AIG takes cybersecurity seriously and is dedicated to providing a safe and secure digital experience for its customers and employees. The identification and sharing of potential security matters helps AIG protect the security and privacy of company data and customers. In addition to its dedicated team of experienced information security professionals, AIG values the contributions of the security researcher community. If you believe you’ve found a security issue in one of AIG’s applications, services, products, websites, or systems, please submit a report following program rules and guidelines through the AIG HackerOne platform.

AIG’s Vulnerability Disclosure Program is a structured framework for security researchers to identify and submit potential issues to the AIG team for review. Potential issues submitted must include enough information to reproduce and validate the issue. AIG recommends that security researchers review the program rules prior to conducting testing, which include but are not limited to:

• Do not engage in any activity that can stop or degrade AIG’s services or assets.
• Do not engage in any activity that violates: (a) federal or state laws or regulations; or (b) the laws or regulations of any country where (i) data, assets, or systems reside, (ii) data traffic is routed, or (iii) the researcher is conducting research activity.
• Any testing or reporting you undertake constitutes your agreement to all terms and conditions of the program.

Once a report is submitted, AIG will investigate, and if confirmed, take necessary corrective actions as appropriate. We greatly appreciate the efforts of all those who share potential findings with us and enable us to strengthen our overall security capabilities.