Vulnerability Disclosure Program

Protecting the security of our data, systems and services is important to us. However, even with safeguards in place, vulnerabilities can still happen.

That’s why we value the vital role security researchers play in helping us identify and reduce cybersecurity risks.

Help us keep our data and systems safe

If you’ve found a potential security issue that could affect the confidentiality, integrity or availability of our information, systems, or services (which you’re authorised to access or use), please submit a report to our security team.

Please note that this program relates only to the information, systems and services of AA Insurance and doesn’t include any of our partner products or teams.

We also have more information available on how to confirm whether you've received scam communications. Please note that reports of potential scams shouldn’t be made through this program.

How to make a report

If you’ve discovered a potential vulnerability, please contact our cyber security team at vulnerability@aainsurance.co.nz.

To help us understand and address the issue, please include as much detail as possible in your report. We recommend including the following:

  • A brief description of the vulnerability

  • The affected system, service or information, including relevant URLs

  • Your name and contact details (you can stay anonymous or use a pseudonym if you prefer)

  • The date, time, and time zone when the vulnerability was identified

  • The IP address used at the time

  • Clear steps to help us reproduce the vulnerability

If you'd like to encrypt your email, you can download our PGP key.

To protect the privacy and security of our customers, we treat all reports of vulnerabilities as confidential. By submitting a report to us, you agree to refrain from publicly disclosing, discussing, or confirming the details of any suspected security issues until we’ve had the opportunity to address them and confirmed this to you in writing.

What happens next

Once you’ve sent us your report, you’ll get an automated confirmation from us to confirm we’ve received your email.

Our team will carefully review the information you’ve provided. We may get back in touch to request more information to support our investigation, or to provide you with updates. We might also invite you to re-test the vulnerability you’ve identified once we’ve addressed it.

In some cases, we may also use elements of your report in our engagements with our regulatory and government bodies.

We appreciate the valuable contributions of researchers who help us protect our customers by identifying and reporting potential security issues. However, we don’t provide compensation for any reports that are made under this program.

Your privacy

When submitting a report to us, you may be providing us with personal information. By submitting a report to us, you agree to us collecting and using your personal information in accordance with our Privacy Policy.

What isn’t allowed

While we welcome research to help us protect our security, the following are not acceptable or condoned under this program:

  • Gaining access or trying to gain access to accounts or information without proper authorisation

  • Accessing any information, systems or service you’re not ordinarily authorised to access

  • Modifying, deleting or destroying information without permission

  • Sending or trying to send unsanctioned or non-permitted emails or messages

  • Engaging in social engineering, including phishing, against our employees, contractors, customers, or any associated parties

  • Publishing, sending, loading, or sharing malware that could harm our systems, products, or customers

  • Exfiltrating, disclosing, or using any proprietary or classified information (including customer data) without authorisation

  • Clickjacking or other methods of bypassing security

  • Using automated vulnerability assessment tools

  • Physical attacks on our property

  • Exploiting weak or insecure SSL ciphers or certificates

  • Performing or attempting Denial of Service (DoS) attacks

  • Testing vulnerabilities in any applications or websites controlled by our suppliers and distribution network or that are otherwise not controlled by us

  • Engaging in any activity that seeks unauthorised access to our systems or software in violation of the law

We reserve the right to act against individuals engaged in any of the above activities.