Vulnerability Disclosure Policy – Guidelines for Security Researchers and Responsible Disclosure
As a company committed to ensuring the confidentiality, integrity, and availability of information and the financial assets of its clients and its own operations, we recognize the importance of the security research community's contribution. Responsible discovery and disclosure of security vulnerabilities is essential for protecting our systems and users. This policy defines our approach to vulnerability reporting and establishes clear expectations for all stakeholders involved.
Scope
This policy applies to all information assets explicitly owned, managed, and maintained by our company, including:
- publicly accessible websites owned, managed, or controlled by Bankart,
- services intended exclusively for our clients,
- publicly accessible services and web and mobile applications, including interfaces (APIs) hosted on Bankart websites or infrastructure,
- IT and network infrastructure, support systems, and other information components that are part of delivering Bankart services,
- physical devices operated by Bankart.
All systems or domains not explicitly owned, controlled, or managed by our company are not covered by this policy.
This program does not grant any right or license to test systems outside the scope defined above.
Program Principles
We are aware of the important role of security researchers and ethical hackers in identifying security weaknesses. While we do not actively encourage unauthorized security testing, we also do not prohibit responsible third-party testing conducted in good faith and in accordance with the guidelines of this document.
We do not operate a vulnerability reward program (bug bounty) or other reward schemes. We do not provide monetary or material rewards, public recognition, or other incentives for vulnerability disclosure.
We may update or revoke this policy at any time without prior notice.
Guidelines for Responsible Testing
Authorization and Notification
- Mandatory prior communication: All security testing activities must be communicated to our security team in advance and approved in writing before they begin. Researchers must provide detailed information about the proposed tests, the systems involved, and their contact details. Our security team will respond to the request within a reasonable time, typically within 5 business days of receiving the message.
- Accidental findings: Passive or accidental discoveries (e.g., vulnerabilities noticed by chance) may be reported without prior notification. In such a case, all further testing must cease immediately and the finding must be reported in accordance with this policy.
Prohibited Activities
- Harmful tests and vulnerabilities: Tests that threaten the confidentiality, availability, or integrity of our systems are prohibited, including DoS/DDoS attacks, resource exhaustion attacks, and similar activities.
- Access and data: Obtaining, copying, modifying, or destroying data of the company, clients, or third parties is not permitted. Under no circumstances may you remove or share sensitive data.
- System protection: Tests that may cause damage to systems or data, whether intentionally or unintentionally, are not allowed. Only access to authorized accounts and data is permitted.
- Social and physical attacks: Social engineering (phishing, vishing, etc.) and physical access attempts (e.g., open doors) are prohibited.
- Use of tools: Do not use automated tools that generate excessive traffic or disrupt services.
- Minimal vulnerability testing: Exploit vulnerabilities only to the extent needed to confirm their existence.
- Excluded findings: UX issues, spelling errors, and systems outside the scope of the policy are not subject to testing.
- Protection of third parties and intellectual property: Do not jeopardize the privacy, security, or interests of employees, clients, or third parties, nor intellectual property or commercial interests.
Data and Privacy Protection
- Respect the confidentiality and privacy of all users and data.
- Any personal data you come across must be reported and must not be retained.
Legal and Regulatory Compliance
- During your research you must comply with all applicable laws and regulations.
- Vulnerability reports must not introduce additional operational risks.
- All relevant and confirmed findings will be incorporated into our ICT risk management and operational resilience processes in accordance with Articles 8–12 of the DORA regulation and the NIS2/ZInfV-1 and GDPR/ZVOP-2 incident response requirements.
How to Report a Vulnerability
- Before conducting any testing, send an email to responsible-disclosure@bankart.si describing your intentions, and obtain written approval.
- If you discover a potential security vulnerability, report it to the same email address in a well-structured format that includes:
  - a clear and detailed description of the vulnerability,
  - steps to reproduce (PoC code, screenshots, relevant URLs or affected systems),
  - an assessment of the potential impact,
  - your contact details (name, email, optional PGP key).
- Do not disclose the issue publicly before assessment, remediation, and a coordinated agreement with our security team.
Our Commitment
- We will confirm receipt of your report within a reasonable timeframe, typically within 5 business days.
- If the vulnerability report is valid and within the scope of this policy, we will examine and appropriately remediate the vulnerability. If necessary, we may contact you for additional clarification or cooperation.
- We strive to remediate confirmed vulnerabilities in a timely manner, and by mutual agreement we may also coordinate public disclosure.
- We will not initiate legal proceedings against researchers who act in good faith and in accordance with the policy, nor support the enforcement of any legal remedies.
- If you were the first to report an issue and code is created or a configuration changed as a result, we will recognize your contribution on the "Security Researcher Wall of Fame at Bankart's premises" (Security Researcher Wall of Fame).
Final Note
We appreciate the efforts of researchers who contribute to a safer digital environment. While we do not encourage unauthorized security testing, we thank you for professional and responsible reporting. For any further questions, contact us at responsible-disclosure@bankart.si.
Vulnerability Disclosure Policy – Guidelines for Security Researchers and Responsible Disclosure
As a company committed to ensuring the confidentiality, integrity, and availability of information as well as the financial assets of our clients and our own operations, we recognize the value of the security research community. Responsible discovery and disclosure of security vulnerabilities is essential to protect our systems and users.
This policy defines our approach to vulnerability reporting and establishes clear expectations for all stakeholders involved.
Scope
This policy applies to all information assets explicitly owned, managed, or maintained by our company, including:
- publicly accessible websites owned, managed, or controlled by Bankart;
- services intended exclusively for our clients;
- publicly accessible services and web or mobile applications, including APIs hosted on Bankart websites or infrastructure;
- IT and network infrastructure, support systems, and other information components that are part of delivering Bankart services;
- physical devices managed by Bankart.
All systems or domains not explicitly owned, controlled, or managed by our company are out of scope.
This program does not grant any rights or license to test systems outside the scope defined above.
This policy may be updated or revoked at any time without prior notice.
Program Principles
We recognize the important role of security researchers and ethical hackers in identifying security weaknesses. While we do not actively encourage unauthorized security testing, responsible testing conducted in good faith and in accordance with this policy is not prohibited.
We do not operate a bug bounty or reward program. No monetary or material rewards, public recognition, or other incentives are offered for vulnerability disclosure.
Guidelines for Responsible Testing
Authorization and Notification
- Prior Communication: All security testing activities must be communicated to our security team in advance and approved in writing. Researchers must provide detailed information about the proposed tests, affected systems, and contact details. Our security team will typically respond within 5 business days of receiving the request.
- Accidental Discoveries: Passive or accidental discoveries (e.g., randomly detected vulnerabilities) may be reported without prior notification. In such cases, further testing must cease immediately, and the finding should be reported in accordance with this policy.
Prohibited Activities
- Harmful Testing: Testing that could compromise the confidentiality, availability, or integrity of our systems, including DoS/DDoS attacks, resource exhaustion attacks, or similar activities, is prohibited.
- Data Access and Handling: Accessing, copying, modifying, or destroying data of the company, clients, or third parties is strictly forbidden. Sensitive data must not be removed or shared under any circumstances.
- System Protection: Testing that may cause harm to systems or data, intentionally or unintentionally, is not allowed. Only authorized accounts and data may be accessed.
- Social Engineering and Physical Attacks: Social engineering (phishing, vishing, etc.) and physical attempts to access facilities (e.g., open doors) are prohibited.
- Use of Tools: Do not use automated scanning tools that generate excessive traffic or disrupt services.
- Minimal Exploitation: Exploit vulnerabilities only to the extent necessary to confirm their existence.
- Excluded Findings: UX issues, typographical errors, and systems outside the scope of this policy are not to be tested.
- Protection of Third Parties and Intellectual Property: Do not compromise the privacy, security, or interests of employees, clients, or third parties, nor intellectual property or commercial interests.
Data and Privacy Protection
- Respect the confidentiality and privacy of all users and data.
- Any personal data encountered must be reported and not retained.
Legal Compliance
- All research must comply with applicable laws and regulations.
- Vulnerability reports must not introduce additional operational risks.
- All relevant and confirmed findings will be incorporated into our ICT risk management and operational resilience processes in accordance with DORA Articles 8–12 and NIS2/ZInfV-1 and GDPR/ZVOP-2 incident response requirements.
How to Report a Vulnerability
- Before conducting any testing, send an email to responsible-disclosure@bankart.si describing your intentions and obtain written authorization.
- If a potential vulnerability is discovered, report it to the same email address in a well-structured format, including:
  - a clear and detailed description of the vulnerability;
  - steps to reproduce (PoC code, screenshots, relevant URLs or affected systems);
  - an assessment of potential impact;
  - your contact information (name, email, optional PGP key).
- Do not publicly disclose the issue or vulnerability before assessment, remediation, and coordinated agreement with our security team.
Our Commitment
- We will acknowledge receipt of your report within a reasonable timeframe, typically 5 business days.
- If the report is valid and within the scope of this policy, we will investigate and remediate the vulnerability. We may contact you for additional clarification or collaboration if needed.
- We aim to remediate validated vulnerabilities promptly, and public disclosure may be coordinated with mutual agreement.
- Researchers acting in good faith and in accordance with this policy will not face legal action or enforcement of any legal claims.
- If you are the first to report a vulnerability and a code change or configuration update is implemented as a result, your contribution will be recognized on the Bankart Security Researcher Wall of Fame.
Final Note
We appreciate the efforts of researchers contributing to a safer digital environment. While we do not encourage unauthorized security testing, we thank you for professional and responsible reporting. For any questions, please contact responsible-disclosure@bankart.si.