bigbank-as / security-txt

Responsible Disclosure Policy of Bigbank AS

Home Page:https://jobs.bigbank.eu/.well-known/security.txt

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

security.txt

A public policy document for Bigbank AS, which describes contact information and guidelines for responsible disclosure and research of security vulnerabilities.

Bigbank AS Responsible Disclosure Policy is linked from our public web properties using the securitytxt.org standard. Example: jobs.bigbank.eu/.well-known/security.txt.

Why is this important?

With the recent high-profile security incidents such as Equifax and Yahoo, as well as changing legislation (GDPR), we've seen that security is an increasingly important topic to organizations, especially in licensed industries such as banking. In fact, security must be a board-room issue.

No software is perfect - even NASA makes mistakes. We can do our best to write secure software, but reality is that security bugs happen.

Enterprises have basically two choices to deal with vulnerabilities:

The last approach clearly does not work - the good guys will be scared of lawsuits, but anonymous attackers won't be. The end result is that we are unaware of vulnerabilities in our systems, until they are exploited.

Recent years have seen an explosion of "bug bounty" and "responsible disclosure" programs, where organizations publicly say "we do our best to write secure code, nevertheless, there might be bugs, if you find any such problems in our services, please let us know; in return we promise to fix the issue and not sue you for telling us about it".

These are Bigbank's guidelines for handling responsible disclosure and vulnerability research; a promise to fix found issues and to not sue responsible researchers.

We go about it by publishing said policy in our web pages via security.txt.

For Bigbank operated web properties, open https://<domain>/.well-known/security.txt (not all properties might have the file in place).

Repository Structure

This repository is a Dockerized Nginx web server, which serves static files related to security.txt.

Files in src/ are available from the webserver.

Responsible Disclosure Policy

Our Responsible Disclosure Policy is described in src/security-policy.md and is valid for all Bigbank-operated properties where a security.txt is present.

The policy is versioned and can change without notice. Change history can be seen from GitHub.

About

Responsible Disclosure Policy of Bigbank AS

https://jobs.bigbank.eu/.well-known/security.txt


Languages

Language:Dockerfile 100.0%