It is important to us at Swedbank that our customers feel safe and secure when managing their monetary affairs through our electronic channels. Therefore, we seek to ensure the highest level of security in our IT systems. Despite this, an error may slip by. If you have found a security flaw, we would like to hear about it so that we can correct the problem as soon as possible.
How do you report?
Send an email to us in your local language at responsible-disclosure@swedbank.com. Optionally, you can use our public PGP key to protect the information you send. Make sure to include the following information:
- A detailed description of the vulnerability, including details such as the URL and the type of vulnerability.
- The necessary information that we need to resolve the problem.
- If applicable, a screenshot of the vulnerability you have found.
- Contact information, name and surname, email, phone number, and your public PGP key (if you have one).
The personal data you submit will be processed by Swedbank in order to inform you about the analysis and correction of the IT security flaws you noticed and, if necessary, to contact you regarding the revision of the information you submitted. More information about Swedbank’s data processing procedure is available in the Swedbank Principles of Processing Personal Data.
What can you report?
You can report security flaws that you have found in any of our services. Examples of security flaws are cross-site scripting, flaws in encryption, or flaws in logic controls that have security implications. The reporting service is not intended for other logical errors, errors in texts, questions about our services, questions about the security of our services, or similar.
What can you expect from Swedbank?
We will confirm that we have received your description, continuously keep you updated while we process the issue, and inform you when the issue is fixed. Claims for compensation as a condition for sending in a vulnerability are not accepted.
What is required from you?
It is important for both us and our clients that you follow good practice, i.e. that:
- You do not use the vulnerability to access or attempt to access information that does not belong to you.
- You do not use the vulnerability to remove or modify information.
- You do not affect the availability of our services.
- You give us an opportunity to fix the reported vulnerability before going public with it.
Can you file a report anonymously?
Yes, but we won’t be able to respond and keep you updated on the status.
PGP key
Use this PGP key if you want to send us an encrypted e-mail. Using it is not required.
Key ID: 0x0AD6CCAF
Control code: 2D14 4030 6D4B 68C3 F286 3AC6 333B E8E4 0AD6 CCAF