Responsible Disclosure

The safety of our customers' information and assets is our top priority. We actively encourage anyone who believes they have discovered a vulnerability in our systems to share it with us promptly, so that we can improve and strengthen the security of our systems. We are grateful to you for taking the time to report the weaknesses you discover, as long as you do so in adherence to the following responsible disclosure guidelines:

Scope

At present, Danske Bank’s Responsible Disclosure Programme applies to security vulnerabilities discovered in any of the following web services:

  • danskebank.com (no subdomains)
  • danskebank.dk (no subdomains)
  • *.june.dk
  • *.sunday.dk

In addition to the above mentioned web services, Danske Bank’s Responsible Disclosure Programme also applies to security vulnerabilities discovered in the following mobile application:

  • eBanking 3.0

Rules of engagement

Please read the following rules before reporting a vulnerability:

  • Do not intentionally access non-public Danske Bank data any more than is necessary to demonstrate the vulnerability
  • Do not permanently modify or delete Danske Bank hosted data
  • Do not DDoS or otherwise disrupt, interrupt or degrade our internal or external services
  • Do not put a backdoor in the system, not even for the purpose of showing the vulnerability
  • Do not share confidential information obtained from Danske Bank
  • Social engineering is out of scope. Do not send phishing emails to, or use other social engineering techniques against, anyone, including Danske Bank staff, members, vendors, or partners
  • Do not utilise any brute-force techniques (e.g. repeatedly entering passwords) in order to gain access to the system
  • Do not attack, in any way, our end users, or engage in trade of stolen user credentials. However, should you become aware of such trade, we would certainly appreciate being informed

What to report

In general, we are interested in receiving reports on vulnerabilities that:

  • Enable disclosure of non-public client information
  • Enable a user to modify data that is not their own
  • Could lead to the compromise or leakage of data, directly affecting the confidentiality or integrity of user data, or which affect user privacy

Specifically, we are interested in any of the following vulnerabilities:

  • Cross-site request forgery (CSRF/XSRF)
  • Cross-site scripting (XSS)
  • Authentication bypass / unauthorised data access
  • Encryption vulnerabilities
  • Remote code execution
  • Injection vulnerabilities
  • Privilege escalation

What not to report

The following is excluded from our Responsible Disclosure program:

  • Any vulnerabilities without a properly documented evidence report showing proof of possible exploitation
  • Reports generated by automated scan tools (e.g. Nmap scan results)
  • Publicly available information and/or browser instructions, such as:
    • Our policies on presence or absence of SPF/DKIM/DMARC records
    • Cross Site Request Forgery (CSRF) vulnerabilities on unauthenticated pages
    • HTML character set vulnerabilities such as “does not specify” or “unrecognized”
    • Lack of Secure/HttpOnly flags on non-sensitive cookies
    • Absence of HTTP Strict Transport Security (HSTS)
    • Clickjacking or the non-existence of X-Frame-Options on non-logon pages
    • Cacheable HTTPS response pages on sites that do not provide money transfer capabilities
    • Reports of insecure SSL/TLS ciphers
    • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms (older than two major releases) or for users who have intentionally reduced security settings on their platform
  • Vulnerabilities which require a jailbroken mobile device, unless they enable a server-side compromise

How to report a vulnerability

When you contact us, please include the product, where you found the issue, and as many details as possible to help us identify the exact area of the issue. If we believe that more information is required, we will contact you.

When you report a vulnerability to us, please encrypt your message using this PGP Key.

We will investigate all reported potential vulnerabilities. Please note that we register your data in connection with our case processing. If you want to know more about how we process your personal data and the rights you have, please read more on https://danskebank.dk/privat/gdpr/en. If you wish to report the issue anonymously, please state this in your communication, and we will not contact you or retain your personal information.

How to report a vulnerability

If you detect a security issue with any of our products, please let us know by mailing us at soc_itops@danskebank.com.