Introduction of the program
The purpose of this program is to establish collaboration with security researchers in order to perform security tests against tbi bank Group environment. Its goals are:
to determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or sensitive data;
to confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation are in place.
The scope of this policy covers all assets of tbi bank EAD, tbi bank EAD Sofia – Branch Bucharest, tbi money IFN S.A. (Romania) and tbi leasing S.A. (Romania). The program covers a mixed environment, including all systems, applications, web services, APIs, mobile applications and all other targets that form part of the bank's infrastructure.
tbi does not grant permission or authorization (implied or explicit) to any individual or group of individuals to extract personal information or content belonging to any user, to publicize such information on the open, public-facing internet without the user's consent, or to modify or corrupt programs or data belonging to tbi.
tbi will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this program.
Please do the following when participating in the bug bounty program:
Provide your IP address in the bug report. We will keep this data private and use it only to review logs related to your testing activity.
Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:
A header that includes your username: X-Bug-Bounty:HackerOne-
A header that includes a unique or identifiable flag X-Bug-Bounty:ID-
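The two identifiers above (the declared IP address and the X-Bug-Bounty header) exist so that the bank can pick a researcher's traffic out of ordinary access logs. The following is an added illustration, not part of tbi's policy or tooling, of how that review might be done on the defender's side: it parses a constructed log format in which the web server records the X-Bug-Bounty header value as the last field, groups tagged requests by researcher, and flags two situations worth a second look (requests from a declared IP that carry no header, and tagged requests from an IP nobody declared). The log format, IP addresses and header values are all constructed for the example.

```python
"""Added example (not tbi's own code): correlate bug-bounty traffic in web
server logs using the researcher's declared IP and the X-Bug-Bounty header
value they reported. Log format and all values below are constructed."""
import re
from collections import defaultdict

# Constructed sample log lines: client IP, request line, status code, then the
# value of the X-Bug-Bounty request header (or "-" when the header is absent).
# A real deployment would emit this via the web server's custom log format.
SAMPLE_LOG = """\
203.0.113.10 "GET /login HTTP/1.1" 200 "HackerOne-alice"
203.0.113.10 "POST /api/transfer HTTP/1.1" 403 "HackerOne-alice"
198.51.100.7 "GET /admin HTTP/1.1" 401 "ID-7f3a"
203.0.113.10 "GET /robots.txt HTTP/1.1" 200 "-"
192.0.2.55 "GET /login HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<tag>[^"]*)"$'
)


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def group_by_researcher(entries):
    """Requests carrying an X-Bug-Bounty header, keyed by the header value."""
    groups = defaultdict(list)
    for e in entries:
        if e["tag"] != "-":
            groups[e["tag"]].append(e)
    return dict(groups)


def untagged_from_declared_ips(entries, declared_ips):
    """Requests from a declared researcher IP that lack the header. These may
    be tester traffic that bypassed the proxy header rule, or unrelated use."""
    return [e for e in entries if e["ip"] in declared_ips and e["tag"] == "-"]


def unknown_tagged_ips(entries, declared_ips):
    """IPs that sent tagged requests but were never declared in a report."""
    return sorted({e["ip"] for e in entries
                   if e["tag"] != "-" and e["ip"] not in declared_ips})


if __name__ == "__main__":
    # Constructed: the IP a researcher reported alongside their submission.
    declared = {"203.0.113.10"}
    entries = parse_log(SAMPLE_LOG)
    for tag, reqs in group_by_researcher(entries).items():
        print(tag, [r["req"] for r in reqs])
    print("untagged from declared IPs:",
          [e["req"] for e in untagged_from_declared_ips(entries, declared)])
    print("tagged from undeclared IPs:", unknown_tagged_ips(entries, declared))
```

Running the script groups the two "HackerOne-alice" requests together, lists the robots.txt request as untagged traffic from the declared IP, and reports 198.51.100.7 as a tagged source that no submission declared; in practice both flagged lists are what the triage team would ask the researcher about before attributing activity to them.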
When testing for a bug, please also keep in mind:
• Read: cat /proc/1/maps
• Write: touch /root/
• Execute: id, hostname, pwd (though, technically cat and touch also prove execution)
Responsible Disclosure of Vulnerabilities
We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 120 days of being triaged.
To encourage the reporting of vulnerabilities to tbi, we urge you to send us any vulnerabilities you detect; you might be rewarded for your efforts. Rewards are granted entirely at the discretion of tbi, and the amount depends on the severity of the vulnerability reported, the type of website concerned (static information sites versus online banking sites) and the quality of the report we receive.
You will be eligible for a bounty only if you are the first person to disclose a previously unknown issue.
At tbi's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, tbi may pay less for vulnerabilities that require complex or over-complicated interactions, or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations.
Rewards will be declined if we find evidence of abuse.
Out of Scope
The following issues are considered out of scope:
Issues that resolve to third-party services
Issues that do not affect the latest version of modern browsers
Issues that we are already aware of or have been previously reported
Issues that require unlikely user interaction
Disclosure of information that does not present a significant risk
Cross-site Request Forgery with minimal security impact
Incomplete or missing SPF/DKIM
General best practice concerns
Attention!
Please read the full Bug Bounty program policy in the attached file carefully; there you will find all the details regarding your potential cooperation, the report requirements, criminal liability, confidentiality and other important, well-defined terms.
If you have any questions, please write us at: email@example.com