Reporting weak spots in IT systems

Responsible disclosure

To ensure secure banking for our customers, we are continuously improving our systems and processes to maintain their reliability. If you nevertheless notice a weak spot in one of our IT systems, we would appreciate it if you would report it to us.

Work with us to find a solution

Anyone can make a mistake. We won't deny that this can also happen to us. However, publicising weak spots in our IT systems without having spoken to us about them first may have serious consequences, however good your intentions are. Criminals might use your information, for example, to commit internet fraud. For this reason, we want to ask you to first report the mistake to us and to work with us to find a solution so that we can prevent fraud or system failures.

Veilig bankieren

Reporting weak spots

 

What you can report

You can report a range of weak spots in our IT systems to us, preferably as soon as possible. These include:

  • cross-site scripting vulnerabilities
  • SQL injection vulnerabilities
  • encryption weaknesses, etc.

How to report a weak spot

  1. Please fill in this form
  2. E-mail it to us
  3. Use this PGP key to encrypt your email

What will happen to your report

 

We will contact you

A team of security experts will investigate your report and will contact you within 2 working days. This may be in relation to the weak spots you identified, how you found these and any subsequent steps.

Your privacy

Your personal data will only be used to undertake further action based on the information you provide in your report. In principle, we will not share your personal data with third parties without your permission.

Important

 

Stick to the rules

During your investigations, you may carry out actions that are punishable by law. As long as you keep to the rules for reporting weak spots in our IT systems, we will not report you to the police or claim for losses or damage.

Punishable offences

We cannot guarantee that you will never be prosecuted if you commit a punishable offence during the course of your investigations, even if we do not report such an offence. The public prosecutor always has the final say as to whether or not you will be prosecuted. We have no say in this.

 

The rules

These rules are based on guidelines developed by the Dutch National Cyber Security Centre, which is part of the Ministry of Justice and Security.

  1. Be responsible and be careful. 
  2. Only use methods that are strictly necessary for finding or pointing out the vulnerabilities.
  3. Ensure that your own systems are kept as well protected as possible.
  4. Use the weaknesses you have identified only for your own investigations and never for any other purpose.
  5. Do not use social engineering or brute-force attacks to gain access to a system.
  6. Do not install a backdoor in a system, even with the intention of demonstrating the vulnerability. A backdoor renders a system even more insecure.
  7. Do not change or delete any details in the system.
  8. Never copy more data than necessary. If a single record is sufficient for your investigations, do not copy any more.
  9. Do not penetrate a system more often than necessary.
  10. and do not share the access you gained with others.

Frequently Asked Questions

Yes, we may reward you for your investigations. However, we are not obliged to do so. You are not automatically entitled to compensation. The amount of any reward is also not fixed in advance and is determined by us. Whether or not we issue a reward and the amount of any reward depends on a number of factors, including:

  • the care with which you carry out your investigations;
  • the quality of the information you provide;
  • the amount of any loss or damage the information you provide prevents from being incurred.

Never publicise your investigations or weak spots in our systems without first discussing this with us. This will help us prevent criminals from misusing your information. Discuss the matter with our security experts and give us time to solve the problem.

Yes. You do not have to provide your name and contact details when you submit a report. Keep in mind, though, that without your details we will not be able to discuss subsequent steps with you, such as what we are going to do with your report, further collaboration, recognition or any reward.