Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.
- Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue.
- If sensitive information--such as personal information, credentials, etc.--is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to TBI Bank and may not be retained.
- Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to TBI Bank brands or its users. This includes social engineering, phishing, physical security and denial of service attacks against users, employees.
- Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized employees), or otherwise share vulnerabilities with a third party, without TBI express written permission.
TBI is not giving permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of any users or publicize this information on the open, public-facing internet without user consent or modify or corrupt programs or data belonging to TBI.
TBI will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this program.
Please do the following when participating in bug bounty program:
- Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
- Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:
o A header that includes your username: X-Bug-Bounty:HackerOne-<username>
o A header that includes a unique or identifiable flag X-Bug-Bounty:ID-<sha256-flag>
When testing for a bug, please also keep in mind:
- Only use authorized accounts so as not to inadvertently compromise the privacy of our users
- When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:
o Read: cat /proc/1/maps
o Write: touch /root/<your H1 username>
o Execute: id, hostname, pwd (though, technically cat and touch also prove execution)
- Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.
- Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.
Responsible Disclosure of Vulnerabilities
We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 120 days of being triaged.
To encourage reporting vulnerabilities to TBI, we would urge you to send any vulnerabilities you detect to us and you might get rewarded for your efforts. Rewards are granted entirely at the discretion of TBI and the amount depends on the severity of the vulnerability reported, the type of website (static information sites versus online banking sites) concerned and the quality of the report we receive.
You will be eligible for a bounty only if you are the first person to disclose an unknown issue.
At TBI discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, TBI may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations.
Rewards will be declined if we find evidence of abuse.
Out of Scope
The following issues are considered out of scope:
- Those that resolve to third-party services
- Issues that do not affect the latest version of modern browsers
- Issues that we are already aware of or have been previously reported
- Issues that require unlikely user interaction
- Disclosure of information that does not present a significant risk
- Cross-site Request Forgery with minimal security impact
- CSV injection
- Incomplete or missing SPF/DKIM
- General best practice concerns
Please, read carefully the full Bug Bounty program policy in the attached file, where you will find all the details regarding your potential cooperation, the report requirements, criminal liability, confidentiality, and other well-defined important details.
If you have any questions, please write us at: firstname.lastname@example.org