Responsible Disclosures

Security disclosures for professionals

Security Disclosure Policy

The Royal Bank of Scotland’s dedicated team of security professionals works vigilantly to help keep customer information secure, and we recognise the important role that security researchers and our customers also play.

Security Disclosure Submission Terms

We run an amnesty for security researchers who, in good faith, identify vulnerabilities in our online systems.

A Security Disclosure is something you want to tell us about which impacts the confidentiality, integrity, or availability of bank or customer data or systems.

If you have identified a potential vulnerability you can email us after reading the Security Disclosure Submission Terms, which contain all the information you need to be aware of before making a submission.

If you discover or submit a vulnerability you should:

Not break any laws.

Make the Security Disclosure voluntarily.

Be aged 16 or over, unless you have a Parent or Guardian’s permission.

Staff or their family members should follow the published internal process.

Important information

We want to hear from you if you discover a site, application or system with a vulnerability on:

rbs.com

rbsdigital.co.uk

*.rbs.co.uk

including these IP ranges:

155.136.22.0/24

155.136.19.0/24
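Before touching a host it is worth checking it against the published scope mechanically rather than by eye, because wildcard entries, bare domain entries and CIDR ranges each match differently. The following is an added example written for this page, not code from the bank; it encodes the scope exactly as listed above and makes three assumptions that the policy does not state: an entry without a wildcard (rbs.com, rbsdigital.co.uk) is treated as that exact host only, *.rbs.co.uk is treated as covering subdomains but not the apex, and no DNS resolution is performed (a name that resolves into a listed range is not inferred to be in scope). Anything that falls into one of those grey areas is reported as ambiguous so you can confirm it with the bank before testing.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Scope copied from the policy text; how to interpret it is this example's assumption.
EXACT_HOSTS = {"rbs.com", "rbsdigital.co.uk"}      # listed without a wildcard
WILDCARD_SUFFIXES = {"rbs.co.uk"}                    # listed as *.rbs.co.uk
NETWORKS = [ipaddress.ip_network(n) for n in ("155.136.22.0/24", "155.136.19.0/24")]

IN_SCOPE, OUT_OF_SCOPE, AMBIGUOUS = "in-scope", "out-of-scope", "ambiguous"


def normalise_host(target: str) -> str:
    """Accept a bare host, host:port, IP literal or full URL; return the lowercase host."""
    if "://" not in target:
        target = "//" + target  # urlsplit only parses a netloc after a scheme or '//'
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def classify(target: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a candidate target against the published scope."""
    host = normalise_host(target)
    if not host:
        return OUT_OF_SCOPE, "could not parse a hostname"

    # IP literals: only the two listed /24 ranges count.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in NETWORKS:
            if addr in net:
                return IN_SCOPE, f"{addr} is within listed range {net}"
        return OUT_OF_SCOPE, f"{addr} is not within a listed range"

    # Hostnames: exact entries first, then the wildcard.
    if host in EXACT_HOSTS:
        return IN_SCOPE, f"{host} is listed explicitly"
    for suffix in WILDCARD_SUFFIXES:
        # The leading dot matters: 'evilrbs.co.uk' must not match '*.rbs.co.uk'.
        if host.endswith("." + suffix):
            return IN_SCOPE, f"{host} matches *.{suffix}"
        if host == suffix:
            return AMBIGUOUS, f"{host} is the apex of *.{suffix}; the wildcard may not cover it"
    for exact in EXACT_HOSTS:
        if host.endswith("." + exact):
            return AMBIGUOUS, f"{host} is a subdomain of {exact}, which is listed without a wildcard"
    return OUT_OF_SCOPE, f"{host} matches nothing in the published scope"


if __name__ == "__main__":
    # Constructed sample targets, chosen to exercise each branch above.
    for candidate in (
        "https://www.rbs.co.uk/login",
        "rbs.co.uk",
        "www.rbs.com",
        "rbsdigital.co.uk:443",
        "evilrbs.co.uk",
        "155.136.19.200",
        "155.136.20.1",
    ):
        verdict, reason = classify(candidate)
        print(f"{candidate:32} {verdict:13} {reason}")
```

The ambiguous verdicts are the useful ones: the policy's out-of-scope list already says most test, UAT, lab and staging environments are excluded, so a subdomain that merely shares a listed suffix is not automatically fair game.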

Do:

Act in a responsible way

Provide complete details so we have maximum opportunity to resolve any issues

Assume penetration testing experts will be reviewing your submission

For common vulnerability types, there is no need to explain the problem or its impact; just tell us where it lies.

For esoteric or very new issues, fully explain the problem.

Cite references or sources

Don’t:

Put any Customer or Royal Bank of Scotland data at risk, degrade any of our systems’ performance, or conduct any type of denial of service attack.

If our security operations centre identifies such activity, it will be treated as an attack and not as a Security Disclosure submission. We may take action against any attack, including reporting it to the police.

We want as much information as possible from you so that we can validate and fix any potential vulnerability quickly. Please include:

A description of the vulnerability, including exploitability and impact if it is not a common attack type

Steps required to exploit the vulnerability, including the URL(s)/application(s) affected, any prior conditions required (for example, logged in, not logged in, previous actions) and how to demonstrate the problem

IPs used when the vulnerability was discovered

If the issue is post-authentication, the user ID used when the vulnerability was discovered

A Proof of Concept

Names of any files uploaded to our systems

If you do not include everything in this list, this could delay or prevent us from validating and fixing the vulnerability. Responses to Low/Informational issues will be de-prioritised. Save all your logs as we will ask you to make them available to us.

We won’t respond to or analyse submissions covering:

Vulnerabilities dependent upon social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials)

Denial of service (DoS)

Self-XSS (user-defined payload)

Vulnerabilities which require a jailbroken mobile device

Most vulnerabilities within identified test, UAT, lab, bankofapis or staging environments

Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers, including Internet Explorer versions prior to version 8

Vulnerabilities involving active content such as web browser add-ons

Disclosure of public information or information that does not present risk to us or our customers (for example, web server type disclosure)

Vulnerabilities contingent on a client system previously being compromised

We may highlight anyone who has made a submission which has significantly helped us keep our customers safe and secure. We will always ask for your consent before doing this.

Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about us or any Royal Bank of Scotland user as part of your research prior to making a Security Disclosure submission, as detailed in this Policy and these Terms, must therefore be kept confidential and only used in connection with the Security Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.
