Truist is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Truist. If you believe you have identified a potential security vulnerability, please submit it pursuant to our Responsible Disclosure Program. Thank you in advance for your submission, we appreciate researchers assisting us in our security efforts. Please note, Truist does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

Disclosure Policy

• Follow HackerOne's disclosure guidelines.

Program Rules

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

• Do not engage in any activity that can potentially or actually cause harm to Truist, our customers, or our employees.
• Do not engage in any activity that can potentially or actually stop or degrade Truist services or assets.
• Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
• Do not use automated scanning or testing.
• Do not store, share, compromise or destroy Truist or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, securely delete related data from your system, and immediately contact Truist. This step protects any potentially vulnerable data, and you.
• Do not initiate a fraudulent financial transaction.

To participate in our program we ask that you configure your tools accordingly. This will help us best determine that you are a researcher participating in our program and will help reduce they likelihood that you are blocked from our systems.

(1) HTTP Headers:

Include a custom HTTP header in all your traffic. Burp and other proxies allow the easy automatic addition of headers to all outbound requests.

Identifier: Your Username Format: X-Bug-Bounty:HackerOne- Example: X-Bug-Bounty: HackerOne-1337H4x0R

Identifier: Tool Identifier Format: X-Bug-Bounty: Example: X-Bug-Bounty: BurpSuite

Provide Truist reasonable time to fix any reported issue, before such information is shared with a third party or disclosed publicly.

Truist takes the position that good faith security research to discover and disclose a vulnerability to Truist consistent with these guidelines is an appropriate and legitimate use of Truist's information systems. Once a report is submitted, Truist commits to provide prompt acknowledgement of receipt of all reports and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Submission Format

When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (proof of concept scripts or screen captures welcome).

Scope

We have listed the assets in scope for this program, however, if you have found a potential vulnerability (excluding the out-of-scope vulnerabilities listed below) on any product, system or asset you believe belongs to Truist, please submit it through this program as we would like to hear about it.

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

[We have included an exhaustive list. Please delete or edit entries as you see fit, in line with your business risk]

• Physical Testing
• Social Engineering. For example, attempts to steal cookies, fake login pages to collect credentials
• Phishing
• Denial of service attacks
• Resource Exhaustion Attacks
• Wifi Testing

Please also note that Truist employs third-party vendors, and some subdomains may be managed by third parties. When issues reported to the Truist program originate in a different vendor's service, Truist reserves the right to forward submissions to the affected party without further discussion. Please be sure to check our publicly published IP ranges and conduct all necessary due diligence to determine ownership of an asset prior to testing.

This Program Policy is subject to change at Truist’s sole discretion.