Responsible Disclosure Program

At Capital Group, cybersecurity is fundamental to our values and our commitment to protecting our systems and our customers’ information. We encourage security researchers and the broader community to report potential security vulnerabilities affecting Capital Group’s products, services, websites, applications, or other assets. To support this, we have established a Vulnerability Disclosure Program (Program) to enable responsible information sharing, define expectations for vulnerability testing, and provide a Safe Harbor to individuals who adhere to these guidelines. If you believe you have identified a potential security vulnerability, we welcome you to submit your findings in accordance with the guidelines below. We appreciate your support and partnership in helping strengthen our security posture.

Responsible Disclosure Program

This Program should not be interpreted as encouragement or authorization to hack, penetrate, or otherwise attempt to gain unauthorized access to Capital Group’s applications, systems, or data. To clearly distinguish good faith vulnerability research from malicious activity, researchers are expected to disclose potential vulnerabilities in accordance with the following guidelines. Activities conducted in good faith and in accordance with these rules will be considered authorized under this Program.

  • Act in good faith and avoid actions that could reasonably cause harm to Capital Group, our clients, our employees, or our systems. 
  • Do not intentionally disrupt, degrade, or deny availability of Capital Group services, systems, or assets. 
  • Comply with all applicable local, state, national, and international laws and regulations, including those governing the locations where systems or data reside, where network traffic is routed, and where research activities are performed. 
  • Do not access, store, modify, share, or destroy Capital Group or client data. If you inadvertently encounter Personally Identifiable Information (PII) or other sensitive data, immediately stop testing, securely delete any such data from your systems, and promptly notify Capital Group. 
  • Do not initiate or attempt any unauthorized or fraudulent financial transactions, including, but not limited to, insider trading and other transactions that are illegal or not authorized under applicable securities laws. 
  • Do not conduct social engineering activities, including phishing, vishing, smishing, or pretexting. 
  • Only interact with accounts you own or for which you have explicit authorization from the account holder. 
  • If a vulnerability provides unintended access to data or systems beyond what is necessary to demonstrate the issue, immediately cease testing and submit a report.
  • Report suspected or confirmed vulnerabilities as soon as reasonably possible and allow Capital Group a reasonable period of time to investigate and remediate the issue. 
  • Keep all details of discovered vulnerabilities confidential and do not disclose them publicly or to third parties without Capital Group’s prior written consent.

Safe Harbor

Testing activities conducted in accordance with this Program are protected by Safe Harbor. Capital Group will not pursue legal action against individuals who engage in security research that is conducted in good faith, complies with these guidelines and applicable laws, and is reported responsibly through this Program. If a third party initiates legal action against you in connection with activities conducted under this Program, Capital Group will take reasonable steps to make it known that your actions were conducted in compliance with Capital Group’s Vulnerability Disclosure Program.


In operating this Program, Capital Group does not waive any rights it may have by not exercising, or by delaying the exercise of, such rights. Capital Group reserves all legal rights and remedies available at law or in equity in the event of noncompliance with these guidelines, including the right to seek injunctive relief, specific performance, or other appropriate equitable remedies.


Thank you for helping us protect Capital Group, our clients, and our data. If you are uncertain whether your intended activity aligns with these guidelines, please submit a report to Capital Group before proceeding.

Report a Vulnerability

Capital Group uses HackerOne to triage and validate vulnerability reports made pursuant to our Responsible Disclosure Program. Please submit your report via HackerOne's website.


If you are unable to submit a report via HackerOne, you may send us an email at responsibledisclosure@capgroup.com.