Corporate - Header - Legal notice

Vulnerability Disclosure Policy

We consider the security of our customers to be one of our top priorities. That is why we design products and services of the highest possible quality and reliability. Despite our efforts to implement the best possible security measures, vulnerabilities may still exist in our products, services and systems.

This document describes the Amundi Group's policy for receiving reports on potential security vulnerabilities in its products and services.

Everyone is encouraged to report any vulnerabilities they identify, regardless of the type of service or product. Researchers, partners, CERTS, customers or any other source are welcome to report vulnerabilities.

How to report a potential security vulnerability?

For all vulnerability reports, please fill in the form: https://amundivdp.vulnerability-disclosure.com

In order to improve the handling and identification of the vulnerability, please include as much information as possible. Please do not include any personal data in your reports, other than the information necessary to contact you.

The processing is intended solely for the purpose of reporting security vulnerabilities in our services. It is not technical support information about our services. Any content other than that specific to security vulnerabilities in our services will not be processed.

Processing of your report

Following your report, our teams will analyse its content in order to validate the vulnerability as quickly as possible. The Amundi Group will then engage in dialogue to discuss the issues identified and inform you of the progress of our analysis.

Furthermore, no remuneration is provided under this programme, even if the vulnerability is confirmed. For security reasons, vulnerabilities and their resolution will not be published.

The Amundi Group remains the sole judge of the classification of the vulnerability and the resulting risk categorisation. The handling and resolution time for vulnerabilities remain at the discretion of the Amundi Group.

Disclosure requirements

By submitting your vulnerability report to Amundi, you are required to:

  • Comply with applicable laws
  • Not carry out denial-of-service or resource exhaustion attacks
  • Use Amundi systems for no purpose other than to harm the Group, its customers, its employees or third parties (partners, service providers, etc.)
  • Not use, distribute, modify or delete any data that you may access by exploiting the vulnerability
  • Not engage in social engineering, spam or phishing attacks against Amundi employees, third parties or customers
  • Not test the physical security of Amundi's property, third parties or customers
  • Not disclose information relating to this disclosure, the reported vulnerability or the fact that a vulnerability has been reported to Amundi

The Amundi Group undertakes not to take legal action against reporting parties who submit reports in accordance with the rules.

Reporting a vulnerability does not give you any intellectual property rights over assets belonging to the Amundi Group or any of its third parties.

All aspects of this process are subject to change without notice, as well as to exceptions on a case-by-case basis.

The Amundi Group appreciates the efforts made by the reporter to identify the vulnerability. We thank you for your contribution to improving the security of our products and systems and the Internet community as a whole.

Get in touch with us

Our online help service is available to answer your question.

My personal information

If you have a question about our company or one of our products, please complete the form to get in touch. Please do not mention your account numbers or critical data in this form.

Civility*

(*) Required fields
All our job offers (Permanent and temporary position, Internship, Apprenticeship or VIE) are available on our dedicated website: https://jobs.amundi.com.

Register and apply directly online.