Responsible disclosure policy


BT Responsible Disclosure Policy

Introduction

This document sets out guidelines for responsible disclosure, which ISO/IEC 29147 defines as a process through which vendors and vulnerability finders work cooperatively to find solutions that reduce the risks associated with a vulnerability. It also represents the commitment of Banca Transilvania to continuously improve its security practices in order to safeguard our clients’ information. This policy is intended to give security researchers guidance on which assets and types of research are considered in scope and on the vulnerability reporting process.

Provided that the security researcher complies with the following terms, Banca Transilvania will acknowledge that the vulnerability identification was conducted in good faith and will not pursue any legal action.


Guidelines

Scope

The following assets are covered by this policy:

In-Scope Vulnerabilities

The following vulnerabilities fall under the scope of this policy:

Out-of-Scope Testing Methods and Vulnerabilities

The following testing methods (i.e. types of research) and vulnerabilities do not fall under the scope of this policy:

Reporting a Vulnerability

If you have discovered a vulnerability or you have any questions, please contact us at the following email address: cybersec@btrl.ro.


To ensure confidentiality and integrity, please encrypt your communication with PGP key 0x6F077A29C359A429. Our security.txt file is available at: https://www.bancatransilvania.ro/.well-known/security.txt


Confidentiality Obligations

Confidential information may include, but is not limited to: customer-related information, financial or personally identifiable information, and information relating to the vulnerable assets.

The security researcher agrees not to disclose any of the above to a third party without Banca Transilvania’s agreement. Accordingly, any potential vulnerability report should be treated as confidential information.