
Citi Group
External Program
Welcome to Citi's Responsible Vulnerability Disclosure Program!
The security of customer account information is of the utmost importance to us. If you believe you've found a security issue in one of our products or services, we encourage you to notify us. The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of Citi and our customers.
Open Scope - Accepts reports for all owned assets based on impact, even if not listed in scope.
Gold Standard Safe Harbor - Adheres to Gold Standard Safe Harbor.
Coordinated Vulnerability Disclosure - Undeclared
Average Response Time - 3 hours to first response
Average Triage Time - 3 weeks, 1 day
At Citi, the security and privacy of our customers' account information and digital assets are paramount. We are relentlessly committed to building and maintaining a secure environment across all our products and services. We understand that in the dynamic landscape of cybersecurity, vigilance and collaboration are key.
We deeply value the expertise and ethical contributions of security researchers and the broader security community. If you believe you have discovered a potential security vulnerability within any Citi product or service, we strongly encourage you to notify us through this Responsible Vulnerability Disclosure Program.
Your responsible and timely disclosure of security vulnerabilities is instrumental. It allows us to:
This program outlines a clear, secure, and respectful process for reporting vulnerabilities. By adhering to these guidelines, you empower us to act quickly and effectively, ensuring that the security and privacy of Citi and its customers always remain our highest priority. We appreciate your partnership in making the digital world safer for everyone.
Please be aware that Citi will not correspond with you directly, nor disclose remediation steps or timeframes.
You should not publicize or disclose your submission or its results to any third parties without Citi's explicit permission to do so. Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from Citi Group.
This engagement does not allow disclosure. You may not release information about vulnerabilities found in this engagement to the public.
Follow HackerOne's disclosure guidelines.
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report unless you need to chain vulnerabilities to provide impact.
Cross-environment findings will be considered duplicates. If you would like to group together one finding found across multiple environments, feel free to send them along! When duplicates occur, we only triage the first report received (provided that it can be fully reproduced).
Reports of the same vulnerability across different target apps belonging to this program will be counted as one submission. Please submit a single report.
Social engineering (e.g., phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with explicit permission of the account holder.
This program is not intended for submitting complaints about Citi's services or products, reporting issues with ATMs, fraud, malware or asking questions about the availability of Citi's websites or mobile banking services. This program is also not intended for submitting suspicious or phishing e-mails.
Please report suspicious e-mails or phishing to [email protected].
Please note that this program should not be construed as encouragement or permission to perform any of the following activities:
Citi does not waive any rights or claims with respect to such activities.
Thank you for helping keep Citi Group and our users safe!