Reporting vulnerabilities

At Yolt, the safety of internet banking and the continuity of our online services are our top priorities. Our specialists work day and night to optimize our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present.

Do you have the skills and have you discovered any vulnerabilities in our systems? Please help by reporting these vulnerabilities to us, so that we can improve the safety and reliability of our systems together.

A team of security experts will investigate your report. You will receive an e-mail with an initial reply within two working days. However, there may be a delay in responding due to workload or holidays.

You may NOT use this program for the following:

  • Undisclosed (0-day) vulnerabilities in components or services of one of our partners or suppliers; report these directly to the third party/vendor instead. If you report a vulnerability in such a component or service, the security team may forward your report on a best-effort basis, but it will not be eligible for a reward from Yolt
  • Complaints about Yolt's services or products: please contact customer care instead
  • Questions and complaints about the availability of Yolt websites, mobile banking or internet banking: please contact customer care instead
  • Monetary issues: please contact customer care instead
  • Fraud or suspected fraud: please refer to https://www.yolt.com/faqs/reporting-fraud
  • Fake or phishing e-mails: these can be reported to security@yolt.com, but are excluded from the responsible disclosure (RD) program and rewards
  • Malware: can be reported to security@yolt.com, but is excluded from the RD program and rewards
  • Questions about the Responsible Disclosure Program rules: can be sent to security@yolt.com, but are not vulnerability reports and are excluded from the RD program and rewards

Rules of engagement

Please respect the following program rules before reporting a vulnerability:

  • Make sure that during your and our investigation of your reported vulnerability, you do not cause any damage to our systems
  • Do not utilize social engineering in order to gain access to our IT systems
  • Never let your investigation disrupt our online and other services
  • Never publicize any bank or customer data that you may have found during your investigation
  • Do not put a backdoor in the system, not even for the purpose of showing the vulnerability. Inserting a backdoor will cause even more damage to the safety of our systems
  • Do not change or delete any data in the system. If your finding requires you to copy data from the system, do not copy more than necessary: if one record is sufficient to demonstrate the issue, do not copy any more
  • Do not make any changes to the system
  • Do not penetrate the system any further than required for the purpose of your investigation. If you have successfully gained access to the system, do not share that access with anyone else
  • Do not utilize any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
  • Do not use techniques that can affect the availability of our online and other services
  • If your reported vulnerabilities have been solved or have resulted in a change in our services, you will be eligible for a reward
  • If your reported vulnerability has also been reported by others, the reward will be granted to the individual who first reported it
  • Vulnerabilities detected by Yolt employees or former employees of Yolt are excluded from any rewards
  • Multiple reports for the same vulnerability type with minor differences will be treated as one report (only one submission will be rewarded)
  • Rewards will be declined if we find evidence of abuse
  • Going public with your finding before we have fixed it will exclude you from a reward. Instead, please talk to our experts and give them time to assess and solve the problem

International law and regulations

Responsible Disclosure regulations may differ by country. We strongly advise you to take these regulations into account. Your investigation of our IT systems could be regarded as criminal under local or international law and you may then risk criminal prosecution. If you have detected vulnerabilities in one of our Yolt pages or apps, please be aware that local law takes precedence over Yolt rules. Nevertheless, if you act in good faith and according to Yolt’s rules, we will not report your actions to the authorities, unless required to do so by law.

Your privacy and Payout Procedure

We will only use your personal information to get in contact with you and to undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless we are required to do so by law, or if an external organisation takes over the investigation of your reported vulnerability. In that case, we will make sure that the relevant authority treats your personal information confidentially and in line with regulations.

If your report is eligible for a reward, we will supply you with Amazon vouchers as a token of our appreciation. European and American anti-terrorism and anti-money-laundering regulations prohibit us from making monetary payouts to third-party accounts (e.g. PayPal, bitcoin, cash, cheques) without thorough customer due-diligence background checks, and also prohibit transactions to entities and countries on the respective sanctions lists. Therefore, to protect your privacy and to meet our legal obligations, we provide Amazon vouchers only.

Reporting a vulnerability

You can report a vulnerability by sending an e-mail to: security@yolt.com. Reports sent by e-mail must be encrypted with our public PGP key: use the key published here, or obtain it yourself from any well-known PGP keyserver using the fingerprint 0xf26d26b580a482c16424182a2fd69cc31af505de. Note that this 40-hex-digit value is the key's full fingerprint, not a short key ID; after importing a key from a keyserver, check that its fingerprint matches this value exactly before encrypting anything to it, since short key IDs can be forged.
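As an added example, not tooling from Yolt or from this page, the following POSIX shell script fetches the key by the fingerprint given above, refuses to use anything shorter than a full 40-digit fingerprint, checks that the imported key's primary fingerprint matches before trusting it, and encrypts a report file to it. It assumes `gpg` (GnuPG 2.x) is installed and uses keys.openpgp.org as the keyserver; the page does not name a keyserver, so that choice is an assumption.

```shell
#!/bin/sh
# Added example (not Yolt's own tooling): fetch the reporting key, verify its
# full fingerprint, and encrypt a report to it.
set -eu

# Fingerprint as given on the page. 40 hex digits = a full OpenPGP v4 fingerprint.
YOLT_FPR="0xf26d26b580a482c16424182a2fd69cc31af505de"

# Assumption: keyserver not named on the page.
KEYSERVER="hkps://keys.openpgp.org"

# normalize_fpr: strip a leading 0x, drop spaces, uppercase, so the value can
# be compared byte-for-byte with the "fpr" records of gpg --with-colons.
normalize_fpr() {
    printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/ //g' | tr 'a-f' 'A-F'
}

# is_full_fingerprint: true only for a complete 40-hex-digit fingerprint.
# Short (8-digit) and long (16-digit) key IDs can collide or be forged, so a
# reporter should never pin the vendor key by anything shorter.
is_full_fingerprint() {
    printf '%s' "$(normalize_fpr "$1")" | grep -qxE '[0-9A-F]{40}'
}

# fetch_key: import the key from the keyserver by its full fingerprint.
fetch_key() {
    is_full_fingerprint "$1" || { echo "refusing to fetch by short key ID" >&2; return 1; }
    gpg --keyserver "$KEYSERVER" --recv-keys "$(normalize_fpr "$1")"
}

# verify_key: succeed only if the imported key's primary fingerprint equals the
# expected one. The first "fpr" record in --with-colons output is the primary key.
verify_key() {
    expected=$(normalize_fpr "$1")
    gpg --with-colons --fingerprint "$expected" 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}' \
        | grep -qx "$expected"
}

# encrypt_report: write an ASCII-armoured ciphertext the reporter can attach or
# paste into the e-mail body. --trust-model always suppresses the web-of-trust
# prompt because the fingerprint has already been verified by verify_key.
encrypt_report() {
    report="$1"; out="$2"
    gpg --armor --trust-model always --encrypt \
        --recipient "$(normalize_fpr "$YOLT_FPR")" --output "$out" "$report"
}

# Usage: ./encrypt_report.sh --run report.txt   (network access required)
if [ "${1:-}" = "--run" ]; then
    fetch_key "$YOLT_FPR"
    verify_key "$YOLT_FPR" || { echo "fingerprint mismatch, aborting" >&2; exit 1; }
    encrypt_report "${2:?report file}" "${2}.asc"
    echo "encrypted report written to ${2}.asc"
fi
```

The fingerprint check is the part that matters: a keyserver returns whatever key someone uploaded under that address, so the value on this page, not the keyserver, is the trust anchor.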

Please write your report in a clear and concise way, including the following in particular:

  • The steps you took to reproduce the issue
  • The full URL, or the application name and version
  • The objects involved (e.g. filters or input fields)
  • Evidence / proof of concept / how to reproduce (video or screenshots if possible)
  • The risk and exploitability of the issue
  • A suggested fix is highly encouraged but not required

What to report

Examples of vulnerabilities that are in scope:

  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • SQL injection
  • Object (de)serialization vulnerabilities
  • Encryption and other cryptographic vulnerabilities
  • Authentication bypass and unauthorized data access

Excluded from reporting

Any report that does not include properly described evidence (proof of concept) of possible exploitation, and in particular:

  • Vulnerabilities found on sites of organisations that are no longer part of Yolt
  • Our policies on the presence or absence of SPF/DKIM/DMARC records
  • Cross-Site Request Forgery (CSRF) on static or unauthenticated pages (CSRF is in scope only on pages behind login)
  • Redirection from HTTP to HTTPS
  • HTML that does not specify a charset
  • HTML that uses an unrecognized charset
  • Cookies without the HttpOnly flag set
  • Absence of HTTP Strict Transport Security (HSTS)
  • Absent or incomplete Content Security Policy (CSP) headers
  • Clickjacking or missing X-Frame-Options on pages not behind login
  • Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
  • User enumeration on sites that do not provide money transfer capabilities
  • Disclosure of server or third-party application versions, including possibly outdated ones, without a proof of concept exploiting them
  • Reports of insecure SSL/TLS ciphers and other TLS misconfigurations
  • Generic vulnerabilities in software or protocols not under Yolt's control
  • Distributed Denial of Service attacks
  • Spam or social engineering techniques
  • Output of routine security scanners (e.g. port scanners or Nessus) without a demonstrated vulnerability

Reward

We encourage you to report vulnerabilities to Yolt, and you may receive a reward. However, no rights can be derived from the information on this page. The amount of the reward depends on the severity of the vulnerability, the type of website or app concerned (static information sites versus online banking sites and apps) and the quality of the report we receive. If the report is of great value for the continuity and reliability of Yolt, the reward will be considerably higher.