Responsible Disclosure Policy of Bigbank AS
Latest commit e072881 (Jun 18, 2018) by Ando Roots: Fix broken links in security.txt. Linked policy and encryption files were moved into the src subfolder in the repo in GitHub, but the links were not updated.
security.txt

A public policy document for Bigbank AS, which describes contact information and guidelines for responsible disclosure and research of security vulnerabilities.

The Bigbank AS Responsible Disclosure Policy is linked from our public web properties using the securitytxt.org standard. Example: jobs.bigbank.eu/.well-known/security.txt.

Why is this important?

With recent high-profile security incidents such as Equifax and Yahoo, as well as changing legislation (GDPR), we've seen that security is an increasingly important topic for organizations, especially in licensed industries such as banking. In fact, security must be a board-room issue.

No software is perfect - even NASA makes mistakes. We can do our best to write secure software, but the reality is that security bugs happen.

Enterprises have basically two choices to deal with vulnerabilities:

The last approach clearly does not work - the good guys will be scared of lawsuits, but anonymous attackers won't be. The end result is that we remain unaware of vulnerabilities in our systems until they are exploited.

Recent years have seen an explosion of "bug bounty" and "responsible disclosure" programs, where organizations publicly say: "we do our best to write secure code; nevertheless, there might be bugs. If you find any such problems in our services, please let us know; in return we promise to fix the issue and not sue you for telling us about it".

These are Bigbank's guidelines for handling responsible disclosure and vulnerability research; a promise to fix found issues and to not sue responsible researchers.

We do this by publishing the policy on our web pages via security.txt.

For Bigbank-operated web properties, open https://<domain>/.well-known/security.txt (not all properties may have the file in place).
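As an added example (not code from the Bigbank repository), a small validator for a security.txt file following RFC 9116, the published form of the securitytxt.org standard referenced above. It checks the required Contact and Expires fields and flags linked Policy/Encryption resources given as relative paths or plain http, the kind of broken link the repo's commit history fixed; the field rules come from the RFC and the sample file is constructed.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Fields whose value must be a URI (RFC 9116); web links must be absolute https.
URI_FIELDS = {"contact", "encryption", "policy", "canonical", "acknowledgments", "hiring"}

def parse_security_txt(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are not fields
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def validate(text, now=None):
    """Return a list of findings; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    pairs = parse_security_txt(text)
    names = [n for n, _ in pairs]
    findings = []
    if "contact" not in names:
        findings.append("Contact: required field is missing")
    if names.count("expires") != 1:
        findings.append("Expires: must appear exactly once")
    for name, value in pairs:
        if name == "expires":
            try:  # ISO 8601 with zone; older fromisoformat() wants +00:00 rather than Z
                if datetime.fromisoformat(value.upper().replace("Z", "+00:00")) <= now:
                    findings.append("Expires: file has expired, researchers may ignore it")
            except (ValueError, TypeError):  # unparseable or missing time zone
                findings.append(f"Expires: invalid timestamp {value!r}")
        elif name in URI_FIELDS:
            url = urlparse(value)
            if not url.scheme:
                findings.append(f"{name.capitalize()}: {value!r} is a relative path, not an absolute URI")
            elif url.scheme == "http":
                findings.append(f"{name.capitalize()}: {value!r} must use https")
    return findings

# Constructed sample reproducing the failure the repo's commit fixed: a linked file
# referenced by a path that breaks when the file moves, plus a plain-http key link.
SAMPLE = """# constructed example, not Bigbank's real file
Contact: mailto:security@example.invalid
Expires: 2030-01-01T00:00:00Z
Policy: security-policy.md
Encryption: http://example.invalid/pgp-key.txt
"""
```

Running `validate(SAMPLE)` reports the relative Policy path and the http Encryption link; a file served from /.well-known/ on every property can be checked the same way after each deploy.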

Repository Structure

This repository is a Dockerized Nginx web server, which serves static files related to security.txt.

Files in src/ are available from the webserver.

Responsible Disclosure Policy

Our Responsible Disclosure Policy is described in src/security-policy.md and is valid for all Bigbank-operated properties where a security.txt is present.

The policy is versioned and can change without notice. The change history can be seen on GitHub.