Responsible Disclosure Policy of Bigbank AS

Version 2.2 2022-06-14

Bigbank AS is a licensed bank and, as such, considers the security of its systems and information to be of utmost importance. We try to build security into our products from design to deployment, but no software is 100% secure and sometimes vulnerabilities escape detection.

To improve the security of our services and customers, we are committed to working with security researchers who follow our responsible disclosure policy.

Research Policy

If you act in good faith and follow all the guidelines set forth in this document, Bigbank AS will not bring any action against you, including bringing a lawsuit against you or reporting to law enforcement.

However, if our Information Security Unit identifies that you intentionally and in bad faith do not follow the guidelines set forth in this document, put our customers' or employees' data at risk, degrade our systems' performance, or conduct any type of denial of service attack, your actions will be treated as an attack rather than a responsible disclosure submission, and we may take action against you, including reporting to the police.

Scope

We may decide that a finding is an accepted risk and choose not to fix it.

In Scope

  • ansokan.bigbank.se
  • apvieno.bigbank.lv
  • arilaen.bigbank.ee
  • auth.bigbank.eu
  • autopaskola.bigbank.lt
  • bank-link.bigbank.lt
  • banking.bigbank.at
  • banking.bigbank.de
  • banking.bigbank.ee
  • banking.bigbank.lt
  • banking.bigbank.lv
  • banking.bigbank.nl
  • banking.bigbank.se
  • bigbank.at
  • bigbank.de
  • bigbank.ee
  • bigbank.eu
  • bigbank.fi
  • bigbank.lt
  • bigbank.lv
  • bigbank.nl
  • bigbank.se
  • biznesam.bigbank.lv
  • broker.bigbank.lv
  • brokers.bigbank.fi
  • brokers.bigbank.se
  • ca.bigbank.eu
  • calculations.bigbank.fi
  • feedback.bigbank.eu
  • jobs.bigbank.eu
  • lainahakemus.bigbank.fi
  • lizingas.bigbank.lt
  • loans.bigbank.lv
  • login.bigbank.eu
  • paraiska.bigbank.lt
  • partner-api.bigbank.ee
  • partneriams.bigbank.lt
  • partnerid.bigbank.ee
  • partneriem.bigbank.lv
  • paskolos.bigbank.lt
  • refinansavimas.bigbank.lt
  • taotlus.bigbank.ee
  • uilab.bigbank.ee
  • verkkopankki.bigbank.fi
  • verslui.bigbank.lt

Out of Scope

  • The following (sub)domains: staging.bigbank.*, test.bigbank.*, *bigbank.es, COUNTRY_CODE.bigbank.COUNTRY_CODE (e.g. se.bigbank.se)
  • Browser extensions and client-side bugs that only work in old browser versions
  • Insecure cookie settings for non-sensitive cookies
  • Disclosure of public information and information that does not present significant risk
  • Third party domains, platforms and services not operated by Bigbank
  • Social engineering, phishing or physical attack - only technical systems are in scope
  • Services in our internal network (if you gain access to our internal network, stop testing immediately and report the vulnerability)
  • Our public GitHub
  • EXIF information in images on our sites
  • Components with PHP version below 7.x (we are aware of those and work is in progress).

Focus On

  • Business logic flaws
  • Authentication and authorization flaws, privilege escalation
  • Sensitive data leaks
  • SQLi
  • Uploading of webshell and getting backend server access
  • Stored XSS or any stored modification of our web
  • Configuration errors

Don't Focus On

  • Rate limiting issues
  • Clickjacking
  • User enumeration that requires a large number of requests (report it if you can enumerate users without generating a large amount of traffic)
  • Referrer header leaks to our integrated partner services like Google Analytics
  • Social engineering
  • Usability issues

Forbidden

  • Performing automated scans (over 20 requests per minute) against sites that resolve to 185.235.160.31
  • DoS, i.e. overloading a server with many requests or with large requests
  • Accessing and copying our customers' or employees' data

Rewards

Currently, no monetary compensation is offered or provided in connection with reporting vulnerabilities. This policy is not intended to encourage hacking attempts against Bigbank information technology infrastructure, but to provide a responsible manner through which vulnerability reports can be communicated and remediated. However, as a sign of appreciation, we list all researchers whose submissions helped us in our Hall of Fame.

Report a Security Vulnerability

Please use the form below to report potential security vulnerabilities to the Bigbank Security Team.

Managed by Bigbank Security Team