Responsible Disclosure Rules for reporting vulnerabilities in our IT systems
At Garantibank International N.V. (“GBI”), we consider the safety of internet banking and the continuity of our online services as one of our top priorities and follow international security best practices to protect and maintain our IT systems. Despite our efforts to optimize our systems and processes, vulnerabilities may still be present. If you should identify a vulnerability in our IT systems or on our web sites, we would appreciate if you inform us about this security vulnerability so that we can improve the safety and reliability of our IT system.
What you can report?
If you have discovered a security vulnerability in our system, please report it as to us as soon as possible. Examples for security vulnerabilities are:
- Cross-site scripting (XSS) vulnerabilities
- SQL injection vulnerabilities
- Encryption weaknesses
- Remote Code Execution
- Cross Site Request Forgery (CSRF)
- Authentication bypass, unauthorized data access vulnerabilities
How to report?
A vulnerability can be reported by e-mail; firstname.lastname@example.org. Please ensure your email is encrypted by using this PGP key to prevent unauthorized users from accessing the information. Please write your report in a clear and concise manner, including:
- The steps you took;
- The entire URL
- Objects (as filters or entry fields) possibly involved
- Evidence, proof of concept, how to reproduce (video or screenshots if possible)
- A description of the discovered risk or vulnerability
Our specialists will review your report and take action immediately. You may be contacted to discuss the findings of your investigation.
What is email@example.com not used for?
The following items are excluded from reporting for the purposes of these Responsible Disclosure Rules:
- Reporting complaints about GarantiBank International N.V.’s products, services, web sites or internet banking
- Reporting monetary issues
- Reporting Fraud or suspicion of Fraud
- Reporting malware
- Reporting fake or phishing emails
Responsible Disclosure Rules
Please respect these rules before reporting vulnerability. Please note that your investigation of our IT systems could be regarded as criminal activity and may be punishable by law. If you have discovered a vulnerability in our IT system, you should be aware that local law takes precedence over the Responsible Disclosure Rules of GBI. Notwithstanding the foregoing, if you act in good faith and observe GBI’s rules, we will not report your actions to the authorities unless required to do so by law. It is important for you to know, that the public prosecutor’s office will decide whether or not you will be prosecuted, regardless of whether we report your offence to the authorities. Therefore, GBI cannot promise you will not be prosecuted, if you commit a punishable offence while investigating a vulnerability.
The National Cyber Security Centre (www.ncsc.nl) of the Ministry of Security and Justice has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.
Act responsibly and with extreme care and caution. Only use methods or techniques that are reasonably necessary in order to detect or demonstrate a vulnerability. Please follow the rules mentioned below:
- Ensure that you do not cause any damage to our systems during your investigation
- Do not upload or install any backdoors in the system, not even to demonstrate the vulnerability of a system. Inserting a backdoor will cause further damage to our system.
- Do not alter or delete any data in the system. If you need to copy information do not copy more data than necessary and if one record is sufficient do not make any other copies.
- Do not alter the system in any way.
- In case of penetration, do not share gained access with others.
- Do not use brute force techniques such as entering repeated usernames/passwords
- Do not use techniques having adverse effect to availability of the systems
- Do not use social engineering techniques to gain access to our system.
- Never publicize any bank or customer data that you may have found during your investigation.
- Never publicize any vulnerability discovered in our IT system or online services. Consult with our specialists and give us time to solve the problem.
- Never let your investigation, disrupt our online or other services.
We will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission unless otherwise required to do so by law.