Submission Process
Security vulnerabilities should be submitted to Delta, in the form of an encrypted written report with an encryption key, as follows:
Please send an email to our team at ResponsibleDisclosure@delta.com. Encrypt your message and any supporting attachments using Delta’s Vulnerability Disclosure PGP key, which you can download. When reporting a potential vulnerability, please include a detailed summary and supporting information (see list below) to assist us in understanding and reproducing the security vulnerability.
- Type and class of vulnerability (XSS, buffer overflow, RCE, etc.)
- Step-by-step instructions to reproduce the vulnerability
- Proof-of-concept or exploit code
- Potential impact of the vulnerability
Although not required for the submission, if you have information regarding a solution for the security vulnerability, please share your proposed solution with us.
When Delta receives a report, we will send an acknowledgement to the sender within 5 business days and may follow up with the sender as necessary to understand the security vulnerability. After the security vulnerability is verified or confirmed, Delta will send a follow-up reply to the sender.
We thank the researcher community in advance for their cooperation and support.
Vulnerability Disclosure Guidelines
Prior to beginning any research efforts on Delta Assets, please make sure you read these Vulnerability Disclosure Guidelines in their entirety. At all times during any research undertaken, Delta expects that (i) you will not exploit any potential security vulnerability for any reason, including for financial or reputational gain, (ii) you will not download or collect any proprietary or customer information, (iii) you will not degrade system security or performance, (iv) you will not generate fictional accounts or information and (v) you will at all times keep security vulnerability information that you may discover confidential and private, revealing it to Delta following Delta’s specified submission process. In addition, researchers shall disclose potential security vulnerabilities concerning Delta Assets in accordance with the following guidelines:
- You are expected to engage in security research responsibly and take only the steps necessary to demonstrate to us any security vulnerability identified by you.
- All research activities regarding the Delta Assets must be conducted consistent with Delta’s Terms of Use. Do not take any steps in violation of Delta’s Terms of Use while conducting research activities to identify any potential security vulnerability concerning the Delta Assets.
- You are required to conduct all research activities in accordance with applicable law, including: (a) U.S. federal or state, or international laws and regulations; and (b) the laws and regulations of any country where: (i) the Delta Assets reside; (ii) our data is routed; (iii) the research activity is being conducted; or (iv) where data subjects reside.
- Do not engage in any activity that could potentially: (i) degrade the performance of or cause operational impact to the Delta Assets; (ii) compromise the safety, security or privacy of our customers or employees or any personal information maintained by Delta about any individual; or (iii) otherwise impact the confidentiality, integrity or availability of Delta’s systems or information.
- Do not collect or download any proprietary or customer information from the Delta Assets, including personally identifiable information, and do not view, modify or destroy the same. If you discover any such information, you should immediately stop your activities, report the issue to us and permanently delete any data that you may have viewed from your systems.
- Keep security vulnerability reports private and confidential and refrain from disclosing them to any third parties until we address the issue. In return, we will diligently review your reports and respond to you in a timely manner as outlined in this policy. Delta will not negotiate in response to a threat of releasing the security vulnerability to the public.
- Do not upload any security vulnerability or Delta proprietary information, including customer information, to third-party utilities, such as GitHub, Dropbox, YouTube, etc.
- Do not request compensation from Delta, including SkyMiles. Delta will not offer any rewards in exchange for your cooperation.
Delta reserves all legal rights in the event of your noncompliance with these guidelines, including the right to pursue legal action for your engagement in any out-of-scope activities. Nothing in these guidelines is intended or shall be deemed or construed, in any way, to waive, alter, or impair any of the rights or remedies to which Delta is entitled under applicable law.
Out-of-Scope Activities
The following activities are considered out-of-scope activities and should be avoided by security researchers to prevent any legal action:
- Exploitation of any security vulnerability that you identify.
- Engaging in social engineering or phishing of Delta employees, customers or business partners, including sending fake emails or using fake login pages for the purpose of collecting login credentials.
- Misappropriation of login credentials.
- Denial of Service (DoS) testing.
- Testing of third-party services or applications that interface with the Delta Assets.
- Generating fraudulent financial transactions.
- Attempting to misappropriate cookies.
- Any testing related to aircraft or ground support equipment.