Bug Bounty

Bug Bounty Program

Find bugs in our websites and platforms and you might get rewarded

The purpose of this program is to establish collaboration with security researchers in order to perform security tests against tbi bank Group environment. Its goals are:

to determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or sensitive data;
to confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation are in place.

Scope of this policy covers all the assets of tbi bank EAD, tbi bank EAD Sofia – Branch Bucharest, tbi money IFN S.A. (Romania), tbi leasing S.A. (Romania). This Program covers mixed environment including all systems, applications, webservices, APIs, mobile and all targets part of the infrastructure of the bank.

Never use a finding to compromise/exfiltrate data or pivot to other systems. Use a proof of concept only to demonstrate an issue

Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to tbi bank brands or its users. This includes: social engineering, phishing, physical security and denial of service attacks against users, employees

If sensitive information--such as personal information, credentials, etc.--is accessed as part of vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after the initial discovery. All copies of sensitive information must be returned to tbi bank and may not be retained

Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized employees), or otherwise share vulnerabilities with a third party, without tbi express written permission

Legal Terms

tbi is not giving permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of any users or publicize this information on the open, public-facing internet without user consent or modify or corrupt programs or data belonging to tbi.

tbi will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this program.

Please do the following when participating in bug bounty program:

Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity

Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:

A header that includes your username: X-Bug-Bounty:HackerOne-
A header that includes a unique or identifiable flag X-Bug-Bounty:ID-

Only use authorized accounts so as not to inadvertently compromise the privacy of our users

Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data

When attempting to demonstrate root permissions with the following primitives in a vulnerable process please use the following commands:

• Read: cat /proc/1/maps
• Write: touch /root/
• Execute: id, hostname, pwd (though, technically cat and touch also prove execution)

Before causing damage or potential damage: Stop, report what you've found and request additional testing permission

Responsible Disclosure of Vulnerabilities

We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 120 days of being triaged.

To encourage reporting vulnerabilities to tbi, we would urge you to send any vulnerabilities you detect to us and you might get rewarded for your efforts. Rewards are granted entirely at the discretion of tbi and the amount depends on the severity of the vulnerability reported, the type of website (static information sites versus online banking sites) concerned and the quality of the report we receive

You will be eligible for a bounty only if you are the first person to disclose an unknown issue.

At tbi discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, tbi may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations.

Rewards will be declined if we find evidence of abuse

The following issues are considered out of scope:

Those that resolve to third-party services
Issues that do not affect the latest version of modern browsers
Issues that we are already aware of or have been previously reported
Issues that require unlikely user interaction
Disclosure of information that does not present a significant risk
Cross-site Request Forgery with minimal security impact
CSV injection
Incomplete or missing SPF/DKIM
General best practice concerns

[important_banner title=”Attention!” subtitle=””]

Please, read carefully the full Bug Bounty program policy in the attached file, where you will find all the details regarding your potential cooperation, the report requirements, criminal liability, confidentiality, and other well-defined important details.

If you have any questions, please write us at: bugbounty@tbibank.bg

[/important_banner]

Full terms of participation

Customer Service

021 / 529 86 00 ccc@tbicallcenter.ro

Working hours

Monday - Friday

08:00 - 17:00

Saturday - Sunday

Closed

Head office

Bucharest, District 1, Romania,
8-12, Putul lui Zamfir St.

General information and locations:

Cookie	Διάρκεια	Περιγραφή
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.

Cookie	Διάρκεια	Περιγραφή
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_9GLZE30W5G	2 years	This cookie is installed by Google Analytics.
_gat_UA-219954199-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Διάρκεια	Περιγραφή
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

Cookie	Διάρκεια	Περιγραφή
incap_ses_452_2729474	session	No description
incap_ses_9210_2226261	session	No description

Cookie	Διάρκεια	Περιγραφή
handl_ip	1 month	No description available.
handl_landing_page	1 month	No description available.
handl_original_ref	past	No description available.
handl_ref	past	No description available.
handl_url	1 month	No description available.
utm_campaign	past	Google Ad Services sets this cookie to store session campaign value if present.
utm_content	past	This cookie is used for storing the session content value if present.
utm_medium	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
utm_source	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.
utm_term	past	This cookie is used to record from where the visitor came to the website orginally. This information is used by the website operator to know the efficiency of their marketing.

Introduction of the program

Introduction of the program

Scope

Scope

Program Rules

Testing

Testing

When testing for a bug, please also keep in mind

Rewards

Rewards

Out of Scope

Out of Scope

Applicable documents

Ιδιώτες

Επιχειρήσεις

Σχετικά με εμάς

Συχνές ερωτήσεις

Πληρώστε εδώ

Introduction of the program

Introduction of the program

Scope

Scope

Program Rules

Testing

Testing

When testing for a bug, please also keep in mind

Rewards

Rewards

Out of Scope

Out of Scope

Applicable documents