Vulnerability Disclosure Policy
Introduction
Raiffeisen [1] acknowledges the valuable role of independent security researchers acting with good intentions to help us maintain the safety and security of Raiffeisen online applications and systems. Raiffeisen therefore welcomes responsible reporting of any security vulnerabilities found in our online applications and systems.
We ask you to disclose information security issues in a responsible manner and in accordance with this policy. Please read the following policy carefully before you test and/or report any security vulnerability and ensure to follow the rules. If you have any questions or are uncertain whether your security research is in compliance with this policy, please contact us immediately via security@raiffeisen.ch before you continue any activities.
We will validate and fix vulnerabilities in accordance with our security standards.
Scope of this policy
All public facing applications and systems of Raiffeisen that are reachable by default are in scope of this policy (e.g. websites of Raiffeisen). Only such applications and systems are authorized for research as described by this policy.
Out Of Scope
Any application and system not mentioned under “Scope of this policy” and/or hosted by a third-party provider are excluded from the scope of this policy. This includes, but is not limited to:
• databases, back-end systems related to payment transaction, internal networks, and infrastructure devices
Your Commitment
Our Commitment
Strictly Forbidden Activities
Reporting & Contact
Safe Harbor
Any issues to disclose?
Please note that security reports are submitted via our partner GObugfree.
[1] Raiffeisen consists of Raiffeisen Switzerland Cooperative as well as all Swiss Raiffeisen Banks and other companies belonging to the Raiffeisen Group at present and in the future (all together “Raiffeisen”). Abroad, outside Switzerland, there are other legal entities under the name “Raiffeisen”. These companies are not addressed by this policy.