KeyBank

KeyBank Responsible Disclosure Program Policy

KeyBank, a regional bank headquartered in Cleveland, Ohio, is committed to ensuring the safety and security of our customers. We value the input of individuals acting in good faith to help us maintain a high standard for the security and privacy for our users. This policy defines our Responsible Disclosure Program and what you can expect from us in return.

This is a Responsible Disclosure Program. If you need customer support, please see KeyBank Customer Support.

Please Note: KeyBank does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential vulnerabilities.

If you believe you have identified a potential security vulnerability in any product, system, or asset belonging to KeyBank, Cain Brothers, HelloWallet, KeyBanc Capital Markets, or Laurel Road ("KeyBank"), please submit a report to our Responsible Disclosure Program as described in this page. Your participation in the program is voluntary and subject to the terms and conditions set forth on this page. By submitting a report, you acknowledge and agree to the terms and conditions contained in this Policy. You also acknowledge that, to the extent they are not inconsistent with this Policy, you are subject to:

• HackerOne's Disclosure Guidelines
• Finder Terms and Conditions
• General Terms and Conditions

Scope

Any public-facing system owned, operated, or controlled by KeyBank, including web applications hosted on those sites. The assets specifically stated as in scope may be subject to change throughout the lifetime of this program.

Responsible Disclosure Program Guidelines

• Your activities are limited exclusively to:
• Minimal testing to detect a vulnerability or identify an indicator related to a vulnerability; or
• Sharing with, or receiving from, KeyBank information about a vulnerability or an indicator related to a vulnerability.
• KeyBank does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any type of automated attack scanning or penetration testing activities against any KeyBank asset.
• You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.
• You avoid intentionally accessing the content of any communications, data, or information transiting or stored on KeyBank information system(s) – except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.
• You do not exfiltrate, alter, or destroy any data under any circumstances.
• You do not compromise the privacy or safety of KeyBank customers, personnel or entities, or any third parties.
• You do not compromise the intellectual property or other commercial or financial interests of any KeyBank personnel or entities, or any third parties.
• You only interact with accounts you own or with explicit permission of the account holder.
• You do not initiate a fraudulent financial transaction.
• You do not conduct denial of service testing or other testing that impacts the availability of KeyBank services.
• You do not engage in social engineering attacks (e.g. phishing, vishing, smishing) against KeyBank customers, personnel or entities, or third parties.
• You do not engage in any physical attacks against KeyBank customers, personnel or entities, offices, and data centers.
• You do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
• If a vulnerability provides unintended access to data, you limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
• You cease testing and submit a report immediately if you encounter a vulnerability that provides unintended access to any user data, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
• You do not store, share, compromise or destroy KeyBank or customer data. If Personally Identifiable Information (PII) is encountered, you immediately halt your activity, purge related data from your system, and immediately contact KeyBank. This step protects any potentially vulnerable data, and you.
• You do not include any information that may identify an individual other than yourself (such as name, contact information, IP address, or other similar information) in your vulnerability report or any attachments thereto.
• You do not publicly disclose or share with any third-party any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, including vulnerabilities that have been resolved, except upon receiving explicit written authorization from KeyBank.
• If at any point you are uncertain whether to continue testing, please engage with the HackerOne team at [email protected].

Once a report is submitted, KeyBank commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

KeyBank does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity. If you engage in any activities that are inconsistent with these Responsible Disclosure Program Guidelines or any applicable law, you may be subject to criminal and/or civil liabilities.

KeyBank may choose to disregard submissions by parties who submit a high-volume of low-quality reports.

How to Submit a Report

• Please provide detailed reports with reproducible steps, and, if applicable, the steps to remediate it. If the report is not detailed enough to reproduce the issue, we will not be able to validate the issue.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Please do not include any information that may identify an individual other than yourself (such as name, contact information, IP address, or other similar information) in your vulnerability report or any attachments thereto.

By clicking "Submit Report" you are indicating that you have read, understand, and agree to the terms and conditions described in this Policy for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to KeyBank information systems, and consent to having the contents of the communication and follow-up communications stored on a KeyBank information system.

Expectations

When working with us according to this policy, you can expect us to:

• Extend Safe Harbor for your vulnerability research that is related to this policy.
• Provide prompt acknowledgement of receipt of all reports (within two business days of submission) and keep you reasonably informed of the status of any validated vulnerability that you report through this program.
• Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please do not submit reports for the following issues:

• Missing cookie flags, missing or weak Content Security Policy or other security-related headers without demonstrating a vulnerability.
• Username harvesting or guessable user account names.
• Information disclosure through error messages or response headers without demonstrating a vulnerability.
• Browser cache weakness.
• Session timeout.
• CSRF on pages with no sensitive actions.
• Physical testing.
• Social engineering (such as Self-XSS, fake login pages, attempts to steal cookies using social engineering).
• Attacks requiring MITM or physical access to a user's device.
• Denial of service attacks.
• Resource exhaustion attacks.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. Security research not conducted in good faith – for example, for the purpose of discovering security holes in devices, machines or services in order to extort the owners of such devices, machines or services – will not be covered by this safe harbor or the HackerOne Gold Standard Safe Harbor.

Legal

You must comply with security industry best practices, and all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program. You agree that any and all information acquired or accessed as part of this exercise is confidential to KeyBank and you shall hold all such information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give, or disclose such information to third parties or use such information for any purposes other than for the performance of your work or expressly authorized in writing by KeyBank.

KeyBank does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

To the extent that any security research or vulnerability disclosure activity involves the networks, systems, information, applications, products, or services of a non-KeyBank entity (e.g., Federal departments or agencies; State, local, or tribal governments; other private sector companies or persons; employees or personnel of any such entities; or any other such third party), that non-KeyBank third party may independently determine whether to pursue legal action or remedies related to such activities.

By submitting a report to KeyBank, you grant to KeyBank, its subsidiaries and its affiliates, a perpetual, irrevocable, no charge license to all intellectual property rights licensable by you in or related to the use of information or material submitted. You must notify us if any part of your report is not your own work or is the intellectual property of a third-party.

KeyBank may modify the terms of this policy or terminate the program at any time.