Reporting security vulnerabilities
It is very important to us that our systems are secure. If you discover a vulnerability in any of our systems, please help us by reporting it to us so that we can improve the safety and reliability of our systems together.
Our specialists will start dealing with your report immediately and send you an initial reply as soon as possible. We will ask you to treat your findings confidentially while our investigation is ongoing.
What type of vulnerabilities should you report?
These are the types of vulnerabilities you can report:
- Remote Code Execution: giving a command to allow complete access to a network system or server
- Cross Site Scripting (XSS): injecting malicious scripts into websites and programmes
- Cross Site Request Forgery (CSRF): tricking a user to grant an online request
- SQL injection: changing and accessing database information that cannot normally be viewed by website users
- Vulnerabilities relating to encryption: preventing access to data by encrypting it with a key or code
- Unauthorised access to data: sharing data without having been given permission to do so
How to report a vulnerability
If you have discovered a vulnerability, please do not use it. Also, do not tell anyone else about it.
Please wait while information is being loaded
- Make sure that you do not cause any damage to our systems
- Make sure you do not interrupt our online services
- Do not use social engineering (such as allowing other persons to share confidential data) to gain access to our systems
- Never publicise any SVB data or client data you may have found
- Do not put a backdoor in the system, not even for the purpose of showing the vulnerability
- Never change or remove any data in the system
- Do not copy any more data than is strictly necessary
- Do not try to access the system more than once
- Do not tell anyone else how to access the system
- Do not keep trying different passwords in order to access the system (brute-force tactics)
We will only use your personal details to work on the problem you have reported. We will never give your personal details to anyone else without your permission, except where we are obliged to do so by law. If we need to ask another company to help us with our investigation, we always ensure that they keep your details confidential too.
You do not need to report the following vulnerabilities:
- A suspected vulnerability for which there is no clear evidence
- Vulnerabilities found on the websites of organisations that are no longer part of the SVB
- Our policy on the presence or absence of methods to check the authenticity of emails, such as SPF, DKIM or DMARC records
- Cross Site Request Forgery (CSRF) vulnerabilities on static pages (only on pages you get after logging in)
- Redirection from an insecure page (HTTP) to a secure page (HTTPS)
- The fact that we do not use HTTP Strict Transport Security (HSTS), a security system to protect against attacks
- Getting site visitors to click on something that is not what they wanted (click jacking)
- The lack of an option to load windows in pages other than log-in pages: X-Frame-Options
- Possible old versions of a server or programme (from an external supplier) without evidence to show that these versions are vulnerable
- Reports on insecure SSL protocols or TLS protocols and other faulty settings
- Distributed Denial of Service (DDoS) attacks: attempts to limit or block clients from accessing a computer, computer network or service
- Spamming techniques, such as sending out emails in large quantities
- Social Engineering techniques, such as getting people to share confidential information
- Reports of ordinary scans, such as port scanners
- Sending complaints about our products or services
- Questions or complaints about the accessibility of our websites
- Reporting problems concerning payments
- Reporting fraud or suspected fraud
- Reporting fake emails or phishing emails
We would like you to report any vulnerabilities you discover to us. We may also be able to reward you for this. The amount you can receive depends on:
- the seriousness of the problem
- the website concerned: is it a static information website or an online SVB website?
- the quality of your report
If your report is crucial to us maintaining the trust of our clients, the reward will be higher. We will not pay a reward if there is evidence of misuse.