Please review Egencia's Vulnerability Disclosure Policy.
Responsible Disclosure Policy
ResponsibleDisclosure.com (operated by an independent third party, Synack, on behalf of Egencia).
This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.
The details within your request form will be submitted to Synack. If you have reported an issue determined to be within program scope and to be a valid security issue, Synack will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by Synack through their platform; accordingly, you must accept the Synack terms of service if you wish to proceed. All queries are to be directed to Synack and managed exclusively through the ResponsibleDisclosure.com online portal.
For a full overview and listing of Egencia VDP program scope, please visit the Egencia Vulnerability Disclosure Policy page. For inquiries on scope or Egencia’s Vulnerability Disclosure Policy, please contact egencia@responsibledisclosure.com.
Responsible Disclosure Guidelines
Researchers must follow the testing guidelines outlined in Egencia's VDP, as well as the guidelines below (excerpted from the Synack ROE page and not covered by Egencia VDP):
- Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.com
- Work directly with ResponsibleDisclosure.com on vulnerability submissions
- Provide a detailed description of a proof of concept to detail reproduction of vulnerabilities
- Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
- Do not engage in social engineering or phishing of customers or employees
- Do not request compensation for time and materials or vulnerabilities discovered
- No uploading of any vulnerability or client-related content to third-party utilities (e.g. GitHub, Dropbox, YouTube)
- All attack payload data must use professional language
- When documenting a vulnerability, if a vulnerability is public, take measures to ensure it does not identify Egencia.