Responsible Disclosures | Royal Bank of Scotland

Responsible Disclosures

Security disclosures for professionals

We value findings from security researchers to help us continuously improve

Follow the policy below to make your submissions.

For Professional Researchers: Security Disclosure Policy

The Royal Bank of Scotland’s dedicated team of security professionals work vigilantly to help keep customer information secure, and we recognise the important role that security researchers and our customers also play. We run an amnesty for security researchers who, in good faith, identify vulnerabilities in our online systems.

A Security Disclosure is something you want to tell us about which impacts the confidentiality, integrity, or availability of bank or customer data or systems.

If you have identified a potential vulnerability you can email us at security.disclosures@rbs.co.uk after reading the Security Disclosure Submission Terms, which contain all the information you need to be aware of before making a submission.

Security Disclosure Submission Terms

If you discover or submit a vulnerability you should:

  • Not break any laws.
  • Make the Security Disclosure voluntarily.
  • Be aged 16 or over, unless you have a Parent or Guardian’s permission.

Staff or their family members should follow the published internal process.

Disclosure Scope

We want to hear from you if you discover a site, application or system with a vulnerability on:

  • rbs.com
  • rbsdigital.co.uk
  • *.rbs.co.uk

including these IP ranges:

  • 155.136.22.0/24
  • 155.136.19.0/24

Do's and Don'ts

Do:

  • Act in a responsible way
  • Provide complete details so we have maximum opportunity to resolve any issues
  • Assume penetration testing experts will be reviewing your submission
  • Report common vulnerabilities but don’t explain the problem and the impact; just point out where it lies.
  • Report esoteric or very new issues and fully explain the problem.
  • Cite references or sources

Don’t:

  • Put any Customer or Royal Bank of Scotland data at risk, degrade the performance of any of our systems, or conduct any type of denial of service attack

If our security operations centre identifies your actions, they will be treated as an attack and not as a Security Disclosure submission. We may take action against any attacks, including reporting them to the police.

What to include in your submission

We want as much information from you as possible so that we can validate and fix any potential vulnerability quickly. Please include:

  • A description of the vulnerability including the exploitability and impact if not a common attack type
  • Steps required to exploit the vulnerability, including:
     - URL(s)/application(s) affected
     - Prior conditions required (for example, logged in, not logged in, previous actions)
     - How to demonstrate the problem
  • IPs used when the vulnerability was discovered
  • If post authentication, the user ID used when the vulnerability was discovered
  • A Proof of Concept
  • Names of any files uploaded to our systems

If you do not include everything in this list, this could delay or prevent us from validating and fixing the vulnerability. Responses to Low/Informational issues will be de-prioritised. Save all your logs as we will ask you to make them available to us.

Submissions we won't respond to

We won’t respond to or analyse submissions covering:

  • Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials)
  • Denial of service (DoS)
  • Self-XSS (User defined payload)
  • Vulnerabilities which require a jailbroken mobile device
  • Most vulnerabilities within identified test, UAT, lab, bankofapis or staging environments
  • Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers, including Internet Explorer versions prior to version 8
  • Vulnerabilities involving active content such as web browser add-ons
  • Disclosure of public information or information that does not present risk to us or our customers (for example, web server type disclosure)
  • Vulnerabilities contingent on a client system previously being compromised

Recognition and thanks

We may highlight anyone who has made a submission which has significantly helped us keep our customers safe and secure. We will always ask for your consent before doing this.

Confidentiality

Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about us or any Royal Bank of Scotland user as part of your research prior to making a Security Disclosure submission as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Security Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.

We may change this Security Disclosure Policy and the Security Disclosure Policy Terms from time to time. We may also cancel them and our Security Disclosure programme at any time. We’ll let you know on this page if we do this.