Reporting NWB Bank’s ICT system vulnerabilities

At NWB Bank, we take the security of our ICT systems seriously. If you happen to identify a weak spot in one of our ICT systems, please let us know so we can take appropriate action. We want to work with you to improve the security of our ICT systems. 

We developed the procedure below to help you report any vulnerabilities you may have identified in our ICT systems. You may remind us of this procedure if you encounter a weakness in one of the ICT systems and report it to us.

Please do the following:

  • E-mail your findings to Encrypted if possible, to prevent the information from falling into the wrong hands.
  • Provide enough information to reproduce the problem, so we can resolve it as soon as possible. The IP address or URL of the system in question and a description of the problem are usually sufficient, though more complex vulnerabilities may require additional information.
  • Provide your contact details, so we can get in touch with you to find a secure solution. Please provide at least an e-mail address or telephone number.
  • Report the vulnerability to us as soon as possible after discovering it.
  • Do not share information on the vulnerability with others until the problems have been resolved.
  • Use your knowledge of the vulnerability responsibly. Do not perform any more actions than necessary to demonstrate the vulnerability.

In any event, please refrain from the following:

  • Installing malware.
  • Copying, modifying and/or deleting data in any of our systems (or creating a directory listing of a system).
  • Modifying systems in any way.
  • Repeatedly gaining access to the system or sharing access with others.
  • Using brute force to gain access to systems.
  • Using denial-of-service or social engineering.
  • Exploiting the vulnerability more than is necessary to establish its presence.

What to expect:

  • If you report a vulnerability in one of our ICT systems and follow the above procedure, there will be no legal consequences regarding this report.
  • We will handle reports confidentially, and we will not share personal information with third parties without your permission, unless required by law.
  • We can publish your name as the discoverer of the vulnerability if you like.
  • We will confirm receipt of your report within three days by e-mail.
  • We will respond to your report within seven days with an assessment and an expected solution date.
  • We will keep you up to date on our progress in solving the problem.
  • We will resolve the vulnerability in our ICT system as quickly as possible, but definitely within 60 days. Meetings can be scheduled to discuss whether the problem should be made public once solved, and if so, how.
  • If the vulnerability is difficult or impossible to solve, or if the solution requires a disproportionate amount of resources, we may decide to accept the vulnerability and prohibit further publication on the matter.
  • In consultation with the reporting party, we may agree to inform the wider ICT community of the vulnerability, if it seems likely that the vulnerability may also be present elsewhere.
  • We may issue a reward or token of appreciation for your help. Any such reward or token of appreciation will be based on the severity of the vulnerability and the quality of the report but must involve a serious vulnerability previously unknown to us.

Other provisions:

  • Do not publicly announce the vulnerability, but get in touch with us and give us an opportunity to resolve the issue.

More information?

Bart Kuipers
Security Manager
+31 70 416 62 66