Skip to content

En español |  AARP is committed to maintaining the security of our systems and our members' information. If you discover a security vulnerability in one of our applications, we respectfully request that you disclose your findings to us in a responsible manner. We value your contribution and are committed to handling your disclosure in a responsible manner and in accordance with our Vulnerability Disclosure submission guidelines below.* Thank you in advance for your submission; we appreciate researchers assisting us in our security efforts.

*This disclosure program is limited to security vulnerabilities in web applications owned by AARP. AARP does not provide monetary rewards for bug submissions.

All vulnerabilities affecting AARP should be reported via email to the AARP Team via vulnerabilitydisclosure@aarp.org.

Vulnerability Disclosure Submission Guidelines

When disclosing potential vulnerabilities to AARP, we ask that you report them in accordance with the following vulnerability disclosure guidelines:

  • Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
  • Provide details with reproducible steps in the report.
  • Do not include the following details in your report:
  • We may modify the terms of this policy or terminate the policy at any time.

Do NOT:

  • Engage any actions that could disrupt, expose any AARP web services
  • Engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity
  • Access, acquire, remove, download, or modify data residing in an account that does not belong to you;
  • Destroy or corrupt, or attempt to destroy or corrupt, data or information that does not belong to you;
  • Execute or attempt to execute any “Denial of Service” attack;
  • Post, transmit, upload, link to, send, or store any malicious software;
  • Test in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages or degrade the operation of any AARP properties;
  • Test third-party applications, websites, or services that integrate with or link to AARP properties; nor
  • Exploit any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists.

By Submitting a Report:

  • You represent you are not located in or a resident of a country under United States sanctions, nor a person on, or working on behalf of a party identified on, any restricted party list maintained by the United States government.
  • You consent to your information being stored and transferred to the United States and acknowledge you have read and accepted the terms of this policy
  • You agree not to disclose vulnerability details to anyone other than AARP without AARP’s written permission unless required by law.
  • You agree that any AARP information that you may encounter, view, acquire, or access, is owned by AARP or its customers, clients, or third-party providers. You have no rights, title, or ownership in any such information.

Scope: We reserve the right to determine whether to accept a report.

The following services are subject to the vulnerability disclosure program at this time:

No Limitation of Liability to Third-Parties

AARP values the identification of potential security vulnerabilities and does not intend to take action against good faith researches who report such vulnerabilities lawfully and in compliance with this policy.  However, we are not able to make such a representation on behalf of any third-party.  Notably, to the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of any non-AARP entity, or personal data of AARP employees, customers, suppliers or any other third party, such non- AARP entity or person may independently determine whether to pursue legal action or remedies related to such activities.