At Yolt, the safety of internet banking and the continuity of our online services are our top priorities. Our specialists work day and night to optimize our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present.
Do you have the skills and have you discovered any vulnerabilities in our systems? Please help by reporting these vulnerabilities to us, so that we can improve the safety and reliability of our systems together.
A team of security experts will investigate your finding(s). You will receive an e-mail with an initial reply within two working days. However, there may be a delay in responding due to workload or holidays.
Please note: going public with your finding before we have fixed it will exclude you from a reward. Instead, please talk to our experts and give them time to assess and solve the problem.
You may NOT use this program for the following:
- Reporting complaints about Yolt’s services or products
- Questions and complaints about the availability of Yolt websites, mobile banking or internet banking
- Reporting monetary issues
- Reporting Fraud or the presumption of fraud
- Reporting fake e-mails or phishing e-mails
- Reporting malware
Responsible Disclosure Program Rules
Please respect the following program rules before reporting a vulnerability:
- Make sure that during your and our investigation of your reported vulnerability, you do not cause any damage to our systems
- Do not utilize social engineering in order to gain access to our IT systems
- Never let your investigation disrupt our online and other services
- Never publicize any bank or customer data that you may have found during your investigation
- Do not put a backdoor in the system, not even for the purpose of showing the vulnerability. Inserting a backdoor will cause even more damage to the safety of our systems
- Do not make any changes to or delete data from the system. If your finding requires you to copy the data from the system, do not copy more data than necessary. If one record is sufficient, do not copy any more
- Do not make any changes to the system
- Do not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, do not share this gained access with any others
- Do not utilize any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
- Do not use techniques that can affect the availability of our online and other services
- If your reported vulnerabilities have been solved or have resulted in a change in our services, you will be eligible for a reward
- Vulnerabilities detected by Yolt employees or former employees of Yolt are excluded from any rewards
- If your reported vulnerability has also been reported by others, the reward will be granted to the individual who first reported it
- Multiple reports for the same vulnerability type with minor differences will be treated as one report (only one submission will be rewarded)
- If you are eligible for a reward, we will require your personal information to provide you with the reward
- Rewards will be declined if we find evidence of abuse
International law and regulations
Responsible Disclosure regulations may differ by country. We strongly advise you to take these regulations into account. Your investigation of our IT systems could be regarded as criminal under local or international law and you may then risk criminal prosecution. If you have detected vulnerabilities in one of our Yolt pages, please be aware that local law takes precedence over Yolt rules. Nevertheless, if you act in good faith and according to Yolt’s rules, we will not report your actions to the authorities, unless required to do so by law.
We will only use your personal information to get in contact with you and to undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless we are required to do so by law, or if an external organisation takes over the investigation of your reported vulnerability. In that case, we will make sure that the relevant authority treats your personal information confidentially.
Reporting a vulnerability
You can report a vulnerability by sending an e-mail to: firstname.lastname@example.org. A prerequisite for sending an e-mail to the above-mentioned e-mail address is that you use this public PGP key, or obtain key-id 0xf26d26b580a482c16424182a2fd69cc31af505de yourself from any well-known keyserver.
Please write your report in a clear and concise way, including the following in particular:
- The steps you undertook
- The entire URL
- Objects (as filters or entry fields) possibly involved
- Evidence / Proof of Concept / how to reproduce (video, screenshots if possible)
- Risk or exploitability
- Offering a solution is highly encouraged but not required
Our specialists will read your report and start working on it right away.
What to report
Examples of vulnerabilities could be:
- Remote code execution
- Cross-site scripting (XSS)
- Cross Site Request Forgery (CSRF)
- Server Side Request Forgery (SSRF)
- SQL injection
- Encryption vulnerabilities
- Authentication bypass, unauthorized data access
Excluded from reporting
- All reported vulnerabilities without properly described evidence or proof of possible exploitation
- Vulnerabilities found on sites of organisations that are no longer part of Yolt
- Our policies on presence or absence of SPF/DKIM/DMARC records
- Cross Site Request Forgery (CSRF) vulnerabilities on static pages (CSRF is only in scope on pages behind logon)
- Redirection from HTTP to HTTPS
- HTML does not specify charset
- HTML uses unrecognized charset
- Cookie without HttpOnly flag set
- Absence of using HTTP Strict Transport Security (HSTS)
- Absent or incomplete Content Security Policy headers (CSP)
- Clickjacking or the non-existence of X-Frame-Options on non-logon pages
- Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
- User enumeration on sites that do not provide money transfer capabilities
- Server or third-party application version revealed and possibly outdated, without a Proof of Concept of its exploitation
- Reports of insecure SSL/TLS ciphers and other misconfigurations
- Generic vulnerabilities related to software or protocols not under control of Yolt
- Distributed Denial of Service Attacks
- Spam or Social Engineering techniques
- Reports from routine scans, such as port scanners
To encourage reporting vulnerabilities to Yolt, we would urge you to send any vulnerabilities you detect to us. As mentioned, you may receive a reward. The amount of the reward depends on the severity of the vulnerability reported, the type of website (static information sites versus online banking sites) concerned and the quality of the report we receive. If the report is of great value for the continuity and reliability of Yolt, the reward will be considerably higher.