Security disclosures

for professionals

We want to hear from you if you discover a site, application or system with a vulnerability on:

rbs.com

rbsdigital.co.uk

*.rbs.co.uk

including these IP ranges:

155.136.22.0/24

155.136.19.0/24

Do:

Act in a responsible way

Provide complete details so we have maximum opportunity to resolve any issues

Assume penetration testing experts will be reviewing your submission

Report common vulnerabilities but don’t explain the problem and the impact, just point out where it lies. 

Report esoteric or very new issues and fully explain the problem. 

Cite references or sources

Don’t:

Put any Customer or Royal Bank of Scotland data at risk, degrade any of our system’s performance, or conduct any type of denial of service attack

If our security operations centre identify your actions this will be treated as an attack and not a Security Disclosure submission. We may take action against any attacks, including reporting them to the police. 

We want to get as much information from you so we can validate and fix any potential vulnerability quickly. Please try to provide as much information as possible, including:

A description of the vulnerability including the exploitability and impact if not a common attack type

Steps required to exploit the vulnerability including: URL(s)/application(s) affected Prior conditions required (for example, logged in, not logged in, previous actions ) and how to demonstrate the problem

IPs used when the vulnerability was discovered

If post authentication, the user ID used when the vulnerability was discovered 

A Proof of Concept

Names of any files uploaded to our systems

If you do not include everything in this list, this could delay or prevent us from validating and fixing the vulnerability. Responses to Low/Informational issues will be de-prioritised. Save all your logs as we will ask you to make them available to us.

We won’t respond to or analyse submissions covering:

Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials)

Denial of service (DOS)

Self-XSS (User defined payload)

Vulnerabilities which require a jailbroken mobile device

Most vulnerabilities within identified test, UAT, lab, bankofapis or staging environments

Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers, including Internet Explorer versions prior to version 8

Vulnerabilities involving active content such as web browser add-ons

Disclosure of public information or information that does not present risk to us or our customers (for example, web server type disclosure)

Vulnerabilities contingent on a client system previously being compromised

We may highlight anyone who has made a submission which has significantly helped us keep our customers safe and secure.  We will always ask for your consent before doing this.

Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about us or any Royal Bank of Scotland user as part of your research prior to making a Security Disclosure submission as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Security Disclosure. You may not use, disclose or distribute any such information without our prior written consent.  Any such information should be deleted once your submission has been received.