promise, no testing authorization; reports may be shared with law enforcement. (hackerone.com/fanniemae is a directory placeholder.)” |
| 27 | Kroger (kroger.com) | Bugcrowd | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://bugcrowd.com/kroger-vdp · Policy: https://bugcrowd.com/engagements/kroger-vdp<br>“Live Bugcrowd VDP (no_reward, open). Explicit authorization: 'Testing is authorized on the websites and applications in scope.' Safe harbor: 'We consider any security research conducted in good faith and in compliance with this Policy to be authorized conduct and we will not initiate legal action against you... If legal action is initiated by a third party... we will take steps to make it known that your actions were authorized.' No CFAA/DMCA/ToS carve-out; disclosure gated on consent (no timeline) → L3. security.txt routes Contact to bugcrowd.com/kroger-vdp. Prior L1 undercounted → L3.” |
| 28 | Verizon (verizon.com) | Email | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence high<br>Report via: vecirt-incident@verizon.com · Policy: https://www.verizon.com/solutions-and-services/report-security-vulnerability/<br>“Official 'Report Security Vulnerability' page; submit via vecirt-incident@verizon.com (routed to CIRT). Explicitly anti-safe-harbor: 'Verizon does not endorse, solicit, or request independent testing... for security vulnerabilities' and requires following all Terms and Conditions. No carve-out, no timeline.” |
| 29 | Phillips 66 (phillips66.com) | HackerOne | policy | L0 | 2026-06-21 | Not Present · deep audit · confidence low<br>Report via: https://hackerone.com/phillips66co · Policy: https://hackerone.com/phillips66co<br>“CONFIRMED LIVE HackerOne VDP: GraphQL team(handle:'phillips66co') resolves to a real registered program 'Phillips 66' (energy co, distinct from healthcare 'philips'). No-bounty VDP. BUT policy markdown is UNREADABLE via every unauthenticated channel (live + Wayback are JS shells; GraphQL policy:null), so exact level could not be read — ≥L2 floor, L3/L4/L5 indeterminate. Level NOT guessed (unverified). security.txt 404. Bugcrowd 404.” |
| 30 | Marathon Petroleum (marathonpetroleum.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No channel for MPC. No owned VDP/PSIRT/security page — corporate ToU is anti-testing: prohibits 'attempting to probe, scan, or test the vulnerability of any system' and 'will cooperate with law enforcement'. HackerOne /marathonpetroleum = Page not found. Bugcrowd 404. Synack no DNS. security.txt absent (Wayback 404 both 2023 snapshots). Prior 'none' confirmed (hostile posture).” |
| 31 | StoneX Group (stonex.com) | security.txt | — | L1 | 2026-06-21 | Contact Only · deep audit · confidence high<br>Report via: itsecurity@stonex.com<br>“Live security.txt (200): 'Contact: mailto:itsecurity@stonex.com / Encryption: .../itsecurity.pgp / Hiring: ...'. NO Policy: field, no scope, no submission form, no safe-harbor. Contact-only. No owned VDP, no HackerOne/Bugcrowd, no Synack. Prior L1 confirmed.” |
| 32 | State Farm (statefarm.com) | Web form | policy | L3 | 2026-06-21 | Partial Safe Harbor · policy text · confidence high<br>Report via: https://bugcrowd.com/vulnerability-rating-taxonomy · Policy: https://www.statefarm.com/customer-care/privacy-security/security/vulnerability-disclosure-policy<br>“State Farm will not take legal action against you or revoke access to State Farm applications \| If you have noticed an information security issue in a State Farm system while using www.statefarm.com or a State Farm mobile application, we want to hear about it \| Please disclose issues using the Vulnerability Disclosure Communication form located on this web page \| State Farm will work to address the issue in a timely fashion \| We reserve all legal rights in the event of noncompliance” |
| 33 | Freddie Mac (freddiemac.com) | Bugcrowd | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence high<br>Report via: https://bugcrowd.com/engagements/freddie-mac-vdp-ess · Policy: https://www.freddiemac.com/terms/vulnerability_disclosure_policy<br>“VDP on own domain: 'applies to all internet-facing assets...'. Triaged by Bugcrowd; no bounty. No safe-harbor/no-legal-action promise, no testing authorization, no carve-out, no timeline.” |
| 34 | Humana (humana.com) | security.txt | — | L1 | 2026-06-21 | Contact Only · web search · confidence high<br>Report via: bugbounty@humana.com<br>“security.txt resolves at ROOT (humana.com/security.txt; /.well-known/ 404s), HTTP 200: 'Contact: mailto:bugbounty@humana.com / Expires: 2026-01-01 / Hiring: ...'. No Policy: field, no public HackerOne/Bugcrowd program. Contact-only. (Expires date is in the past.)” |
| 35 | AT&T (att.com) | HackerOne | policy | L2 | 2026-06-21 | Basic VDP · deep audit · confidence high<br>Report via: https://hackerone.com/att · Policy: https://hackerone.com/att?view_policy=true<br>“Real open HackerOne program (GraphQL submission_state=open, public_mode, bounties $50-$3,000). Scope + submit path = L2. NO safe harbor/authorization/carve-out. Restrictive: 'You may only exploit... your own accounts. Testing must not violate any law...' + injunctive-relief threat. No security.txt. Prior L1 undercounted.” |
| 36 | Goldman Sachs (goldmansachs.com) | HackerOne | policy | L2 | 2026-06-21 | Basic VDP · deep audit · confidence high<br>Report via: https://hackerone.com/goldmansachs · Policy: https://hackerone.com/goldmansachs?view_policy=true<br>“Real open HackerOne program (GraphQL submission_state=open, public_mode, bounties). Scope (\*.gs.com, \*.goldmansachs.com) + Submit = L2. No promissory safe harbor (only HackerOne boilerplate). No carve-out, no timeline ('will not be publicly disclosing reports at this time'). Prior L1 undercounted.” |
| 37 | Comcast (xfinity.com) | Bugcrowd | policy | L4 | 2026-06-21 | Full Safe Harbor · deep audit · confidence high<br>Report via: securitydefectreporting@comcast.com · Policy: https://bugcrowd.com/engagements/comcastvdp<br>“Real public Bugcrowd program 'Comcast Xfinity VDP' (slug comcastvdp, participation=open, 1,459 rewarded). Brief safeHarborStatus='full' (= CFAA/CMA + DMCA + ToS/AUP carve-outs per Bugcrowd/disclose.io definition). 'Testing is only authorized on the targets listed as in scope.' No published disclosure deadline → L4. xfinity.com/vulnerabilityreport routes here. (hackerone.com/comcast is a null stub.) Prior L1 was a major miss.” |
| 38 | Wells Fargo (wellsfargo.com) | Email | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: ResponsibleDisclosure@wellsfargo.com · Policy: https://www.wellsfargo.com/privacy-security/fraud/responsible-disclosure-program/<br>“First-party policy: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.' + third-party defense language. Testing authorized + non-pursuit = L3. No CFAA/DMCA/ToS carve-out, no disclosure timeline. Email submission; public disclosure prohibited without permission. Prior L1 undercounted.” |
| 39 | Morgan Stanley (morganstanley.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · policy text · confidence high<br>Report via: https://morganstanley.responsibledisclosure.com/ · Policy: https://morganstanley.responsibledisclosure.com/<br>“Typical Vulnerabilities Accepted: OWASP Top 10 vulnerability categories Other vulnerabilities with demonstrated impact \| Typical Out of Scope: Theoretical vulnerabilities Informational disclosure of non-sensitive data Low impact session management issues Self XSS (user defined payload) \| To work directly with ResponsibleDisclosure.com on vulnerability submissions in good faith \| you will be allowed to disclose the vulnerability after a fix has been issued \| Not to engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems” |
| 40 | Valero Energy (valero.com) | — | — | L0 | 2026-06-21 | Not Present · deep audit · confidence high<br>“No channel. security.txt 404 both paths (HTML). HackerOne valero = team does not exist; valeroenergy = null community stub. Bugcrowd 404. Synack no DNS. Legal Notice PROHIBITS testing ('Probes, scans, or tests the vulnerability... without proper authorization'); only generic privacy emails. Prior 'none' confirmed.” |
| 41 | Dell Technologies (dell.com) | Web form | policy | L1 | 2026-06-21 | Contact Only · policy text · confidence high<br>Report via: https://bugcrowd.com/dell-com · Policy: https://afcs.dell.com/.well-known/security.txt<br>“Contact: https://www.dell.com/support/dell-vulnerability-response-policy # Bug Bounty Program - Applications \| Contact: https://bugcrowd.com/dell-com # Bug Bounty Program - Products \| Contact: https://bugcrowd.com/dell-product \| Policy: https://www.dell.com/support/dell-vulnerability-response-policy” |
| 42 | Target (target.com) | HackerOne | policy | L3 | 2026-06-21 | Partial Safe Harbor · web search · confidence high<br>Report via: security@target.com · Policy: https://security.target.com/vdp/<br>“Policy on own domain (security.target.com/vdp/). Scope: 'any of Target's guest-facing online services.' Safe harbor: 'Target will not take legal action against you related to any activities conducted in a manner consistent with this Policy and otherwise in good faith.' Submissions via HackerOne. No explicit authorization to test or statutory carve-outs.” |
| 43 | Tesla (tesla.com) | Bugcrowd | policy | L4 | 2026-06-21 | Full Safe Harbor · web search · confidence high<br>Report via: VulnerabilityReporting@tesla.com · Policy: https://www.tesla.com/legal/security<br>“security.txt at /.well-known/ (confirmed via Wayback; live edge WAF-blocks non-browsers). Policy tesla.com/legal/security: 'pre-approved, good-faith security researcher... has not accessed a computer without authorization... under the CFAA' (CFAA) and 'will not bring a copyright infringement claim under the DMCA... who circumvents security mechanism' (DMCA). Authorization gated on pre-registration; no explicit ToS waiver; disclosure 'reasonable time' (no fixed deadline) → L3. Public Bugcrowd program bugcrowd.com/tesla.” |
| 44 | Walt Disney (disney.com) | HackerOne | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://hackerone.com/disney · Policy: https://hackerone.com/disney<br>“Real open HackerOne program (GraphQL submission_state=open, public_mode, 'The Walt Disney Company'). Conditional non-pursuit: 'If we conclude, in our sole discretion, that you have complied... TWDC will not pursue claims against you in response to your report.' Testing NOT broadly authorized; no carve-outs; SLAs are response targets not a CVD deadline. Scope incl. Disney+, ESPN, Marvel, etc. Prior L1 undercounted → L3.” |
| 45 | Johnson & Johnson (jnj.com) | Email | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence high<br>Report via: vulnerability_reporting@its.jnj.com · Policy: https://www.jnj.com/coordinated-vulnerability-disclosure-statement<br>“Vulnerability Reporting Program scope = 'J&J's infrastructure, websites, public APIs, and applications'; report via vulnerability_reporting@its.jnj.com (devices via productsecurity@jnj.com). 10-business-day acknowledgment; asks to 'Comply with all laws.' No safe-harbor language. Also runs hackerone.com/jnj.” |
| 46 | PepsiCo (pepsico.com) | HackerOne | policy | L2 | 2026-06-21 | Basic VDP · deep audit · confidence high<br>Report via: https://hackerone.com/pepsico_vdp · Policy: https://hackerone.com/pepsico_vdp<br>“HackerOne 'pepsico_vdp' (GraphQL submission_state=open, public_mode). Real VDP with scope/rules but NO safe-harbor/legal/authorization language → L2. Bare 'pepsico' = team does not exist; no security.txt (404); no Synack/Bugcrowd. Prior L1 undercounted.” |
| 47 | Boeing (boeing.com) | Web form | policy | L4 | 2026-06-21 | Full Safe Harbor · policy text · confidence high<br>Report via: https://www.boeing.com/vulnerabilitydisclosure · Policy: https://www.boeing.com/vulnerabilitydisclosure<br>“Boeing will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. \| We consider activities conducted consistent with this policy to constitute authorized access under anti-hacking laws. \| To the extent your activities are inconsistent with certain Boeing terms and conditions, we waive those restrictions for the limited purpose of permitting security research under this policy. \| Provide Boeing reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.” |
| 48 | UPS (ups.com) | HackerOne | policy | L3 | 2026-06-21 | Partial Safe Harbor · deep audit · confidence high<br>Report via: https://hackerone.com/ups · Policy: https://hackerone.com/ups<br>“HackerOne 'ups' (UPS VDP, GraphQL open/public_mode). Safe Harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Authorization + non-pursuit but no CFAA/DMCA/ToS carve-out, no deadline → L3. No security.txt (404). Prior L1 undercounted.” |
| 49 | RTX (rtx.com) | Web form | policy | L2 | 2026-06-21 | Basic VDP · web search · confidence high<br>Report via: https://www.rtx.com/contacts/vulnerability-reporting · Policy: https://www.rtx.com/contacts/vulnerability-reporting<br>“VDP on own domain with embedded web form. Scope: 'public facing RTX product, system, or asset'. Asks to 'Provide RTX reasonable time to resolve.' No safe-harbor, no authorization, no timeline. Also listed on hackerone.com/rtx.” |
| 50 | FedEx fedex.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · web search · confidence high
Report via: https://fedex.responsibledisclosure.com/hc/en-us/requests/new · Policy: https://www.synack.com/vdp/fedex/
“VDP managed by Synack. Scope *.fedex.com. Safe harbor: 'Synack will not bring a private action against you or refer the matter for public inquiry.' Submit via fedex.responsibledisclosure.com. (Trust Center landing page intermittently 503s.)”
| 51 | Progressive progressive.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“Only an empty HackerOne community stub (hackerone.com/progressivecorp — GraphQL state=null, policy=null, external_program). Own /security/ 404; security.txt both paths = branded 404. No real HackerOne program (4 slugs none); no Bugcrowd (404); no Synack (NXDOMAIN). Prior 'none' confirmed.”
| 52 | Lowe's lowes.com | HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/lowes · Policy: https://hackerone.com/lowes
“HackerOne 'lowes' (Lowe's Companies VDP, GraphQL open/public_mode). Non-pursuit: "Lowe's will not take legal action against or suspend or terminate the accounts of those who discover and report security vulnerabilities in accordance with this Vulnerability Disclosure Policy." Full scope + SLAs (real VDP). No explicit testing authorization, no CFAA/DMCA/ToS carve-out, no deadline → L3. (lowes.com security.txt bleeds through to an unrelated TIAA-CREF stub — not Lowe's.) Prior L1 undercounted.”
| 53 | Energy Transfer energytransfer.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No channel. HackerOne 'Team does not exist' (4 slugs). No Bugcrowd (404). No Synack (NXDOMAIN). security.txt behind F5 WAF 403 with no real file. Only a corporate privacy mailbox (not a researcher channel). Prior 'none' confirmed.”
| 54 | Procter & Gamble pg.com | Web form ↗ | policy ↗ | L4 | 2026-06-21 | |
Full Safe Harbor · policy text · confidence high
Report via: https://vdp.pg.com · Policy: https://vdp.pg.com
“we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy | Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls | Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis | Public disclosure may be allowed upon request, and only after granted written permission to do so from P&G” Source: https://vdp.pg.com
| 55 | Sysco sysco.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“Only an empty HackerOne community stub (hackerone.com/sysco — GraphQL state=null, policy=null, external_program). security.txt path returns 200 but is SPA HTML (not a real file). No real HackerOne (syscocorp none); no Bugcrowd (404); no Synack (NXDOMAIN). Prior 'none' confirmed.”
| 56 | American Express americanexpress.com | security.txt ↗ | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
Report via: security@swisscard.ch
“hackerone.com/americanexpress is an empty community-curated stub (GraphQL submission_state=null, policy='', external_program, scopes=[]). security.txt both paths 302→404 (Akamai). Amex security-center is consumer fraud guidance; sole email spoof@americanexpress.com is phishing, not vuln disclosure. Bugcrowd 404; Synack ECONNREFUSED. Prior L1 was a false channel → L0.”
| 57 | Albertsons albertsons.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · web search · confidence high
Report via: https://albertsons.responsibledisclosure.com/hc/en-us · Policy: https://albertsons.responsibledisclosure.com/hc/en-us
“Responsible Disclosure powered by Synack. Submit via form. Safe harbor: '...Synack will not bring a private action against the reporter or refer the matter for public inquiry.' Disclosure only after fix. (Site 403s bots.)”
| 58 | Archer Daniels Midland adm.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No channel. Footer exposes only Privacy/Terms/Compliance, no security link. HackerOne /adm + /archer_daniels_midland 404 (no program/stub). Bugcrowd /engagements/adm 404. Synack ECONNREFUSED. security.txt both paths clean 404 (not WAF). Prior 'none' confirmed.”
| 59 | MetLife metlife.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“hackerone.com/metlife is an empty community stub — real-Chrome render verbatim: 'There are no known guidelines for reporting potential security vulnerabilities to this organization.' + 'not affiliated with MetLife... Claim this page', no Submit button (submission_state null). Bugcrowd 404. Synack ECONNREFUSED. security.txt 404/403. Own pages: only phish@metlife.com (phishing). Prior 'none' confirmed.”
| 60 | HCA Healthcare hcahealthcare.com | Web form ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · policy text · confidence medium
Report via: https://www.hcahealthcare.com/legal/responsible-disclosure · Policy: https://www.hcahealthcare.com/legal/responsible-disclosure
“please let us know by emailing our Information Protection & Security team directly at Information.Protection@hcahealthcare.com | We ask that you work with us to diagnose and correct a vulnerability prior to publically disclosing it to ensure the safety and wellbeing of our patients and systems | We ask that you not perform vulnerability or similar testing on products that are actively in use for public safety reasons | In the event you share information with us, you agree that the information you submit will be considered non-proprietary and non-confidential, and that we may use such information in any manner, without restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for us.”
| 61 | Lockheed Martin lockheedmartin.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · deep audit · confidence high
Report via: https://www.lockheedmartin.com/en-us/contact/vulnerability-disclosure-policy.html · Policy: https://www.lockheedmartin.com/en-us/contact/vulnerability-disclosure-policy.html
“Own VDP page. Testing authorized + CFAA: 'Lockheed Martin considers security research and vulnerability disclosure activities conducted consistent with this policy to be "authorized" conduct under the Computer Fraud and Abuse Act and other applicable computer use laws.' Non-pursuit: 'will not pursue civil or criminal action... for accidental or good faith violations of this policy'. CVD timeline: 'Keep information about any vulnerabilities... confidential between yourself and Lockheed Martin until we have had minimum 120 days to verify and resolve the issue.' L4 signals + published 120-day timeline → L5. Prior L1 was a major miss (HackerOne entry was only a community stub).”
| 62 | New York Life newyorklife.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No external channel. security.txt 404 live + Wayback (Jun 2023–Nov 2024). HackerOne 4 slugs 404; /nyl is a generic non-NYL handle. Bugcrowd 4 variants 404. Synack ECONNREFUSED. Own Information Security page describes internal defensive program only, no report mechanism. Prior 'none' confirmed.”
| 63 | Capital One capitalone.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · policy text · confidence high
Report via: https://hackerone.com/capital-one-bounty · Policy: https://www.capitalone.com/digital/responsible-disclosure/
“By responsibly submitting your findings to Capital One in accordance with these guidelines Capital One agrees not to pursue legal action against you. | Capital One reserves all legal rights in the event of noncompliance with these guidelines. | Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity. | Provide Capital One reasonable time to fix any reported issue. | Out of Scope Vulnerabilities Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program.”
| 64 | Allstate allstate.com | Email ↗ | policy ↗ | L1 | 2026-06-21 | |
Contact Only · deep audit · confidence high
Report via: SecurityDisclosure@infoarmor.com · Policy: https://www.allstateidentityprotection.com/security
“Allstate Identity Protection (Allstate-owned, formerly InfoArmor) security page: 'Report any potential security bug or vulnerability to SecurityDisclosure@infoarmor.com'. No scope, no testing authorization, no safe harbor, no timeline → contact-only L1. Main allstate.com has no PSIRT; security.txt times out; HackerOne empty stub; Bugcrowd 404; Synack ECONNREFUSED. Prior L1 confirmed (subsidiary channel).”
| 65 | Caterpillar caterpillar.com | HackerOne ↗ | policy ↗ | L4 | 2026-06-21 | |
Full Safe Harbor · web search · confidence high
Report via: https://hackerone.com/caterpillar · Policy: https://hackerone.com/caterpillar
“HackerOne hackerone.com/caterpillar (submission_state=open). disclose.io GOLD-STANDARD safe harbor verbatim: 'We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Service (TOS) and/or Acceptable Use Policies (AUP)... Will not bring legal action against you... including for bypassing technological measures we use to protect the applications in scope' (= testing authorized + CFAA + ToS/AUP + DMCA 1201). No published CVD deadline → L4. security.txt does NOT resolve at either path (403 Akamai) → securityTxt false.”
| 66 | IBM ibm.com | Web form ↗ | policy ↗ | L1 | 2026-06-21 | |
Contact Only · policy text · confidence high
Report via: https://hackerone.com/ibm?type=team · Policy: http://app-06.www.ibm.com/security.txt
“Contact: https://www.ibm.com/trust/security-psirt | Contact: https://hackerone.com/ibm?type=team | Contact: mailto:psirt@us.ibm.com | PSIRT manages Product, Website, Secrets / Tokens Vulnerabilities”
| 67 | Eli Lilly lilly.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · web search · confidence high
Report via: https://www.lilly.com/about/contact/cybersecurity-disclosure · Policy: https://www.lilly.com/about/contact/cybersecurity-disclosure
“Product Cybersecurity Coordinated Vulnerability Disclosure Policy. Safe harbor: 'If you comply with this Policy... we will consider your research to be authorized, and not recommend or pursue legal action' + third-party authorization defense. Scope = product cybersecurity (medical devices, SaMD). No statutory carve-outs; timeframes at Lilly's discretion.”
| 68 | Merck merck.com | HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/msd · Policy: https://hackerone.com/msd
“Real PUBLIC HackerOne VDP under slug 'msd' (Merck Sharp & Dohme), not 'merck' (404). GraphQL submission_state=open, public_mode, scopes *.merck.com + *.msd.com. Own page merck.com/responsible-vulnerability-disclosure-program/ directs to hackerone.com/msd. Safe harbor + explicit authorization: 'Any activities conducted in a manner the Company deems consistent with this policy will be considered authorized conduct and we will not initiate legal action against you...'. No CFAA/DMCA/ToS carve-out, no deadline → L3. Prior directory-L2 was wrong handle.”
| 69 | Nationwide nationwide.com | Web form ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · policy text · confidence high
Report via: https://www.nationwide.co.uk/help/fraud-and-security/report-security-vulnerability · Policy: https://www.nationwide.co.uk/help/fraud-and-security/report-security-vulnerability
“vulnerabilitydisclosure@nationwide.co.uk | You must not: Break any applicable law or regulations. Access unnecessary, excessive or significant amounts of data. Modify data in Nationwide's systems or services. | Submissions we won't respond to: Vulnerabilities relating to systems, websites or apps which are not owned or controlled by us. | We do not offer financial compensation or any other form of reward for submissions. | By emailing or providing a disclosure to us, you agree to our terms. | We will review all submissions that meet the requirements listed on this page.”
| 70 | Broadcom broadcom.com | PSIRT ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · web search · confidence high
Report via: symantec.psirt@broadcom.com · Policy: https://www.broadcom.com/support/security-center/vulnerability-management
“Product Security Center with per-product-line PSIRT email reporting. Symantec PSIRT symantec.psirt@broadcom.com ('confirm receipt within three business days', ISO 29147); VMware PSIRT vmware.psirt@broadcom.com. Real VDP with submission method/process, no legal safe-harbor commitment. (hackerone.com/broadcom is a directory stub.)”
| 71 | Delta Air Lines delta.com | Email ↗ | policy ↗ | L1 | 2026-06-21 | |
Contact Only · web search · confidence high
Report via: ResponsibleDisclosure@delta.com · Policy: https://www.delta.com/us/en/legal/vulnerability-disclosure-guidelines
“security.txt at delta.com/security.txt (ROOT path, not /.well-known/ which 404s) → Contact: ResponsibleDisclosure@Delta.com, Policy: VDP guidelines page. NO safe harbor — 'Delta reserves all legal rights in the event of your noncompliance... to pursue legal action'; requires compliance with Delta's Terms of Use. 5-business-day ack.”
| 72 | Publix Super Markets publix.com | Email ↗ | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
Report via: DataProtectionTeam@publix.com
“No researcher channel. security.txt 404 both paths/hosts. HackerOne 'Team does not exist'. Bugcrowd /engagements/publix 404. Synack no DNS. corporate.publix.com is a SPA catch-all (every path incl. nonsense returns same 200 body, no VDP). Prior 'none' confirmed.”
| 73 | Pfizer pfizer.com | HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/pfizer · Policy: https://hackerone.com/pfizer
“Real PUBLIC HackerOne VDP (GraphQL submission_state=open, public_mode). Promissory safe harbor: 'Pfizer will not initiate legal action against you for any security research activities... conducted in a manner consistent with this policy.' But testing NOT authorized: 'this policy does not... authorize or encourage any actions...' + 'Do not perform automated scanning or testing.' No CFAA/DMCA/ToS carve-out, no deadline → L3. Prior L1 undercounted.”
| 74 | TD Synnex tdsynnex.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No researcher channel. security.txt 404. HackerOne tdsynnex NOT_FOUND; legacy techdata/synnex are UNCLAIMED community stubs (GraphQL state=null, 'community-curated security page documents any known process...'). Bugcrowd engagements x3 404. Synack no DNS. Own /security + /responsible-disclosure 404. Prior 'none' confirmed.”
| 75 | ConocoPhillips conocophillips.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No researcher channel. /.well-known/security.txt 404; /security.txt returns 200 but is the SPA HTML shell (not a real file). HackerOne 'conocophillips' is an UNCLAIMED community stub (GraphQL state=null). Bugcrowd 404. Synack no DNS. Own security page describes internal IT/OT program only (no external report path). Prior 'none' confirmed.”
| 76 | Galaxy Digital galaxy.com | security.txt ↗ | — | L1 | 2026-06-21 | |
Contact Only · deep audit · confidence high
Report via: security@galaxy.com
“security.txt at ROOT /security.txt (200): 'Contact: mailto:security@galaxy.com / Expires: 2025-09-30' (expired but still served). NOT at /.well-known/ (404). No Policy line, no scope, no safe harbor. No dedicated security/disclosure page; no HackerOne/Bugcrowd/Synack. Bare contact → L1 confirmed.”
| 77 | AbbVie abbvie.com | Web form ↗ | policy ↗ | L1 | 2026-06-21 | |
Contact Only · web search · confidence high
Report via: https://cvd.abbvie.com/ · Policy: https://cvd.abbvie.com/
“Coordinated Vulnerability Disclosure portal at cvd.abbvie.com (web form). SCOPE LIMITED to AbbVie Medical Devices / SaMD, NOT the corporate abbvie.com web property. No safe harbor; submissions deemed non-confidential. 5-business-day ack. (hackerone.com/abbvie is private/invite-only.)” Source: https://cvd.abbvie.com/
| 78 | Prudential Financial prudential.com | HackerOne ↗ | policy ↗ | L4 | 2026-06-21 | |
Full Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/prudential-financial · Policy: https://hackerone.com/prudential-financial
“LIVE HackerOne VDP (GraphQL: state=public_mode, submission=open, scope *.prudential.com). Safe Harbor: 'Any activities conducted in a manner consistent with this Policy and within the Policy's scope will be considered authorized conduct by Prudential, including under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws such as Cal. Penal Code 502(c).' 'reasonable amount of time to resolve' but no numeric deadline → L4. Prior 'none' was WRONG.”
| 79 | TJX tjx.com | security.txt ↗ | — | L1 | 2026-06-21 | |
Contact Only · deep audit · confidence high
Report via: soc-sectxt@tjx.com
“security.txt exists (live WAF-blocked 403; via Wayback raw): 'Contact: mailto:soc-sectxt@tjx.com / Expires: 2026-04-16'. Contact only — no scope, no policy, no safe harbor. hackerone.com/tjx is an empty community-curated stub (GraphQL state=null). L1 confirmed.”
| 80 | Performance Food pfgc.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No public reporting channel. security.txt 404 both paths. No HackerOne team (GraphQL NOT_FOUND). No Bugcrowd (404). No Synack. Only IR contact + generic ToU 'notify of any breach' clause. Prior 'none' confirmed.”
| 81 | United Airlines united.com | Bugcrowd ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · web search · confidence medium
Report via: bugbounty@united.com · Policy: https://www.united.com/ual/en/us/fly/contact/vdppolicy.html
“security.txt at /.well-known/ HTTP 200: 'Contact: https://bugcrowd.com/united-vdp / Contact: mailto:bugbounty@united.com / Policy: https://www.united.com/ual/en/us/fly/contact/vdppolicy.html'. Public Bugcrowd VDP (first airline VDP) under Bugcrowd standard disclosure terms (safe harbor for in-scope good-faith research). Triple statutory carve-out could not be confirmed (united.com policy page WAF-blocked) → L3, medium confidence.”
| 82 | Oracle oracle.com | Email ↗ | policy ↗ | L1 | 2026-06-21 | |
Contact Only · deep audit · confidence high
Report via: secalert_us@oracle.com · Policy: https://www.oracle.com/corporate/security-practices/assurance/vulnerability/disclosure/
“Oracle PSIRT reporting (WAF-blocked; via Wayback): 'If you are not a customer or partner, please email secalert_us@oracle.com.' Disclosure policy restrictive: 'Oracle does not distribute exploit code... for vulnerabilities in our products.' No testing authorization, no safe harbor, no carve-out → contact/PSIRT-email only = L1. hackerone.com/oracle stub; bugcrowd.com/oracle is /h/ private portal (control-tested). Prior L1 confirmed.”
| 83 | Cisco Systems cisco.com | Web form ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · policy text · confidence medium
Report via: https://bugcrowd.com/ciscomeraki · Policy: https://sec.cloudapps.cisco.com/security/center/resources/security_vulnerability_policy.html
“The Cisco PSIRT is a dedicated, global team that receives, investigates, and publicly reports information about security vulnerabilities and issues related to Cisco products and services. | Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. | Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the incident reporter to assess the nature of the vulnerability, gather required technical information, and determine appropriate remedial action. | The Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure. | The Cisco PSIRT aligns its practices with ISO/IEC 29147:2018, which are guidelines for disclosure of potential vulnerabilities established by the International Organization for Standardization.”
| 84 | HP hp.com | PSIRT ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · deep audit · confidence high
Report via: https://enable.hp.com/potentialsecurityvulnerability-report · Policy: https://enable.hp.com/potentialsecurityvulnerability-report
“HP PSRT report page (enable.hp.com/potentialsecurityvulnerability-report) — live web form, product-scoped dropdown, 'HP will acknowledge receipt of the submission within two business days and begin investigating.' No legal/safe-harbor language → real VDP, L2. HP's Bugcrowd bounty is PRIVATE/invite-only (/h/hp). Prior L1 upgraded to L2.”
| 85 | Charter Communications corporate.charter.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No verified public channel across corporate.charter.com, charter.com, spectrum.com. hackerone.com/chartercom is an empty community-curated stub (GraphQL state=null, no scopes). No security.txt anywhere. bugcrowd.com/spectrum is /h/ catch-all (control-tested). Prior 'none' confirmed.”
| 86 | American Airlines aa.com | HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · web search · confidence high
Report via: https://hackerone.com/aa · Policy: https://hackerone.com/aa
“Managed HackerOne VDP (no bounty). Scope *.aa.com + regional carriers. Safe harbor: 'Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party... we will take steps to make it known that your actions were conducted in compliance with this policy.' Authorizes testing + no legal action (L4). No statutory carve-outs named, no CVD deadline. Verified via real-Chrome render.” Source: https://hackerone.com/aa
| 87 | Tyson Foods tysonfoods.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No channel on any surface. security.txt 404 (apex+www both paths). Only security-adjacent page is financial/ethics disclosures. HackerOne /tyson + /tysonfoods no real program. Bugcrowd 404. Synack refused. UpGuard scan confirms no security.txt/VDP. Prior 'none' confirmed.”
| 88 | Intel intel.com | PSIRT ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · web search · confidence high
Report via: secure@intel.com · Policy: https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html
“security.txt at /.well-known/ + root (Canonical https://www.intel.com/security.txt; Policy -> vulnerability-handling-guidelines.html). PSIRT secure@intel.com + Intel Bug Bounty via Intigriti. Safe harbor in bug-bounty terms: 'Intel will not initiate a lawsuit or law enforcement investigation against you in response to your report.' No explicit CFAA/DMCA/ToS carve-out → L3.”
| 89 | Enterprise Products enterpriseproducts.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No channel. Footer/nav have no security/disclosure link; Contact Us is operational/investor only. security.txt 404 both paths. HackerOne enterpriseproducts + enterprise-products 404 (no stub). Bugcrowd 404. Synack refused. Prior 'none' confirmed.”
| 90 | Ingram Micro ingrammicro.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No channel. hackerone.com/ingrammicroinc is an empty community stub (real-Chrome: 'There are no known guidelines...' + 'not affiliated', no submit). Bugcrowd 404. Synack NXDOMAIN. No security.txt (WAF). Trust Centre FAQ directs to general support form, no security scope. Prior 'none' confirmed.”
| 91 | General Dynamics gd.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No VDP at gd.com. security.txt 301→404. Homepage/contact/sitemap no security refs. HackerOne 'generaldynamicssharedr' is empty stub (GraphQL all-null); generaldynamics/general-dynamics/gdit team does not exist. Bugcrowd 404. Synack DNS-fail. Business units publish only DFARS supplier incident reporting (not a researcher VDP). Prior 'none' confirmed.”
| 92 | Uber Technologies uber.com | HackerOne ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · deep audit · confidence high
Report via: https://hackerone.com/uber · Policy: https://hackerone.com/uber?view_policy=true
“Real HackerOne bug bounty. Safe harbor (promissory): 'If you have made a good faith effort to abide by these Program Terms, we will not initiate or recommend legal action against you, and if a third party initiates legal action, we will make it known that your activities were conducted pursuant to the Bug Bounty Program.' But NO testing authorization ('Actions taken beyond this are not authorized'), NO CFAA/DMCA in the 29k-char rendered policy, and policy REQUIRES ToS compliance (no exemption), no disclosure deadline → L3 (HackerOne's platform Gold-Standard language NOT adopted into Uber's text). Prior L1 undercounted; not over-called to L4.”
| 93 | USAA usaa.com | Web form ↗ | policy ↗ | L1 | 2026-06-21 | |
Contact Only · policy text · confidence high
Report via: https://bugcrowd.com/usaa · Policy: http://usaa.com/.well-known/security.txt
“Contact: https://bugcrowd.com/engagements/usaa | Contact: mailto:disclosure@usaa.com | Policy: https://bugcrowd.com/usaa”
| 94 | TIAA tiaa.org | HackerOne ↗ | policy ↗ | L4 | 2026-06-21 | |
Full Safe Harbor · deep audit · confidence high
Report via: security@tiaa.org · Policy: https://www.tiaa.org/public/support/security-center
“TIAA security-center page → HackerOne embedded form rendering the full 'TIAA Vulnerability Disclosure Policy'. Safe harbor: 'we consider this research conducted under this policy to be: Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you...; Authorized concerning any relevant anti-circumvention laws...; Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP)... and we waive those restrictions on a limited basis.' Scope (*.tiaa.org, *.tiaa-cref.org, *.nuveen.com). No published public-disclosure deadline → L4. Prior 'none' was a major miss.”
| 95 | Liberty Mutual Insurance libertymutualgroup.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No researcher channel. HackerOne (liberty_mutual/libertymutual/liberty-mutual all 404). Bugcrowd 404. Synack NXDOMAIN. security.txt 404 (libertymutual.com) / Akamai 403 with no archived file (libertymutualgroup.com). Only 'Security Policy' page is customer-data protection, no researcher reporting. Prior 'none' confirmed.”
| 96 | Travelers travelers.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · policy text · confidence high
Report via: https://www.synack.com/vdp/travelers/ · Policy: https://www.synack.com/vdp/travelers/
“Synack commits that, if we conclude, in our sole discretion, that a security vulnerability submitted through our Site complies with the Terms of Use, the applicable Scope and Rules of Engagement and the applicable Responsible Disclosure Guidelines, Synack will not bring a private action against you or refer the matter for public inquiry. | The following web applications are in scope: *.travelers.com | If you submit a valid vulnerability, you will be notified after a fix has been issued, and you will have the opportunity to be added to the Acknowledgments page and to disclose the vulnerability. | Adhere to these Guidelines and the Rules of Engagement and Scope, and do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of Travelers' information and systems.”
| 97 | Bristol-Myers Squibb bms.com | — | — | L0 | 2026-06-21 | |
Not Present · deep audit · confidence high
“No channel. HackerOne GraphQL 'bms' = Team does not exist (the 200 is an SPA shell); 3 other slugs 404. Bugcrowd 404. Synack NXDOMAIN. security.txt 404 (the Wayback 200 is an Incapsula WAF challenge page, not a real file). Only privacy (dpo@bms.com) + compliance Integrity Line. Prior 'none' confirmed.”
| 98 | Coca-Cola coca-cola.com | Web form ↗ | policy ↗ | L3 | 2026-06-21 | |
Partial Safe Harbor · policy text · confidence high
Report via: https://bugcrowd.com/coca-cola · Policy: https://www.intigriti.com/programs/tccc/coca-cola/detail
“Safe harbour for researchers is applied | with the exception of what is listed as explicitly out-of-scope you are welcome and encouraged to submit impactful findings on any asset you can attribute to The Coca-Cola Company or our brands! | Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)”
| 99 | Nike about.nike.com | Web form ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · deep audit · confidence high
Report via: infosec@nike.com · Policy: https://www.nike.com/help/a/responsible-disclosure
“Real first-party VDP (full text read from __NEXT_DATA__). Scope + submission form (nike.com/help/disclosure) + prohibited-methods list. Not a bounty. CVD timeline present: 'We're committed to patching in-scope vulnerabilities in 90 days or less' + 90-day confidentiality. Safe harbor only soft ('open dialogue... without fear of reprisal') — NO explicit non-pursuit, NO testing authorization, NO CFAA/DMCA/ToS carve-out → L2. (hackerone.com/nike is an empty unclaimed stub, does not count.) Prior L2 confirmed.”
| 100 | Massachusetts Mutual massmutual.com | Email ↗ | policy ↗ | L2 | 2026-06-21 | |
Basic VDP · web search · confidence high
Report via: responsible.disclosure@massmutual.com · Policy: https://www.massmutual.com/protecting-your-information/responsible-disclosure-policy
“Self-hosted Responsible Disclosure Policy; report via responsible.disclosure@massmutual.com. Structured RDP rules + scope, but NO safe harbor and explicitly hostile: 'MassMutual expressly reserves all rights afforded to it, by law or in equity.' Prohibits public disclosure without consent.”