Responsible disclosure

To ensure secure banking for our customers, we are continuously improving our systems and processes to maintain their reliability. If you nevertheless notice a weak spot in one of our IT systems, we would appreciate it if you would report it to us.

Work with us to find a solution

Anyone can make a mistake. We won't deny that this can also happen to us. But if you publicly disclose weaknesses in our IT systems without first consulting with us, this can have serious consequences. Criminals may use your information, for example to commit internet fraud. To prevent this, we would kindly request you to contact us and help us to find a solution. We can then take measures to prevent fraud and system outages.

Reporting weak spots

What you can report

You can report any number of weaknesses in our IT systems. If you spot a weakness, please contact us as soon as possible. For example:

  • Cross-Site Scripting vulnerabilities (e.g. stored, reflected);
  • SQL Injection vulnerabilities;
  • Encryption weaknesses;
  • Remote Code Execution;
  • Authentication Bypass, unauthorized data access;
  • XML External Entity;
  • S3 Bucket Upload;
  • Server-Side Request Forgery.

What will not be accepted

  • "Self" XSS;
  • HTTP Host Header XSS without working proof-of-concept;
  • Incomplete/Missing SPF/DKIM;
  • Social Engineering attacks;
  • Denial of Service attacks.

The rules

Here are the rules for a responsible disclosure:
  1. Be responsible and be careful.
  2. Only use methods that are strictly necessary for finding or pointing out the vulnerabilities.
  3. Ensure that your own systems are kept as well protected as possible.
  4. Use the weaknesses you have identified only for your own investigations and never for any other purpose.
  5. Do not use social engineering or brute-force attacks to gain access to a system.
  6. Do not install a backdoor in a system, even with the intention of demonstrating the vulnerability. A backdoor renders a system even more insecure.
  7. Do not change or delete any details in the system.
  8. Never copy more data than necessary. If a single record is sufficient for your investigations, do not copy any more.
  9. Do not penetrate a system more often than necessary.
  10. Do not share the access you gained with others.

How to report a weak spot

A. Provide the following information in a document of your choice:
  1. What is the domain you are reporting on?
  2. Can you describe the steps you performed?
  3. What are the objects you used (e.g. input fields or filters)?
  4. What is the full URL?
  5. Can you attach a screenshot of the successful action?
  6. What browser and what version did you test it on?
  7. What operating system and version are you using?
  8. What programme, script or code did you use?
  9. What are your first name, last name, e-mail address and telephone number?
B. Encrypt the document with our PGP key (ID 0x576934A2).
C. Send the report to this e-mail address: responsible.disclosure@nl.abnamro.com

What will happen to your report

We will contact you

A team of security experts will investigate your report and will contact you within 2 working days. This may be in relation to the weak spots you identified, how you found these and any subsequent steps.

Important

Stick to the rules

During your investigations, you may carry out actions that are punishable by law. As long as you keep to the rules for reporting weak spots in our IT systems, we will not report you to the police or claim for losses or damage.

Punishable offences

We cannot guarantee that you will never be prosecuted if you commit a punishable offence during the course of your investigations, even if we do not report such an offence. The public prosecutor always has the final say as to whether or not you will be prosecuted. We have no say in this.

Frequently Asked Questions

Will I receive a reward for my report?

Yes, we may reward you for your investigations. However, we are not obliged to do so. You are not automatically entitled to compensation. The amount of any reward is also not fixed in advance and is determined by us. Whether or not we issue a reward, and the amount of any reward, depends on a number of factors, including:
  • the care with which you carry out your investigations;
  • the quality of the information you provide;
  • the amount of loss or damage that the information you provide prevents from being incurred.

May I publicise my findings?

Never publicise your investigations or weak spots in our systems without first discussing this with us. This helps us prevent criminals from misusing your information. Discuss the matter with our security experts and give us time to solve the problem.

Can I submit a report anonymously?

Yes. You do not have to provide your name and contact details when you submit a report. Keep in mind, though, that without your details we will not be able to discuss subsequent steps with you, such as what we are going to do with your report, further collaboration, recognition or any reward.