Responsible disclosure policy

UK Finance appreciates the investigative work into security vulnerabilities which is carried out by well-intentioned, ethical security researchers.

Our Promise

We are committed to thoroughly investigating, understanding and resolving security issues across our websites in collaboration with the security community.

Scope

If you believe you have found a security issue in any platform or service owned or operated by UK Finance, we encourage you to notify us.

How to Notify Us

To submit a vulnerability report to UK Finance, please contact us at security@ukfinance.org.uk. Your submission will be reviewed and validated by a member of our security team. When reporting a security issue, please:

  • Provide detailed reports with reproducible steps and a clearly defined impact.
  • Submit one vulnerability per report.
  • Do not use social engineering (e.g. phishing, vishing, smishing); it is prohibited.

Safe Harbour

UK Finance supports safe harbour for security researchers who:

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Only interact with accounts you own or with the explicit permission of the account holder. If you do encounter Personally Identifiable Information (PII), contact us immediately, do not proceed with access, and immediately purge any local copies of that information.
  • Provide us with a reasonable amount of time to resolve vulnerabilities prior to any disclosure to the public or a third party.

We will consider activities conducted consistent with this policy to constitute "authorised" conduct and will not pursue civil action or initiate a complaint to law enforcement. We will help to the extent we can if legal action is initiated by a third party against you.

Please submit a report to us before engaging in conduct that may be inconsistent with or unaddressed by this policy.

You should not:

  • Access unnecessary amounts of data. For example, two or three records is enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability);
  • Violate the privacy of UK Finance users, staff, contractors, systems etc. For example by sharing, redistributing and/or not properly securing data retrieved from our systems or services;
  • Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than the dedicated UK Finance security team;
  • Modify data in our systems/services which is not your own;
  • Disrupt our service(s) and/or systems; or
  • Disclose any vulnerabilities in UK Finance systems/services to third parties or the public prior to UK Finance confirming that those vulnerabilities have been mitigated or rectified. This does not prevent notification of a vulnerability to third parties to whom the vulnerability is directly relevant, for example where the vulnerability being reported is in a software library or framework, but details of the specific vulnerability in UK Finance systems must not be referenced in such reports. If you are unsure about the status of a third party to whom you wish to send notification, please email security@ukfinance.org.uk for clarification.

We request that any and all data retrieved during research is securely deleted as soon as it is no longer required, and in any case no later than one month after the vulnerability is resolved, whichever occurs soonest.

If you are unsure at any stage whether the actions you are thinking of taking are acceptable, please contact our security team for guidance (please do not include any sensitive information in the initial communications).

This policy is designed to be compatible with common good practice among well-intentioned security researchers. It does not give you permission to act in any manner that is inconsistent with the law or cause UK Finance to be in breach of any of its legal obligations, including but not limited to:

  • The Computer Misuse Act (1990)
  • The General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act 2018
  • The Copyright, Designs and Patents Act (1988)