At GarantiBank International N.V. ("GBI"), we attach particular importance to the security of online banking and the continuity of our online services. This is why we follow international security guidelines to protect and maintain our IT systems. Despite our efforts to optimize our systems and processes, it is possible that security weaknesses may still exist. Should you find a vulnerability in our IT systems or on our websites, we would appreciate it if you would notify us so that we can improve the security and reliability of our IT system.
What can you report?
If you have discovered a vulnerability in the security of our system, we ask that you report it to us as soon as possible. Examples of vulnerabilities are:
- Cross Site Scripting (XSS) vulnerabilities
- SQL injection vulnerabilities
- Weaknesses in encryption
- Remote Code Execution
- Cross Site Request Forgery (CSRF) vulnerabilities
- Circumvention of authentication, unauthorized access to data
How can you report vulnerabilities?
You can report a vulnerability via the email address firstname.lastname@example.org. Make sure your email is encrypted with a PGP key to prevent your email from falling into the wrong hands. Provide a clear, concise description in your report:
- The steps you have taken
- The full URL
- Any objects involved (such as filters and input fields)
- Proof or reproduction of steps (video or screenshot if possible)
- A description of the risk or vulnerability identified
Our specialists will deal with your report immediately and take action. We may contact you to discuss the findings of your investigation.
What is email@example.com not for?
Do not use the email address to report the following:
- Complaints about GarantiBank International N.V.'s products, services, websites or internet banking facilities.
- Financial issues
- Fraud or suspected fraud
- Fake or phishing emails
Observe the following rules before reporting a vulnerability. Please note that your activities when investigating our IT systems may be perceived as criminal activity and may be punishable. If you have discovered a vulnerability in our IT system, local law takes precedence over these rules of GBI. However, if you act in good faith and comply with GBI rules, we will not report your activities to the authorities unless we are required to do so by law. The Public Prosecutor's Office will decide whether you will be prosecuted regardless of whether we report your violation to the authorities. Therefore, the GBI cannot promise that you will not be prosecuted if you commit an offense while investigating a vulnerability.
The National Cyber Security Centre (NCSC) (www.ncsc.nl) of the Ministry of Security and Justice has drawn up guidelines for reporting vulnerabilities in IT systems. Our rules are based on these guidelines.
Proceed responsibly and with the utmost care and prudence. Only use methods or techniques that are reasonably necessary to detect or demonstrate a vulnerability. In doing so, follow the rules below:
- Make sure that you do not cause any damage to our systems during your investigation.
- Do not upload or install backdoors into the system, not even to demonstrate the vulnerability of the system. Installing a backdoor will cause further damage to our system.
- Do not modify or delete any data in the system. Do not copy more data than is necessary if you need to copy data, and do not make more copies if one copy is sufficient.
- Do not make any changes to the system.
- Do not share your access with others when you have entered the system.
- Do not use brute-force techniques, such as entering usernames and passwords repeatedly.
- Do not use techniques that adversely affect system availability.
- Do not use social engineering techniques to gain access to our system.
- Never disclose any bank or customer information you have found during your research.
- Never disclose a vulnerability you discovered in our IT system or online services. Consult with our specialists and give us time to solve the problem.
- Always ensure that our online or other services are not disrupted by your investigation.
We only use your personal data to take action in response to your report. Unless we are legally obliged to do so, we will not pass on your personal data to others without your express consent.