BankUnited
External Program
BankUnited looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Open Scope — Accepts reports for all owned assets based on impact, even if not listed in scope.
Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.
Coordinated Vulnerability Disclosure — Standard coordinated vulnerability disclosure.
Top Response Efficiency — This program's response efficiency is above 90%.
BankUnited is committed to ensuring the security of its customers by protecting their information. This policy is intended to give security researchers (also referred to in this document as "you" and "your") clear guidelines for conducting vulnerability discovery activities and to convey our preferences in how to submit discovered vulnerabilities to us. If you discover a potential vulnerability in our systems, we encourage you to report it through HackerOne.
For all customer service needs, please contact us at https://www.bankunited.com/contact-us.
Security research activities conducted in good faith, and in a manner consistent with this policy, will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

- Do not engage in any activity that can potentially or actually cause harm to BankUnited, our customers, or our employees.
- Do not engage in any activity that can potentially or actually stop or degrade BankUnited services or assets.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy BankUnited or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact BankUnited. This step protects any potentially vulnerable data, and you.
- Do not complete fraudulent financial transactions.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Provide BankUnited reasonable time to fix any reported issue.
By responsibly submitting your findings to BankUnited in accordance with these guidelines, BankUnited agrees not to pursue legal action against you. BankUnited reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, BankUnited commits to acknowledging receipt of all reports and may contact you if additional details are needed.
BankUnited does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:
Please do not discuss this program, or any vulnerabilities identified through it (even resolved ones), outside of the program without express consent from BankUnited.
Information submitted under this policy will be used for defensive purposes only – to mitigate or remediate vulnerabilities. If your findings include newly discovered vulnerabilities that affect all users of a product or service and not solely BankUnited, we may share your report with the Cybersecurity and Infrastructure Security Agency, where it will be handled under their coordinated vulnerability disclosure process. We will not share your name or contact information without express permission.
BankUnited will make a best effort to meet the following Service Level Agreements (SLAs) for those participating in our program:
| Type of Response | SLA in business days |
|---|---|
| First Response | 1 day |
| Time to Triage | 2 days |
| Time to Resolution | Depends on severity & complexity |
To the best of our ability, we will keep you informed about our progress throughout the process.
By submitting a report to BankUnited, you grant to BankUnited, its subsidiaries and its affiliates a perpetual, irrevocable, no-charge license to all intellectual property rights licensable by you in or related to the use of the information or material submitted. You must notify us if any part of your report is not your own work or is the intellectual property of a third party.
In order to help us triage and prioritize submissions, we recommend that your reports:

- Describe where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof-of-concept scripts or screenshots are helpful).
- Be in English, if possible.
Researchers should add headers to requests such as:
BankUnited uses HackerOne to triage and validate vulnerability reports made pursuant to our Vulnerability Disclosure Program. Submitting your report through HackerOne will help ensure timely validation. If you are unable to submit a report via HackerOne, you may send us an email at [email protected].