Responsible Disclosure
Reporting security issues and vulnerabilities
Data protection and the security of our IT systems are top priorities for Erste Bank und Sparkassen. Although we secure our systems to the best of our ability, vulnerabilities can occur.
Have you encountered a security vulnerability? Please inform us immediately and help us to make our IT systems even more secure.
Where can you report a security vulnerability?
Please report vulnerabilities to responsible-disclosure@scert.at
If possible, please use encrypted communication. Here you can download our PGP-Key:
Our commitments for vulnerability reporting:
- We will keep your report strictly confidential.
- Your access to our systems will not be restricted.
- We will not take legal actions.
Important: These commitments only apply if you follow our fairness guidelines.
Be sure to follow our vulnerability fairness guidelines:
- Keep the information collected confidential and do not inform third parties.
- Allow us sufficient time to identify and fix the vulnerability.
- Use discovered vulnerabilities only for your own analysis.
- Do not cause any damage!
- Do not spy, modify, download, delete or share data.
- Do not conduct fraudulent transactions.
- Do not physically attack our property or data centres.
- Do not influence the availability of our systems to our customers.
- Limit testing to detect vulnerabilities to the necessary minimum.
- Do not perform social engineering or phishing on our employees or customers.
- Do not collect, enumerate, or validate the existence of user accounts.
- Use only your own credentials for testing.
- Report to us what data was unavoidably visible to prove the vulnerability.
- Do not use automated scanner tools or penetration testing tools.