Vulnerability Disclosure Policy
Purpose
At Migros Bank, we take the security of our systems and the privacy of our customers very seriously. This Vulnerability Disclosure Policy (VDP) provides security researchers with guidelines for reporting potential security issues responsibly. By fostering a transparent communication channel, we aim to quickly identify and address security vulnerabilities.
Scope
Any public-facing digital asset owned, operated, or maintained by Migros Bank that is reachable by default.
Strictly Forbidden Activities
- Performing actions that may negatively affect our systems or our customers (e.g., phishing, spam, brute force, denial of service, etc.).
- Altering or corrupting, or attempting to alter or corrupt, data or information that does not belong to you.
- Engaging in any activity that would breach the confidentiality of user data (including accessing, modifying, deleting or passing on such data) or that involves fraudulent transactions.
- Conducting any kind of physical or electronic attack on our personnel, property, buildings, or infrastructure.
- Social engineering our employees, customers, or contractors.
- Using automated tools to find vulnerabilities.
Guidelines for Reporting
We ask that researchers follow these principles when submitting vulnerability reports:
- Respect privacy: Avoid accessing, modifying, or destroying data belonging to others.
- Do no harm: Refrain from causing any disruption to services, degrading the user experience, or impairing the performance of the systems.
- Avoid escalation: Do not use vulnerabilities to escalate access or compromise systems, even after reporting.
- Non-disclosure: Do not publicly disclose the vulnerability without explicit (written) permission from Migros Bank.
How to Submit a Vulnerability Report
Researchers should report potential vulnerabilities by emailing our security team at:
Email: securityresearch@migrosbank.ch
Reports must be written in English.
The more of the following details you provide, the easier it will be for us to triage and fix the issue:
- Technical description of the vulnerability, including:
  - Browser information (type and version) used
  - Relevant information about connected components and devices
  - Impacted platform(s): URL(s), IPs, hosts, services
- Sample code to demonstrate the vulnerability and/or detailed steps to reproduce, including any proof of concept (PoC).
- Threat/risk assessment, including an impact assessment (potential damage, affected systems, etc.).
- Recommendations for resolving the issue (if applicable).
- Date and time of discovery.
- Contact information.
- Possible disclosure plans.
Whenever possible, report only one vulnerability per report.
Our Commitment
When you work with us in accordance with this policy, you can expect us to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report within 3 business days at the latest.
- Work with you to understand and validate your report.
- Work to remediate discovered vulnerabilities in a timely manner.
- Notify you when the reported case has been resolved.
Safe Harbor
To the extent possible and permitted by law, Migros Bank commits not to pursue legal action against security researchers who:
- Act in good faith, respect the guidelines of this policy, and avoid any malicious intent.
- Refrain from exploiting the vulnerability beyond what is necessary to prove its existence.
- Report the issue directly to Migros Bank.
Contact Information
For any questions or clarifications regarding this policy, please contact:
Email: securityresearch@migrosbank.ch
Migros Bank reserves the right to modify this policy at any time.
This policy ensures a productive and collaborative relationship between Migros Bank and the security research community. Thank you for your interest in keeping our systems secure!