Welcome to Amex GBT's Responsible Disclosure Page

By submitting a vulnerability to AMEX GBT through ResponsibleDisclosure.com, you agree to the Terms of Service.

Please review Amex GBT's Vulnerability Disclosure Policy.

Get Started

Responsible Disclosure Policy

ResponsibleDisclosure.com (operated by an independent third party, Synack, on behalf of Amex GBT).

This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.

The details within your request form will be submitted to Synack. If you have reported an issue determined to be within program scope and to be a valid security issue, Synack will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by Synack through their platform, accordingly you must accept the Synack terms of service if you wish to proceed. All queries are to be directed to Synack and managed exclusively through the ResponsibleDisclosure.com online portal.

For a full overview and listing of Amex GBT VDP program scope, please visit the Amex GBT Scope and ROE page. For inquiries on scope or Amex GBT’s Vulnerability Disclosure Policy, please contact amexgbt@responsibledisclosure.com .

Responsible Disclosure Guidelines

Researchers must follow the testing guidelines outlined in Amex GBT's VDP, as well as the guidelines below (excerpted from the Synack ROE page and not covered by Amex GBT VDP).

Adhere to all legal terms and conditions outlined at ResponsibleDisclosure.com
Work directly with ResponsibleDisclosure.com on vulnerability submissions
Provide detailed description of a proof of concept to detail reproduction of vulnerabilities
Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
Do not engage in social engineering or phishing of customers or employees
Do not request compensation for time and materials or vulnerabilities discovered
No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube)
All attack payload data must use professional language
When documenting a vulnerability, if a vulnerability is public, take measures to ensure it does not identify Egencia.

All users of our online services are subject to our Privacy Statement and agree to be bound by our Terms of Service. © 2026 GBT Travel Services UK Limited. American Express and certain associated logos are trademarks of American Express, used in approved formats by GBT Travel Services UK Limited and its authorized sublicensees pursuant to a limited license. American Express holds a minority interest in Global Business Travel Group, Inc. (NYSE: GBTG), which operates as a separate company from American Express.