Responsible Disclosure

Are you a security researcher and did you find vulnerabilities in our systems? If so, we would like to cooperate with you. So we can resolve these vulnerabilities before they can be exploited by attackers.

Introduction

Every day, specialists at Rabobank are working hard on improving our systems and processes. By doing this, data from our clients is protected and the availability of our services are secured.

This does not mean that our systems are always flawless and free of vulnerabilities, that’s why we would like to cooperate with security researchers who are able to find those vulnerabilities.

You can submit reports regarding security issues on Rabobank services. If you have found a security issue of vulnerability, please report this as soon as possible. Examples are;

Remote Code Execution

Cross-Site Scripting (XSS)

Cross-Site Request Forgery (CSRF)

SQL Injection

Encryption vulnerabilities

Authentication bypasses and unauthorized data access

Testing on subdomains that are neither explicitly in scope nor out of scope isn't encouraged, but if you can find a vulnerability with business impact on such a subdomain please report it. We normally close sufficiently clear reports as Informative so there will be no negative effect on your reputation score if we decide that it's out of scope. However, remember that Rabobank subdomains that are running third party services are strictly out of scope.

We will not reward trivial or non-exploitable bugs. Examples below include known issues and accepted risks:

HTTP 404 codes/pages or other HTTP non-200 codes/pages

Fingerprinting/version on banner disclosure on common/public services

Disclosure of know public files, directories or non-sensitive information (e.g. robots.txt)

Clickjacking and issues only exploitable through clickjacking

Logout Cross-Site-Request Forgery (Logout CSRF)

Presence of application or web browser “autocomplete” or “save password” functionality

Lack of Secure/HTTPOnly flags on non-sensitive cookies

Weak CAPTCHA or CAPTCHA bypasses

Forgot Password page brute force and account lockout not being enforced

OPTIONS HTTP method enabled

Username/e-mail enumeration through brute force attempts via: Login Page error message, Forgot Password error message

Anything related to HTTP security headers, e.g.: Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP, Cache-Control, Pragma. And others like mentioned on OWASP Secure Headers Project | OWASP Foundation

SSL Configuration issues: SSL Attacks that are not remotely exploitable, SSL Forward secrecy not enabled, SSL weak / insecure cipher suites

Missing HTTP Public Key Pinning (HPKP)

SPF, DKIM, DMARC issues

Host Header Injection

Content Spoofing/Text Injection on 404 pages

Reporting older version of any software without proof of concept or working exploit

Information Leakage in Metadata

Missing DNSSEC

Expired or inactive domains (domain takeovers)

Same Site Scripting / localhost DNS record

Self XSS

Issues depending on outdated browser software

Absence of certificate pinning

Any kind of sensitive data stored in app private directory

Any URIs leaked because a malicious app has permission to view opened URIs

Application crashed due to malformed URL schemes

Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceive

Exposure of non-sensitive data on the device

Lack of binary protection

Lack of exploit mitigations

Lack of obfuscation

Pasteboard leakage

Sensitive data in URLs/request bodies when protected by TLS

User data stored unencrypted on the device or on external storage

Vulnerabilities in third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)

Vulnerabilities requiring a rooted, jailbroken or otherwise modified device

In addition to the list of exclusions, we are aware that services provided by third parties may contain vulnerabilities (Whether they are available on a Rabobank domain or not). We highly recommend to verify if they allow security researchers to assess their assets and report potential issues to the service provider.

During your research it is possible you are committing actions that are in breach of law. If you act in good faith and as per set rules of engagement then there is no reason for Rabobank to report this with Law Enforcement. Please follow the rules as noted in this responsible disclosure policy and do not act in an irresponsible manner.

We request you not to publish your report, but share it with our experts and provide them with the time to resolve the issue. We will let you know how we will handle the report, whether or not we will address it and when

Ensure that during your and our investigation of the reported vulnerability, you do not apply any damage

Do not utilize social engineering in order to gain access to our IT Systems

Your investigation should never disrupt our (online) services

Your investigation should never lead to the publicity of bank or customer data

Do not place backdoors in systems. Neither with the purpose to show the vulnerability. Creating a backdoor will bring damage to the safety of the system even more

Do not apply any changes or delete data in the system, In case your finding requires a copy of the data from the system, do not copy more that your investigation requires.

If one record is sufficient, do not copy more

When submitting a report, please do not include any personal information you may have obtained from our systems

E.g. blur names/e-mailaddresses in your screenshots or redact the contents of server responses before submitting this information to our program

Do not make any changes in the system

Do not attempt to penetrate the system more than required. In case you successfully penetrated the system, do not share gained access with others

Do not utilize any brute force techniques (e.g. repeatedly entering passwords) in order to gain access to the system

Don’t use techniques that can influence the availability of our (online) services

Your investigation should be limited to Rabobank assets only

Describe the issue as explicit and detailed as possible and provide any evidence you might have. You can take into account that the notification will be received by specialists.

Particularly include the following in your report:

Which vulnerability

The steps you took

The entire URL

Objects (as filters or entry fields) possibly involved

Screen prints are highly appreciated

If applicable; Raw HTTP requests and responses

Does it involve a data breach (e.g. customer data)

We can only accept reports that are written in English

A team of security experts will verify your submission and respond as soon as possible. Please give them the opportunity in time to investigate (and resolve) the issue appropriately.

Report a vulnerability

Rabobank highly appreciates your effort in assisting us in optimizing our systems and processes. Therefore in most circumstances, you are eligible for a suitable monetary award. We reserve the ultimate decision over a monetary award -whether to give one and in what amount- is a decision that lies entirely within our discretion.

We will not reward when:

The issue was already reported. In that case, only the first reporter will be rewarded

You are living in a country that’s on a sanction list

The issue is already known

The rules are not respected

In accordance with our commitment to privacy and data protection, we do not automatically collect any personal information unless it is explicitly requested and for a specific reason. This approach is in line with our practice of encouraging all reports to be made through a service provider, which only shares a handle and public information from the reported profiles.

If you choose to provide personal information, we may request the following details for follow-up purposes:

Name

Phone number

However, please note that you have the option to report anonymously if you prefer not to disclose any personal information.

Your personal information is only used to approach you and undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission. Unless the law requires us to provide your personal information or when an external organization takes over the investigation of your reported vulnerability. In this case, we will ensure that the applicable authority will treat your personal information confidentially. We will remain responsible for your personal information.

Any information you receive or collect about Rabobank or any Rabobank user through the Responsible Disclosure program must be kept confidential and only used in connection with the Responsible Disclosure program. You may not use, disclose or distribute any of this information, including, but not limited to, any information regarding your submission and information you obtain when researching the Rabobank sites and/or mobile apps, without Rabobank’s prior written consent.

We advise you to take into account that regulations with regard to Responsible Disclosure differ per country. In case you are living abroad and have found vulnerabilities in one of our Rabobank pages, please realize that the Responsible Disclosure policy is not applicable in every country. This implies that despite you acted in accordance with Rabobank's Responsible Disclosure policy, it might still be that you will be prosecuted by justice, despite the fact that we do not report the vulnerability to justice.

Responsible Disclosure

Introduction

In Scope

Out of Scope

Third-Party domains

Exclusions

Mobile apps

Rules of Engagement

How should I report an issue?

Rewards

Privacy

Confidentiality

Aberrant international regulation