Responsible Disclosure

January 2020, version 1.0

Introduction

Are you a security researcher and did you find vulnerabilities in our systems? If so, we would like to cooperate with you to resolve these vulnerabilities before they can be exploited by attackers. Every day, specialists at Rabobank are working hard on improving our systems and processes. By doing this, data from our clients is protected and the availability of our services is secured. This does not mean that our systems are always flawless and free of vulnerabilities; that’s why we would like to cooperate with security researchers who are able to find those vulnerabilities.

In Scope

You can submit reports regarding security issues on Rabobank services. If you have found a security issue or vulnerability, please report this as soon as possible. Examples are:

  • Remote Code Execution
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection
  • Encryption vulnerabilities
  • Authentication bypasses and unauthorized data access

Out of Scope

This policy is not meant for:

  • Complaints about the service offerings of Rabobank
  • Complaints or questions about the availability of our services
  • Reporting fraud or suspicions of fraud, fake e-mails or phishing e-mails
  • Issues considering ATMs (unless they are vulnerabilities)
  • Reporting of viruses or malware

For these types of issues you can find more information on this page and report phishing e-mails to valse-email@rabobank.nl

  • Absence of certificate pinning
  • Any kind of sensitive data stored in the app’s private directory
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Application crashes due to malformed URL schemes
  • Crashes due to malformed Intents sent to an exported Activity/Service/BroadcastReceiver
  • Exposure of non-sensitive data on the device
  • Lack of binary protection
  • Lack of exploit mitigations
  • Lack of obfuscation
  • Pasteboard leakage
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on the device or on external storage
  • Vulnerabilities in third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Vulnerabilities requiring a rooted, jailbroken or otherwise modified device

Third-Party domains

Rabobank provides domain registration for trusted third parties and subsidiaries. This means domains which are not part of any Rabobank service could have WHOIS information related to Rabobank and/or use the name servers of Rabobank. Most of these domains are out of scope. We understand that the distinction can be hard, so we evaluate them case by case.

Exclusions

We will not reward trivial or non-exploitable bugs. Examples below include known issues and accepted risks:

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages
  • Fingerprinting / version banner disclosure on common/public services
  • Disclosure of known public files, directories or non-sensitive information (e.g. robots.txt)
  • Clickjacking and issues only exploitable through clickjacking
  • Logout Cross-Site Request Forgery (Logout CSRF)
  • Presence of application or web browser “autocomplete” or “save password” functionality
  • Lack of Secure/HTTPOnly flags on non-sensitive cookies
  • Weak CAPTCHA or CAPTCHA bypasses
  • Forgot Password page brute force and account lockout not being enforced
  • OPTIONS HTTP method enabled
  • Username/e-mail enumeration through brute force attempts via:
    1. Login Page error message
    2. Forgot Password error message
  • Anything related to HTTP security headers, e.g.:
    1. Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    2. And others like those mentioned on this page
  • SSL Configuration issues:
    1. SSL Attacks that are not remotely exploitable
    2. SSL Forward secrecy not enabled
    3. SSL weak / insecure cipher suites
  • Missing HTTP Public Key Pinning (HPKP)
  • SPF, DKIM, DMARC issues
  • Host Header Injection
  • Content Spoofing/Text Injection on 404 pages
  • Reporting older version of any software without proof of concept or working exploit
  • Information Leakage in Metadata
  • Missing DNSSEC
  • Expired or inactive domains (domain takeovers)
  • Same Site Scripting / localhost DNS record

Rules of Engagement

During your research it is possible that you commit actions that are in breach of the law. If you act in good faith and as per the rules of engagement set out here, then there is no reason for Rabobank to report this to Law Enforcement. Please follow the rules as noted in this responsible disclosure policy and do not act in an irresponsible manner.

  • We request you not to publish your report, but to share it with our experts and provide them with the time to resolve the issue. We will let you know how we will handle the report, whether or not we will address it and when
  • Ensure that during your and our investigation of the reported vulnerability, you do not cause any damage
  • Do not utilize social engineering in order to gain access to our IT Systems
  • Your investigation should never disrupt our (online) services
  • Your investigation should never lead to the publicity of bank or customer data
  • Do not place backdoors in systems, not even for the purpose of demonstrating the vulnerability. Creating a backdoor damages the safety of the system even further
  • Do not apply any changes or delete data in the system. In case your finding requires a copy of data from the system, do not copy more than your investigation requires: if one record is sufficient, do not copy more
  • When submitting a report, please do not include any personal information you may have obtained from our systems, e.g. blur names/e-mail addresses in your screenshots or redact the contents of server responses before submitting this information to our program
  • Do not make any changes in the system
  • Do not attempt to penetrate the system more than required. In case you successfully penetrated the system, do not share gained access with others
  • Do not utilize any brute force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
  • Don’t use techniques that can influence the availability of our (online) services

How should I report an issue?

Describe the issue as explicitly and in as much detail as possible and provide any evidence you might have. You can take into account that the notification will be received by specialists.

Particularly include the following in your report:

  • Which vulnerability
  • The steps you took
  • The entire URL
  • Objects (as filters or entry fields) possibly involved
  • Screen prints are highly appreciated

We can only accept reports that are sent in either the Dutch or English language. You can send us an e-mail where you briefly describe the issue: Responsible-disclosure@rabobank.nl

We encourage you to send the e-mail encrypted. Please use the PGP key (zip) located here.

A team of security experts will verify your submission and respond as soon as possible. Please give them the time to investigate (and resolve) the issue appropriately.

Rewards

Rabobank highly appreciates your effort in assisting us in optimizing our systems and processes. Therefore, in most circumstances you are eligible for a suitable monetary award. The ultimate decision over a monetary award, whether to give one and in what amount, lies entirely within our discretion.

We will not reward when:

  • The issue was already reported. In that case, only the first reporter will be rewarded
  • You are living in a country that’s on a sanction list
  • The issue is already known
  • The rules are not respected

Privacy

For follow-up, we will ask for your contact details, such as:

  • Name
  • E-mail
  • PGP-Key
  • Phone number

unless you choose to report anonymously.

Your personal information is only used to contact you and undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless the law requires us to provide your personal information or an external organization takes over the investigation of your reported vulnerability. In that case we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.

Confidentiality

Any information you receive or collect about Rabobank or any Rabobank user through the Responsible Disclosure program must be kept confidential and only used in connection with the Responsible Disclosure program. You may not use, disclose or distribute any of this information, including, but not limited to, any information regarding your submission and information you obtain when researching the Rabobank sites and/or mobile apps, without Rabobank’s prior written consent.

Aberrant international regulation

We advise you to take into account that regulations with regard to Responsible Disclosure differ per country. In case you are living abroad and have found vulnerabilities in one of our Rabobank pages, please realize that the Responsible Disclosure policy is not applicable in every country. This implies that even though you acted in accordance with Rabobank's Responsible Disclosure policy, you might still be prosecuted by the judicial authorities in your country, even though we do not report the vulnerability to them.