Vulnerability Disclosure Policy (VDP)
Description
Schwyzer Kantonalbank & Pensionskasse des Kantons Schwyz acknowledges the valuable role of independent security researchers who act in good faith to help maintain the safety and confidentiality of our and our customers' data and the integrity and availability of our systems, products and services. We therefore welcome the responsible reporting of any vulnerabilities identified in online services, applications, platforms or websites owned, operated or maintained by us.
Policy
This policy outlines the steps for reporting vulnerabilities to us. Please review the policy carefully before you test and/or report a vulnerability. We are committed to collaborating with security researchers to verify and address any potential vulnerabilities that are reported to us.
Scope
Any public-facing online services, applications, platforms or websites owned, operated, or maintained by Schwyzer Kantonalbank and Pensionskasse des Kantons Schwyz.
Out of Scope
Please note that we use services from other companies and/or organizations for some parts of our systems and infrastructure.
Vulnerabilities discovered or suspected in those systems should be reported to the appropriate entity, vendor or applicable authority. If such a vulnerability is reported to us instead, we will bring it to the attention of the relevant organization. However, the owner of the affected IT system remains responsible for the system and for any remediation activities.
When working with us according to this policy, you can expect us to:
- Respond in a timely manner, acknowledging receipt of your vulnerability report
- Provide an estimated time frame for addressing the vulnerability report
- Work with you to understand and validate your report
- Maintain an open dialogue with you to discuss issues
- Work to remediate discovered vulnerabilities in a timely manner
- Strive to keep you informed about the progress of a vulnerability as it is processed
- Notify you when the vulnerability has been fixed
- Recognize your contribution if you are the first to report a unique vulnerability that we determine poses a risk to our systems, services or data security and that therefore leads to a code or configuration change
- Provide a legal Safe Harbor for your vulnerability research that is related to this policy
In participating in our vulnerability disclosure program, we ask you to:
- Play by the rules and instructions described in this policy
- Not breach any applicable laws in connection with your report and your interaction with us (e.g. do not engage in extortion)
- Only interact with test accounts you own or with explicit permission from the account holder
- Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience
- Avoid tests that could cause degradation or interruption of our service:
  - refrain from using automated tools
  - limit the rate of requests per second that you send
- Report any vulnerability you’ve discovered promptly
- Only use the official disclosure channels as defined below to discuss vulnerability information with us
- Ensure the confidentiality of details of any discovered vulnerabilities according to this policy
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; cease testing and submit a report immediately
- Don’t exploit or use the discovered vulnerabilities in any manner other than for the purposes of reporting to us
- Destroy any sensitive data obtained during testing. Sensitive data must be deleted immediately after you have notified us (in the form of a record) and SZKB has acknowledged the notification.
- Provide us with a reasonable amount of time to resolve the issue
- When the reported vulnerability is resolved, or remediation work is scheduled, the Vulnerability Disclosure Team will notify you, and invite you to confirm that the solution covers the vulnerability adequately.
- Coordinate with us before disclosing vulnerabilities publicly (according to the CVD rules set out in this policy)
While we encourage you to report any vulnerabilities you find to us, the following conduct is prohibited:
- Performing actions that may negatively affect our systems or our customers (e.g. phishing, spam, brute force, denial of service, etc.)
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
- Conducting any kind of physical or electronic attack on our personnel, property, buildings or infrastructure
- Social engineering attacks against our employees, customers or contractors
The systems in scope may store and process sensitive data that is subject to specific legal and contractual protection. If you gain access to sensitive data stored or processed on our systems, you are obliged to report this immediately via the channel defined below.
Furthermore, if you gain access to sensitive data, you must keep it confidential, you must not use it to gain financial benefits, and you are obliged to destroy the data after you have reported the vulnerability. Failure to do so results in the loss of the legal Safe Harbor protection.
We value the efforts of external security researchers who identify security vulnerabilities and disclose them responsibly so that they can be fixed. Our policy is to allow publication, provided the following conditions are met (Coordinated Vulnerability Disclosure):
- The reporting individual does not publish the vulnerability prior to us confirming a fix has been released and that it is acceptable to publish.
Please report security issues exclusively via this platform, providing all relevant information. Do not submit reports from automated tools without verifying them. The more of the following details you provide, the easier it will be for us to triage and fix the issue:
- Technical description of the vulnerability, including:
  - Browser information (type and version) used
  - Relevant information about connected components and devices
  - URL(s) of the impacted platform(s)
  - Sample code to demonstrate the vulnerability and/or detailed steps to reproduce it
- Threat/risk assessment
- Date and time of discovery
- Contact information
- Possible disclosure plans
Please note that these channels are for reporting undisclosed security vulnerabilities only and must not be used for any other support or information requests. Inquiries sent there that do not relate to undisclosed security vulnerabilities will not receive any response.
- We will not take civil action or file a complaint with law enforcement authorities against participants for accidental, good faith violations of this policy
- We interpret activities by participants that comply with this policy as authorized access under the Swiss Penal Code. This includes Articles 143, 143bis and 144bis of the Swiss Penal Code.
- We will not file a complaint against participants for attempting to circumvent the security measures deployed to protect the services in scope for this policy.
- If legal action is initiated by a third party against a participant and the participant has complied with the policy as outlined in this document, we will take the necessary measures to make it known to the authorities that such participant’s actions have been conducted in compliance with this policy.
- For minor breaches, a warning may be issued. For severe breaches, we reserve the right to file criminal charges.
You are expected, as always, to comply with all applicable laws. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before you continue your research.
Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.