Reporting vulnerabilities

At Yolt, the safety of internet banking and the continuity of our online services are our top priorities. Our specialists work day and night to optimize our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present.

Do you have the skills and have you discovered any vulnerabilities in our systems? Please help by reporting these vulnerabilities to us, so that we can improve the safety and reliability of our systems together.

A team of security experts will investigate your findings. You will receive an e-mail with an initial reply within two working days. However, there may be a delay in responding due to workload or holidays.

Please note: going public with your finding before we have fixed it will exclude you from a reward. Instead, please talk to our experts and give them time to assess and solve the problem.

You may NOT use this program for the following
Reporting complaints about Yolt’s services or products
Questions and complaints about the availability of Yolt websites, mobile banking or internet banking
Reporting monetary issues
Reporting Fraud or the presumption of fraud
Reporting fake e-mails or phishing e-mails
Reporting malware

Responsible Disclosure Program Rules
Please respect the following program rules before reporting a vulnerability:

Make sure that during your and our investigation of your reported vulnerability, you do not cause any damage to our systems
Do not utilize social engineering in order to gain access to our IT systems
Never let your investigation disrupt our online and other services
Never publicize any bank or customer data that you may have found during your investigation
Do not put a backdoor in the system, not even for the purpose of showing the vulnerability. Inserting a backdoor will cause even more damage to the safety of our systems
Do not make any changes to or delete data from the system. If your finding requires you to copy the data from the system, do not copy more data than necessary. If one record is sufficient, do not copy any more
Do not make any changes to the system
Do not attempt to penetrate the system any further than required for the purpose of your investigation. Should you have successfully penetrated the system, do not share this gained access with any others
Do not utilize any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
Do not use techniques that can affect the availability of our online and other services
If your reported vulnerabilities have been solved or have resulted in a change in our services, you will be eligible for a reward
Vulnerabilities detected by Yolt employees or former employees of Yolt are excluded from any rewards
If your reported vulnerability has also been reported by others, the reward will be granted to the individual who first reported it
Multiple reports for the same vulnerability type with minor differences will be treated as one report (only one submission will be rewarded)
If you are eligible for a reward, we will require your personal information to provide you with the reward
Rewards will be declined if we find evidence of abuse

International law and regulations
Responsible Disclosure regulations may differ by country. We strongly advise you to take these regulations into account. Your investigation of our IT systems could be regarded as criminal under local or international law and you may then risk criminal prosecution. If you have detected vulnerabilities in one of our Yolt pages, please be aware that local law takes precedence over Yolt rules. Nevertheless, if you act in good faith and according to Yolt’s rules, we will not report your actions to the authorities, unless required to do so by law.

Your privacy
We will only use your personal information to get in contact with you and to undertake actions with regard to your reported vulnerability. We will not distribute your personal information to third parties without your permission, unless we are required to do so by law, or if an external organisation takes over the investigation of your reported vulnerability. In that case, we will make sure that the relevant authority treats your personal information confidentially.

Reporting a vulnerability
You can report a vulnerability by sending an e-mail to: security@yolt.com. E-mails to this address must be encrypted with our public PGP key: use this public PGP key, or obtain key-id 0xf26d26b580a482c16424182a2fd69cc31af505de yourself from any well-known keyserver.

Please write your report in a clear and concise way, including the following in particular:

The steps you undertook
The entire URL
Objects (as filters or entry fields) possibly involved
Evidence / Proof of Concept / how to reproduce (video, screenshots if possible)
Risk or exploitability
Offering a solution is highly encouraged but not required

Our specialists will read your report and start working on it right away.

What to report
Examples of vulnerabilities could be:

Remote code execution
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
SQL injection
Encryption vulnerabilities
Authentication bypass, unauthorized data access

Excluded from reporting
All reported vulnerabilities without properly described evidence or proof of possible exploitation
Vulnerabilities found on sites of organisations that are no longer part of Yolt
Our policies on presence or absence of SPF/DKIM/DMARC records
Cross-site request forgery (CSRF) vulnerabilities on static pages (CSRF is in scope only on pages behind logon)
Redirection from HTTP to HTTPS
HTML does not specify charset
HTML uses unrecognized charset
Cookie without HttpOnly flag set
Absence of using HTTP Strict Transport Security (HSTS)
Absent or incomplete Content Security Policy headers (CSP)
Clickjacking or the non-existence of X-Frame-Options on non-logon pages
Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
User enumeration on sites that do not provide money transfer capabilities
Server or third-party application version disclosure, even if the version is possibly outdated, without a proof of concept of its exploitation
Reports of insecure SSL/TLS ciphers and other misconfigurations
Generic vulnerabilities related to software or protocols not under control of Yolt
Distributed Denial of Service Attacks
Spam or Social Engineering techniques
Reports from routine scans (e.g. port scanners)

Reward
We encourage you to report any vulnerability you detect to Yolt. As mentioned, you may receive a reward. The amount of the reward depends on the severity of the vulnerability reported, the type of website concerned (static information sites versus online banking sites) and the quality of the report we receive. If the report is of great value for the continuity and reliability of Yolt, the reward will be considerably higher.