Are you a security researcher and did you find vulnerabilities in our systems? If so, we would like to cooperate with you. So we can resolve these vulnerabilities before they can be exploited by attackers.
Every day, specialists at Rabobank are working hard on improving our systems and processes. By doing this, data from our clients is protected and the availability of our services are secured.
This does not mean that our systems are always flawless and free of vulnerabilities, that’s why we would like to cooperate with security researchers who are able to find those vulnerabilities.
You can submit reports regarding security issues on Rabobank services. If you have found a security issue of vulnerability, please report this as soon as possible. Examples are;
Testing on subdomains that are neither explicitly in scope nor out of scope isn't encouraged, but if you can find a vulnerability with business impact on such a subdomain please report it. We normally close sufficiently clear reports as Informative so there will be no negative effect on your reputation score if we decide that it's out of scope. However, remember that Rabobank subdomains that are running third party services are strictly out of scope.
This policy is not meant for:
Rabobank provides domain registration for trusted third parties and subsidiaries. This means domains which are not part of any Rabobank services could have WHOIS information related to the Rabobank and/or use the name servers of Rabobank. Most of these domains are out of scope. We understand that the distinction can be hard so we evaluate them case by case.
We will not reward trivial or non-exploitable bugs. Examples below include known issues and accepted risks:
In addition to the list of exclusions, we are aware that services provided by third parties may contain vulnerabilities (Whether they are available on a Rabobank domain or not). We highly recommend to verify if they allow security researchers to assess their assets and report potential issues to the service provider.
During your research it is possible you are committing actions that are in breach of law. If you act in good faith and as per set rules of engagement then there is no reason for Rabobank to report this with Law Enforcement. Please follow the rules as noted in this responsible disclosure policy and do not act in an irresponsible manner.
Describe the issue as explicit and detailed as possible and provide any evidence you might have. You can take into account that the notification will be received by specialists.
Particularly include the following in your report:
A team of security experts will verify your submission and respond as soon as possible. Please give them the opportunity in time to investigate (and resolve) the issue appropriately.
Rabobank highly appreciates your effort in assisting us in optimizing our systems and processes. Therefore in most circumstances, you are eligible for a suitable monetary award. We reserve the ultimate decision over a monetary award -whether to give one and in what amount- is a decision that lies entirely within our discretion.
We will not reward when:
In accordance with our commitment to privacy and data protection, we do not automatically collect any personal information unless it is explicitly requested and for a specific reason. This approach is in line with our practice of encouraging all reports to be made through a service provider, which only shares a handle and public information from the reported profiles.
If you choose to provide personal information, we may request the following details for follow-up purposes:
However, please note that you have the option to report anonymously if you prefer not to disclose any personal information.
Your personal information is only used to approach you and undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission. Unless the law requires us to provide your personal information or when an external organization takes over the investigation of your reported vulnerability. In this case, we will ensure that the applicable authority will treat your personal information confidentially. We will remain responsible for your personal information.
Any information you receive or collect about Rabobank or any Rabobank user through the Responsible Disclosure program must be kept confidential and only used in connection with the Responsible Disclosure program. You may not use, disclose or distribute any of this information, including, but not limited to, any information regarding your submission and information you obtain when researching the Rabobank sites and/or mobile apps, without Rabobank’s prior written consent.
We advise you to take into account that regulations with regard to Responsible Disclosure differ per country. In case you are living abroad and have found vulnerabilities in one of our Rabobank pages, please realize that the Responsible Disclosure policy is not applicable in every country. This implies that despite you acted in accordance with Rabobank's Responsible Disclosure policy, it might still be that you will be prosecuted by justice, despite the fact that we do not report the vulnerability to justice.