Reporting vulnerabilities

Have you discovered a problem or a weakness in our internet services? Share it with our experts. We’d like to cooperate with you to solve these kinds of problems.

Responsible disclosure

Are you a security researcher who has discovered vulnerabilities in our systems? In that case, we’d like to cooperate with you to resolve these vulnerabilities before they are exploited.

Every day, Rabobank specialists focus on optimizing our systems and processes. As a result, our customers are better protected against abuse and we ensure optimal accessibility of our services. Of course, this doesn’t mean our systems are perfect and don’t have any potential vulnerabilities. That’s why we’d like to cooperate with information security experts who have identified a potential vulnerability in one of our systems.

In scope

We ask that you report all findings relating to the security of Rabobank services to us, preferably as soon as possible. This includes:

    Remote Code Execution Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) SQL Injection Encryption vulnerabilities Bypassing authentication or unauthorized access to data

Not in scope

Please do not contact this reporting desk with:

    comments about the services provided by Rabobank comments or questions about the accessibility of our services reports of fraud or possible fraud reports of possible fake or so-called phishing emails reports of problems with ATMs (unless security-related) reports of viruses and/or malware

You can report phishing emails directly by sending an email to: valse-email@rabobank.nl.

Exclusions

Rabobank does not provide a reward for trivial or non-exploitable bugs. Below are some examples of known vulnerabilities and accepted risks for which no reward is provided.

    HTTP 404 codes/pages or other HTTP non-200 codes/pages. Fingerprinting/version of banner disclosure on general/public services. Publicly accessible files and folders with non-sensitive information, (e.g. robots.txt). Clickjacking and related vulnerabilities. CSRF on forms that are available without a session (e.g. a contact form/login form). Logout Cross-Site Request Forgery. Presence of an ‘autocomplete’ or ‘save password’ functionality. Lack of ‘Secure’ / ‘HTTP Only’ flags on non-sensitive cookies. Weak CAPTCHA or CAPTCHA circumvention. Brute force on the Forget Password Page and Account Lockout not being enforced. OPTIONS Method is enabled. Username / Email enumeration by brute force attempts: via Login error messages. ‘Forget Password’ error messages. Lack of HTTP Security Headers such as: Strict-Transport-Security. X-Frame-Options. X-XSS-Protection. X-Content-Type-Options. Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP. SSL configuration weaknesses: SSL attacks that cannot be exploited remotely. SSL ‘Forward Secrecy’ is not enabled. SSL is weak / insecure cipher suites. Missing HTTP Public Key Pinning (HPKP). SPF, DKIM, DMARC issues. Host Header Injection. Content Spoofing/Text Injection on 404 pages. Reporting old software versions without a proof of concept or working exploit. Information leakage in Metadata. > Missing DNSSEC. Expired or inactive domains (domain takeover). Same Site Scripting / localhost DNS record.

More information