Security disclosures for professionals
Security Disclosure Policy
Security Disclosure Submission Terms
We run an amnesty for security researchers who, in good faith, identify vulnerabilities in our online systems.
A Security Disclosure is something you want to tell us about which impacts the confidentiality, integrity, or availability of bank or customer data or systems.
If you have identified a potential vulnerability you can email us after reading the Security Disclosure Submission Terms, which contain all the information you need to be aware of before making a submission.
If you discover or submit a vulnerability you should:
Not break any laws.
Make the Security Disclosure voluntarily.
Be aged 16 or over, unless you have a Parent or Guardian’s permission.
Staff or their family members should follow the published internal process.
We want to hear from you if you discover a site, application or system with a vulnerability on:
including these IP ranges:
Act in a responsible way
Provide complete details so we have maximum opportunity to resolve any issues
Assume penetration testing experts will be reviewing your submission
Report common vulnerabilities without explaining the problem and its impact; just point out where it lies.
Report esoteric or very new issues and fully explain the problem.
Cite references or sources
Put any Customer or Royal Bank of Scotland data at risk, degrade any of our system’s performance, or conduct any type of denial of service attack
If our security operations centre identifies your actions, they will be treated as an attack and not as a Security Disclosure submission. We may take action against any attacks, including reporting them to the police.
We want to get as much information from you as possible so that we can validate and fix any potential vulnerability quickly. Please include as much of the following as you can:
A description of the vulnerability including the exploitability and impact if not a common attack type
Steps required to exploit the vulnerability, including: the URL(s)/application(s) affected; any prior conditions required (for example, logged in, not logged in, previous actions); and how to demonstrate the problem
IPs used when the vulnerability was discovered
If post authentication, the user ID used when the vulnerability was discovered
A Proof of Concept
Names of any files uploaded to our systems
If you do not include everything in this list, this could delay or prevent us from validating and fixing the vulnerability. Responses to Low/Informational issues will be de-prioritised. Save all your logs as we will ask you to make them available to us.
We won’t respond to or analyse submissions covering:
Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials)
Denial of service (DoS)
Self-XSS (User defined payload)
Vulnerabilities which require a jailbroken mobile device
Most vulnerabilities within identified test, UAT, lab, bankofapis or staging environments
Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers, including Internet Explorer versions prior to version 8
Vulnerabilities involving active content such as web browser add-ons
Disclosure of public information or information that does not present risk to us or our customers (for example, web server type disclosure)
Vulnerabilities contingent on a client system previously being compromised
We may highlight anyone who has made a submission which has significantly helped us keep our customers safe and secure. We will always ask for your consent before doing this.
Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about us or any Royal Bank of Scotland user as part of your research prior to making a Security Disclosure submission as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Security Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.
We may change this Security Disclosure Policy and the Security Disclosure Policy Terms from time to time. We may also cancel them and our Security Disclosure programme at any time. We’ll let you know on this page if we do this.