Rules of Engagement

The National Cyber Security Centre in the Netherlands has created guidelines for reporting weaknesses in IT systems. Our rules are based on these guidelines.

When you discover and/or investigate a weakness, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offence to the authorities and will not submit a claim against you.
We are not obliged to reward or compensate you for your findings, but you might receive a reward; the reward amount is not fixed in advance either. DHB Bank determines any reward amount by taking various factors into account, such as:
- The caution taken in your investigation.
- The quality of your report and your interactions with our security team.
- The extent of the damage averted because of your report.

Rules
Take responsibility and act with extreme care and caution. When investigating the matter, only use methods or techniques that are necessary in order to find or demonstrate the weaknesses.
- In no way should the research disturb our bank’s (online) services.
- In no way may the investigation lead to the disclosure of banking and/or customer data.
- Don't make the vulnerability public until we fix it. Instead, talk to our team and give them time to fix the problem.
- Do not modify or delete data. If your findings require you to copy data from the system, limit the copy to what is strictly necessary as proof.
- Do not use weaknesses you discover for purposes other than your own investigation.
- Do not use social engineering to gain access to our systems.
- There is no acceptable reason to leave a backdoor in a system, not even to demonstrate the vulnerability. Installing a backdoor weakens the system's security even further.
- Do not alter or delete any information in the system. If you need to copy information for your investigation, never copy more than you need: one record is sufficient, do not go any further.
- Do not alter the system in any way, and do not make any changes to system configurations.
- Do not use techniques that affect the accessibility of our bank’s (online) services.
- Limit the penetration of the system to what is strictly necessary to find and demonstrate the vulnerability. If access is obtained, we expect that it will not be shared in any way with others.
- Do not use brute force techniques, such as repeatedly entering passwords, to gain access to systems.

Important Note/Caveat
Please note that laws and regulations concerning responsible disclosure (coordinated vulnerability disclosure) differ from country to country. If you are located and working outside the Netherlands when you carry out research on our systems, our bank's policy may not fully apply to you. It is therefore possible that, even if you have acted in accordance with the guidelines of our coordinated vulnerability disclosure policy, the authorities in your country take legal action against you, despite the fact that DHB Bank has not reported the matter to them.

Exclusions
Below are some examples of known issues (trivial or low-impact findings) that we treat as accepted risks. They are out of scope and will not be accepted as security vulnerabilities.

  • HTTP 404 pages or other non-200 HTTP status codes / pages.
  • Fingerprinting / version banner disclosure on general or public services.
  • Publicly accessible files and folders containing non-sensitive information (e.g. robots.txt).
  • Clickjacking and related vulnerabilities.
  • CSRF on forms available without a session (e.g. a contact form or login form).
  • Cross-Site Request Forgery on the logout function.
  • Presence of 'autocomplete' or 'save password' functionality.
  • Lack of 'Secure' / 'HttpOnly' flags on non-sensitive cookies.
  • Weak CAPTCHA or CAPTCHA bypass.
  • Brute force on the login page / account lockout not enforced.
  • HTTP OPTIONS method enabled.
  • Username / email enumeration via login error messages, 'Forgot Password' responses or password reset errors.
  • Lack of HTTP security headers such as Strict-Transport-Security, X-Frame-Options or X-XSS-Protection.
  • SSL/TLS configuration weaknesses: attacks that cannot be exploited from the outside, missing forward secrecy, weak or unsafe cipher suites.
  • Missing HTTP Public Key Pinning (HPKP).
  • SPF, DKIM and DMARC issues.
  • Host Header Injection.
  • Content spoofing / text injection on 404 pages.
  • Reporting outdated software versions without a proof of concept or working exploit.
  • Leakage of information in metadata.
  • Missing DNSSEC.
  • Expired or inactive domains (domain takeover).
  • Same Site Scripting / localhost DNS records.