DZ BANK Bug Bounty Program

Bug Bounty Rules

The security of our customers' information and assets is our top priority. Although our specialists work continuously on the security of our systems, security gaps can never be completely ruled out. We therefore encourage anyone who believes they have discovered a security hole in our systems to act immediately and share their findings with us. However, as searching for security holes may constitute a criminal offence, we ask you to observe the following rules:


1 Scope of the Bug Bounty Program

At the present time, the bug bounty program of DZ BANK AG is limited to the following websites:
• confirm.dzbank.de
• derifin.dzbank.de
• dialin.dzbank.de
• dz-haltung.dzbank.de
• dzbank.de
• dzbbvservice.dzbank.de
• finledger.dzbank.de
• geschaeftsbericht.dzbank.de
• guided-tour.dzbank.de
• halbjahresfinanzbericht.dzbank.de
• haltung.dzbank.de
• i-net.dzbank.de
• ingen.dzbank.de
• institutionelle.dzbank.de
• login.dzbank.de
• psd2-xs2a.dzbank.de
• rsp.support.dzbank.de
• searchapp.dzbank.de
• searchresult.dzbank.de
• wertewelt.dzbank.de
• https://dzeg.dzbank.de


Please note that the extension of your activities to websites which are not included in the above list may be classified as illegal and punished accordingly.


2 Our rules

• Act responsibly.
• Do not publish any security vulnerabilities before we have fixed them.
• Due to internal processes and the complexity involved, this "Responsible Disclosure" period is valid for at least 120 days.
• A bug bounty will only be paid to the first person who reports the corresponding security hole.
• In the case of security vulnerabilities based on the same vulnerable software version, only the highest rated vulnerability for that software version will receive a bug bounty.
• Security holes that are only caused by the use of an outdated browser do not entitle you to the payment of a reward.
• Access only the data necessary to prove the vulnerability.
• Do not delete or modify any data.
• Our internal and external services must not be disturbed, interrupted or impaired by DDoS attacks or in any other way.
• Do not implement backdoors or use similar methods to obtain persistent access.
• Do not pass on any confidential information that you have received from DZ BANK AG. Do not send phishing e-mails to third parties, including employees or partners of DZ BANK, and do not use any other social engineering techniques.
• Do not carry out any attacks on the basis of "brute force" or "fuzzing".
• Do not attack our end users in any way and do not trade in stolen user data.
• Describe the vulnerability found and the steps to reproduce it as accurately as possible to enable us to reconstruct it in full and thus speed up the payment of the reward.
• Security breaches reported by a (former) employee of DZ BANK AG do not entitle you to payment of a reward.


3 What we are interested in within the Bug Bounty Program

In general, we are interested in reports about security holes that would allow a potential attacker to:
• view non-public customer data
• modify or delete data not originating from them
• directly affect the confidentiality or integrity of user data or the privacy of users
We are particularly interested in the following types of vulnerabilities:
• Cross-site request forgery (CSRF / XSRF)
• persistent cross-site scripting (XSS)
• XML external entity injections (XXE)
• Authentication bypass / Unauthorized data access
• Encryption vulnerabilities
• Remote code execution
• SQL Injections
• Privilege escalation


4 What is less relevant for us in the Bug Bounty program

• Complaints about services, products and/or equipment of DZ BANK AG and its affiliated companies
• Questions and complaints regarding the availability of our web services
• Phishing mails or fraud
• Any vulnerability reported without a detailed description of the attack methodology or proof of exploitability
• Automatic reports generated by scan tools
• Our policies regarding SPF/DKIM/DMARC Records
• HTML character set error messages such as "does not specify charset" or "unrecognized charset"
• The absence of Secure/HttpOnly flags on non-sensitive cookies
• The absence of HTTP Strict Transport Security (HSTS)
• Clickjacking or the absence of the X-Frame-Options header
• Cacheable HTTPS response pages on non-critical pages
• Use of insecure SSL/TLS ciphers
• Vulnerabilities that only affect users with outdated browsers and reduced security settings


5 How to report to us

When contacting us, please indicate the exact domain on which you found the vulnerability. Furthermore, we ask you to provide us with as many details as possible to reproduce the vulnerability in order to facilitate our analysis and thus speed up the payment of the reward.
Please communicate with us via encrypted e-mail to "security@dzbank.de", using the PGP key that you can request at the following URL:
https://securemail.dzbank.de
Please note that we will store and process your data during the analysis process. Please indicate in your e-mail if you wish your report to be processed anonymously. Please note, however, that in this case we will not be able to pay out any reward for your efforts.

Contact

We shall be pleased to answer any questions you may have.