American Express Global Business Travel (GBT) Responsible Disclosure Policy

GBT cares deeply about maintaining the trust and confidence that our customers place in us. The security of our online platforms is of paramount importance. If you are a security researcher and have discovered a security vulnerability in one of our services or sites, we encourage you to disclose it to us in a responsible manner. GBT will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate and fix vulnerabilities in accordance with our commitment to security and privacy. We will not take legal action against, or suspend or terminate the accounts of, researchers who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. GBT reserves all legal rights in the event of any noncompliance.

Guidelines:

At GBT we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.

If you identify a verified vulnerability in compliance with GBT’s Responsible Disclosure Policy, GBT commits to:

  • Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission).
  • Work closely with you to understand the nature of the issue and work on timelines for fix.

Noncompliance:

Public disclosure of the submission details of any identified or alleged vulnerability without express written consent from GBT will deem the submission as noncompliant with this Responsible Disclosure Policy.

In addition, to remain compliant you are prohibited from:

  • Accessing, downloading, or modifying data residing in an account that does not belong to you.
  • Executing or attempting to execute any “Denial of Service” attack of any kind.
  • Posting, transmitting, uploading, linking to, sending, or storing any malicious software.
  • Testing in a manner that would result in the sending unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages.
  • Testing in a manner that would degrade the operation of any GBT systems.
  • Testing third-party applications, websites, or services that integrate with or link to GBT systems.

Please fill the form below if you have a security issue you wish to report to the American Express Global Business Travel Team.  Feel free to reach out to us with any questions: amexgbt-esf@submit.bugcrowd.com. This form is not intended to be used by employees of GBT or GBT subsidiaries, by vendors currently working with GBT or GBT subsidiaries, or residents of countries on the U.S. sanctions list.