How do you report?

Send an email to us at responsible-disclosure@swedbank.com. We would prefer you to use our public PGP key to encrypt and protect the information you send over. Please include the following information:

• Detailed description of the vulnerability including, for example, URL, type of vulnerability.
• Necessary information that we need to recreate the problem.
• A screenshot, if applicable to the vulnerability you have found.
• Contact information, name, email, phone number, any public PGP key.

What can you report?

You can report security deficiencies that you have found in one of our services. Examples of security deficiencies are cross-site scripting, deficiencies in encryption or deficiencies in logical controls with consequences for security. The reporting service is not for other logical errors, errors in texts, questions about our services, questions about the security of our services or similar.

What can you expect from Swedbank?

We will confirm that we have received your description, keep you updated on an ongoing basis and inform you when the problem has been resolved.

Claims for compensation as terms and conditions for sending a vulnerability are not accepted.

What is required of you?

For the safety of us and our customers, it is important that you follow good practice, i.e. that:

• You do not exploit the vulnerability to reach, or attempt to reach, information that does not belong to you.
• You do not exploit the vulnerability to remove or modify information.
• You do not affect the availability of our services through, for example, congestion attacks.
• You give us an opportunity to correct the reported vulnerability before you publish it.

Can you report anonymously?

Yes, but then we can't reply back and keep you updated about the status.