S-Pankki Bug Bounty Program

S-Pankki and S-Group looks forward to working with the security community to find security vulnerabilities in order to keep our businesses, systems and customers safe.

This program is a joint effort between S-Pankki and S-Group.

• https://www.s-pankki.fi
• https://s-ryhma.fi

Program Rules

Our bug bounty program is limited strictly to technical security vulnerabilities of S-Pankki and S-Group services listed in the scope. Any activity that would disrupt, damage or adversely affect any data or account is not allowed.

These program rules are:

• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
• We run our program in English and all reports should be submitted in English.
• S-Pankki has all rights to make bounty policy changes at any time without prior notification.
• S-Pankki has right to discontinue the bug bounty program at any time without prior notification.
• Employees from following companies are not allowed to participate to the bugbounty program: S-Pankki, S-Group, Crosskey, HiQ, Nitor, WithSecure, F-Secure, Reversec, Comiq, Solita, Reaktor, Taitopilvi, Vaimo, Solteq, Frantic, New Things Co, KnowIT, Digia, Columbia Road, Vala Group,Taito United, Gofore and Netlight.

Please do not perform brute force testing to determine whether rate limiting is in place for particular APIs or pieces of functionality.

The following actions are strictly prohibited:

• Denial of Service attacks
• Physical attacks against offices and data centers
• Social engineering (e.g. phishing, vishing, smishing) of our service desk, employees or contractors
• Compromise of a S-Pankki or S-Group user's or employee's account
• Automated tools or scans, botnet, compromised site, end-clients or any other means of large automated exploitation or use of a tool that generates a significant volume of traffic

Additionally, the vulnerabilities listed in the section below will not be considered for bounty.

Out-of-scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

The following issues are considered out of scope:

• Self-XSS and XSS without impact
• Clickjacking on pages with no sensitive actions
• Unauthenticated CSRF
• Attacks requiring MITM or physical access to a user's device (MITM in mobile applications are in-scope but those are reviewed case by case)
• Previously known vulnerable libraries without a working Proof of Concept
• Comma Separated Values (CSV) injection without demonstrating a vulnerability
• Any activity that could lead to the disruption of our service (DoS).
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

SLA

S-Pankki will make a best effort to meet the following SLAs for hackers participating in our program:

• Time to first response (from report submit) - 5 business days
• Time to triage (from report submit) - 10 business days
• Time to bounty (from triage) - 10 business days

We’ll try to keep you informed about our progress throughout the process.

Data Protection

S-Pankki and S-Group may receive personal data in relation to use of Bug Bounty program and shall adhere the EU General Data Protection Regulation (GDPR) and other applicable legislation.

Whenever personal data is encountered during testing, S-Pankki and S-Group expects and requires all persons involved to handle that data with utmost care. Showing or proving the existence of a flaw does likely not require any data dumps - so even if possible, no dumping of personal data is allowed. Any exfiltrated personal data must immediately be deleted and any testing that might result in further personal data being revealed must be halted. You shall not store personal data. Personal data samples, if needed in the report, shall be properly obfuscated before posting. This includes submitting reports that contain your own data. In the case where personal data is posted in a report we will redact that information as soon as possible. If after the redaction the report is unintelligible, it will not be processed.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep S-Pankki, S-Group and our users safe!