How to notify us
If you have identified a security problem in one of our ICT systems or websites, please proceed as follows:
- Do not share any information about the identified security problem with third parties until it has been resolved.
- Please give us a clear description of how and when the problem occurs. Describe how the problem can be reproduced and provide us with information on the method that was used and the time of discovery.
- Act responsibly in dealing with your knowledge of the security problem. Do not take any any actions that go beyond what is needed to demonstrate the problem. Do not use the security problem to your own advantage and do not store any confidential data obtained as a result of the problem.
- State your contact details (email address or telephone number) so that we can keep you updated on the status of the problem.
If your notification meets these requirements, there will not be any legal consequences.
How will we treat your Responsible Disclosure notification?
If you notify us of a security problem in an ICT system or website, we will treat your notification as follows.
- Our Information Desk will confirm receipt within two business days.
- We will send you our response within three days of the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. We will provide you with progress reports.
- We will always treat your notification confidentially and will never share your personal data with third parties, except when obliged to do so by law or pursuant to a court ruling.
- We consult you on whether and how the issue is to be made public. We will never do so before the problem has been resolved. If we make the issue public, we will give you credit for identifying it, if you wish.
- We will reward you as a token of our gratitude. The reward will depend on the gravity and scale of the identified problem and the quality of your report.
The above procedure is based on the Responsible Disclosure Guidelines of the National Cyber Security Centre.
ExceptionsThe following reports will not be taken into consideration :
- the policy of SPF / DKIM / DMARC
- redirection from http to https
- vulnerabilities related to missing http security headers
DNB is already aware of these matters .