Bug Bounty Program

Find bugs in our websites and platforms and you might get rewarded
Introduction of the program

The purpose of this program is to establish collaboration with security researchers in order to perform security tests against TBI Bank Group environment. Its goals are:

  • to determine whether and how a malicious user can gain unauthorized access to assets that affect the fundamental security of the system, files, logs and/or sensitive data;
  • to confirm that the applicable controls, such as scope, vulnerability management, methodology, and segmentation are in place.
Scope


The scope of this policy covers all the assets of TBI Bank EAD, TBI Bank EAD Sofia – Branch Bucharest, TBI Credit IFN S.A. (Romania), TBI Leasing IFN S.A. (Romania). This Program covers a mixed environment including all systems, applications, web services, APIs, mobile and all targets part of the infrastructure of the bank.

Program Rules

Violation of any of these rules can result in ineligibility for a bounty and/or removal from the program.

  • Never use a finding to compromise or exfiltrate data or to pivot to other systems. Use a proof of concept only to demonstrate an issue.
  • If sensitive information (such as personal information, credentials, etc.) is accessed as part of a vulnerability, it must not be saved, stored, transferred, accessed, or otherwise processed after initial discovery. All copies of sensitive information must be returned to TBI Bank and may not be retained.
  • Researchers may not, and are not authorized to, engage in any activity that would be disruptive, damaging or harmful to TBI Bank brands or its users. This includes social engineering, phishing, physical security attacks and denial of service attacks against users or employees.
  • Researchers may not publicly disclose vulnerabilities (sharing any details whatsoever with anyone other than authorized employees), or otherwise share vulnerabilities with a third party, without TBI's express written permission.

Legal Terms

TBI is not giving permission or authorization (either implied or explicit) to any individual or group of individuals to extract personal information or content of any users, to publicize this information on the open, public-facing internet without user consent, or to modify or corrupt programs or data belonging to TBI.

TBI will not initiate a lawsuit or law enforcement investigation against a researcher in response to reporting a vulnerability if the researcher fully complies with this program.

Testing

Please do the following when participating in the bug bounty program:

  • Provide your IP address in the bug report. We will keep this data private and only use it to review logs related to your testing activity.
  • Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests. Report to us what header you set so we can identify it easily. For example:

      o A header that includes your username: X-Bug-Bounty:HackerOne-<username>
      o A header that includes a unique or identifiable flag: X-Bug-Bounty:ID-<sha256-flag>
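As an added example (not part of the program or its tooling), a defender-side check showing how the reported IP address and the X-Bug-Bounty header let a triage team pull a researcher's requests out of an access log and flag tagged requests that arrive from an address the researcher did not report. The log format, the sample lines and the flag value are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample data for illustration, not real TBI logs or researcher IDs.
FLAG = "ID-0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
# Assumed log format: client_ip "METHOD path" status "X-Bug-Bounty value or -"
SAMPLE_LOG = f"""\
198.51.100.10 "GET /login" 200 "HackerOne-alice"
198.51.100.10 "POST /api/transfer" 403 "HackerOne-alice"
203.0.113.7 "GET /" 200 "-"
203.0.113.9 "GET /admin" 404 "HackerOne-alice"
198.51.100.10 "GET /static/app.js" 200 "{FLAG}"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')
# The two header shapes the program asks for: HackerOne-<username> or ID-<sha256>.
TAG_RE = re.compile(r'^(?:HackerOne-[A-Za-z0-9_-]+|ID-[0-9a-f]{64})$')


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, method, path, status, tag = m.groups()
        entries.append({"ip": ip, "method": method, "path": path,
                        "status": int(status), "tag": None if tag == "-" else tag})
    return entries


def attribute(entries, reported):
    """Split tagged requests into those from a researcher's reported IPs and
    those carrying a valid tag from an unreported address (worth a follow-up).
    `reported` maps header value -> set of IP addresses given in the bug report."""
    matched, unmatched = [], []
    for e in entries:
        if e["tag"] is None or not TAG_RE.match(e["tag"]):
            continue  # untagged or malformed tag: ordinary traffic, not attributable
        (matched if e["ip"] in reported.get(e["tag"], set()) else unmatched).append(e)
    return matched, unmatched


def summarize(matched):
    """Number of attributed requests per researcher tag."""
    return Counter(e["tag"] for e in matched)
```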


When testing for a bug, please also keep in mind:

  • Only use authorized accounts so as not to inadvertently compromise the privacy of our users
  • When attempting to demonstrate root permissions with the following primitives in a vulnerable process, please use the following commands:

      o Read: cat /proc/1/maps
      o Write: touch /root/<your H1 username>
      o Execute: id, hostname, pwd (though, technically, cat and touch also prove execution)

  • Minimize the mayhem. Adhere to program rules at all times. Do not use automated scanners/tools - these tools include payloads that could trigger state changes or damage production systems and/or data.
  • Before causing damage or potential damage: Stop, report what you've found and request additional testing permission.


Responsible Disclosure of Vulnerabilities

We are continuously working to evolve our bug bounty program. We aim to respond to incoming submissions as quickly as possible and make every effort to have bugs fixed within 120 days of being triaged.


Rewards 

To encourage reporting of vulnerabilities to TBI, we urge you to send us any vulnerabilities you detect; you might get rewarded for your efforts. Rewards are granted entirely at the discretion of TBI, and the amount depends on the severity of the vulnerability reported, the type of website concerned (static information sites versus online banking sites) and the quality of the report we receive.


You will be eligible for a bounty only if you are the first person to disclose an unknown issue.
At TBI's discretion, providing more complete research, proof-of-concept code and detailed write-ups may increase the bounty awarded. Conversely, TBI may pay less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible. Rewards may be denied if there is evidence of program policy violations.

Rewards will be declined if we find evidence of abuse.


Out of Scope

The following issues are considered out of scope:

  • Issues that resolve to third-party services
  • Issues that do not affect the latest version of modern browsers
  • Issues that we are already aware of or have been previously reported
  • Issues that require unlikely user interaction
  • Disclosure of information that does not present a significant risk
  • Cross-site Request Forgery with minimal security impact
  • CSV injection
  • Incomplete or missing SPF/DKIM
  • General best practice concerns

Attention!

Please read carefully the full Bug Bounty program policy in the attached file, where you will find all the details regarding your potential cooperation, the report requirements, criminal liability, confidentiality, and other well-defined important details.


If you have any questions, please write us at: bugbounty@tbibank.bg


Full terms of participation (PDF download)