Responsible Disclosure Policy of Bigbank AS

Version 2.1 2020-06-12

Bigbank AS is a licensed bank and, as such, considers the security of its systems and information to be of the utmost importance. We build security into our products from design to deployment, but no software is 100% secure and vulnerabilities sometimes escape detection.

To improve the security of our services and protect our customers, we are committed to working with security researchers who follow this responsible disclosure policy.

Research Policy

If you act in good faith and follow all the guidelines set out in this document, Bigbank AS will not take any action against you, including bringing a lawsuit against you or reporting you to law enforcement.

However, if our Information Security Unit determines that you have intentionally and in bad faith disregarded the guidelines set out in this document, put our customers' or employees' data at risk, degraded the performance of our systems, or conducted any type of denial-of-service attack, your actions will be treated as an attack rather than a responsible disclosure submission, and we may take action against you, including reporting you to the police.

Scope

We may decide that a finding is an accepted risk and choose not to fix it.

In scope

Web pages, API endpoints and other services owned and operated by Bigbank AS:

  • The following domains: ansokan.bigbank.se, apvieno.bigbank.lv, arilaen.bigbank.ee, auth.bigbank.eu, autopaskola.bigbank.lt, bank-link.bigbank.lt, banking.bigbank.at, banking.bigbank.de, banking.bigbank.ee, banking.bigbank.lt, banking.bigbank.lv, banking.bigbank.nl, banking.bigbank.se, bigbank.at, bigbank.de, bigbank.ee, bigbank.eu, bigbank.fi, bigbank.lt, bigbank.lv, bigbank.nl, bigbank.se, biznesam.bigbank.lv, broker.bigbank.lv, brokers.bigbank.fi, brokers.bigbank.se, ca.bigbank.eu, calculations.bigbank.fi, feedback.bigbank.eu, jobs.bigbank.eu, lainahakemus.bigbank.fi, lizingas.bigbank.lt, loans.bigbank.lv, login.bigbank.eu, paraiska.bigbank.lt, partner-api.bigbank.ee, partneriams.bigbank.lt, partnerid.bigbank.ee, partneriem.bigbank.lv, paskolos.bigbank.lt, refinansavimas.bigbank.lt, taotlus.bigbank.ee, uilab.bigbank.ee, verkkopankki.bigbank.fi, verslui.bigbank.lt

Out of scope

  • The following (sub)domains: staging.bigbank.*, test.bigbank.*, *bigbank.es, COUNTRY_CODE.bigbank.COUNTRY_CODE (e.g. se.bigbank.se)
  • Browser extensions and client-side bugs that only work in outdated browser versions
  • Insecure cookie settings for non-sensitive cookies
  • Disclosure of public information, or of information that does not present a significant risk
  • Third-party domains, platforms and services not operated by Bigbank
  • Social engineering, phishing or physical attacks: only technical systems are in scope
  • Services in our internal network (if you gain access to our internal network, stop testing immediately and report the vulnerability)
  • Our public GitHub
  • EXIF information in images on our sites
  • Components running PHP versions below 7.x (we are aware of these and remediation is in progress)

Focus on

  • Business logic flaws
  • Authentication and authorization flaws, privilege escalation
  • Sensitive data leaks
  • SQL injection (SQLi)
  • Uploading a webshell and gaining backend server access
  • Stored XSS or any other stored modification of our web content
  • Configuration errors

Don’t focus on

  • Rate-limiting issues
  • Clickjacking
  • User enumeration that requires a large number of requests (do report it if you can enumerate users without generating large amounts of traffic)
  • Referer header leaks to our integrated partner services, such as Google Analytics
  • Social engineering
  • Usability issues

Forbidden

  • Automated scans (more than 20 requests per minute) against sites that resolve to 185.235.160.18
  • Denial of service, or overloading a server with many requests or very large requests
  • Accessing or copying our customers' or employees' data

Rewards

  • You are eligible for a reward only if you keep the finding private. Publicly shared findings will not be rewarded.
  • Do not attempt to access or modify customer or employee information other than your own unless you have written, signed permission from the data owner. If you accidentally access such information, stop testing immediately, delete the information from your systems and report the vulnerability.
  • We reward only new findings. A finding previously reported by another researcher is treated as a duplicate and is not rewarded.
  • Our rewards are linked to Bugcrowd VRT severity ratings.
  • For fair play and mutual trust, we use Bugcrowd to verify findings, assign severity, identify duplicates and assign rewards. We do not pay rewards outside of Bugcrowd.

Report a security vulnerability

Please use the form below to report potential security vulnerabilities to the Bigbank Security Team.