Air Canada’s Vulnerability Disclosure Program

No technology is perfect, and at Air Canada we aim to monitor and resolve any issues detected within our network. We’re committed to our customers’ information privacy and strive to always provide safe digital experiences across our website and apps.

If you have discovered a security vulnerability in any of our services, we’d like to hear from you. Fill out the form below to report a suspected vulnerability to the Air Canada Cyber Security team. Once your submission has been reviewed and validated, our representatives will contact you.

What to consider when reporting a vulnerability

For our customers’ protection, we need to make sure that any reporting is done responsibly. We therefore reserve the right to take any action, including legal action, if the guidelines below are not followed:

  • Do not compromise the privacy or safety of our customers.
  • Do not perform testing on aircraft or aircraft systems such as inflight entertainment or inflight Wi-Fi.
  • Do not interrupt or degrade our services.
  • Do not initiate fraudulent transactions.
  • Do not modify or access data that doesn't belong to you.
  • Provide enough detail to reproduce and validate the vulnerability, including targets, steps, tools, and artifacts.
  • If you are using third-party tools to detect, report, or reproduce the vulnerability, please let us know so that we can ensure the intellectual property rights of third parties are respected.
  • Allow a reasonable amount of time for Air Canada to address the vulnerability before requesting an update or taking further action.

Scope

Testing is only authorized on the targets listed as in scope. Any domain/property of Air Canada not listed in the targets section is out of scope.

In-scope

*.aircanada.com – Website testing

Air Canada App for iOS – Mobile testing

Air Canada App for Android – Mobile testing

Out-of-scope

  • Previously reported vulnerabilities
  • Vulnerabilities on inflight Wi-Fi, entertainment systems, or avionics
  • Accessible non-sensitive files and directories (for example: README.TXT, CHANGES.TXT, robots.txt, .gitignore, etc.)
  • Social engineering/phishing attacks
  • Self XSS
  • Text injection
  • Email spoofing (including lack of SPF, DKIM, From: spoofing, and visually similar and related issues)
  • Descriptive error messages (for example: stack traces, application or server errors, path disclosure)
  • Clickjacking and issues only exploitable through clickjacking
  • CSRF issues that don't impact the integrity of an account (for example: login or logout, contact forms and other publicly accessible forms)
  • Lack of Secure and HttpOnly cookie flags
  • Missing HTTP security headers
  • TLS/SSL issues, including BEAST, BREACH, insecure renegotiation, weak cipher suites, and expired certificates
  • Out-of-date software

Third-party bugs

If vulnerabilities submitted through the form below affect a third-party library, external project, or another vendor, Air Canada reserves the right to forward the details of the vulnerability to the third party without further discussion with you. By submitting a vulnerability for our review, you agree to disclosure of the vulnerability to, and to be contacted by, any third parties involved in our sites.

*This form is currently available in English only.