Vulnerability Disclosure Policy

One of our goals is to address issues as quickly as possible while limiting negative impacts to our clients. In order to do this, we need your help:

• Regardless of the impact, you agree not to compromise Raiffeisen information or Raiffeisen information systems, 
• Disclose issues as soon as possible via the Vulnerability Disclosure Form located on https://raiffeisen.ch/vdp/submit,
• Provide valid contact information,
• Respond when we have a question for you,
• Include as much information as possible in your report (see “Reporting” below) to help us to recreate the issue,
• Use vulnerabilities only to the extent necessary to report. Do not use the vulnerability for any other purpose.
• Do not violate the privacy of others or interfere with our systems. Do not destroy data or harm user experience, 
• Only interact with test accounts that belong to you or for which you have the verifiable explicit permission of the relevant account holder.

Further, you must comply with all laws applicable to you, including local laws of the country or region in which you reside or in which you download or use Raiffeisen’s online platforms, applications, or services.

If you find a valid security vulnerability in compliance with this policy, you can expect Raiffeisen to:

• Respond in a timely manner, acknowledging receipt of your vulnerability report and engage with you in an open dialog to discuss issues, 
• Recognize your contribution if you are the first to report a previously unknown vulnerability, and your report triggers a code or configuration change.

While we encourage you to report to us any vulnerabilities you find, to remain compliant, you are prohibited from:

• Performing actions that may negatively affect Raiffeisen or its clients, like Denial of Service or spam,
• Performing attacks that negatively impact the performance of systems of Raiffeisen, such as brute forcing of any kind, fuzzing, etc. without any throttling,
• Accessing any non-public applications and system, e.g. via lateral movement,
• Theft, destruction or corruption, or attempt to steal, destroy or corrupt data or information of Raiffeisen that does not belong to you,
• Conducting any kind of physical or electronic attack on Raiffeisen personnel, property, buildings, or data centers,
• Social engineering or extorting any Raiffeisen employee, client or contractor.

Public disclosure of any submission details of an identified or alleged vulnerability without express written consent from Raiffeisen will cause you and your submission to be noncompliant with this Policy.

Report any details of an identified or alleged vulnerabilitiy via https://raiffeisen.ch/vdp/submit. We ask you to include detailed information with steps for us to reproduce the vulnerability. The more details you provide, the easier it will be for us to triage and fix the issue, such as:

• Technical description of the vulnerability, including: 
      - Browser information (type and version) used
      - Relevant information about connected components and devices
      - Impacted platform(s) URL(s) 
• Sample code to demonstrate the vulnerability and/or detailed steps to reproduce 
• Threat/risk assessment 
• Date and time of discovery 
• Your valid contact information 
• Possible disclosure plans 

By submitting the report via https://raiffeisen.ch/vdp/submit you agree to comply with the terms and conditions of this policy.

Any activities conducted in accordance with this policy and in good faith, without fraudulent or harmful intent, will be deemed to be “authorized” and we shall not initiate or recommend legal action against you to the extent possible and permitted by law. If legal action is initiated by a third party against you and you have complied with this policy, we will take the necessary measures to make it known that your actions were conducted in compliance with this policy.

Raiffeisen reserves the right to bring any legal action against any person acting in a manner that violates this policy.