Description

Responsible Disclosure indicates ING’s continued commitment to improve its security posture. As part of this process, we work closely with security researchers to identify and report vulnerabilities they find within our systems. ING appreciates security researchers efforts in reporting vulnerabilities on its systems as long as the discovered vulnerability is in scope, detected without the use of intrusive testing techniques, and follows the disclosure guidelines below:

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Not applicable
Not applicable
max. 10 requests /sec
Not applicable

Reports are required to be written in English. Please include a clear attack scenario outlining detailed reproduction steps.
Make sure that during your investigation you do not cause any damage or disruptions to our systems so do not alter, change or delete data from our systems. Do not put a backdoor in the system, not even for the purpose of showing the vulnerability as inserting a backdoor will cause even more damage to the safety of our systems and do not penetrate the system any further than required for the purpose of your investigation.
Make sure that during your research you do not inadvertently cause a data breach (i.e. sharing screenshots or recordings on 3rd party cloud solution).

Law regulations for Responsible Disclosure may differ by country. We strongly advise you to take these regulations into account. Your investigation on our systems could be regarded as a criminal act under local or international law and you may then risk criminal prosecution. If you have detected vulnerabilities in one of ING’s systems, please be aware that local law takes precedence over ING rules. Nevertheless, if you act in good faith and according to ING’s rules, we will not report your actions to the authorities, unless required to do so by law.

Domains

Any ING (sub)domain

No bounty
Other
In scope

Introduction

At ING, the safety of internet banking and the continuity of our online services are our top priorities. Our specialists work continuously to optimise our systems and processes. Despite the effort we put into the security of our systems, vulnerabilities can still be present.

Do you have the skills and have you discovered any vulnerabilities in our systems? Please help by reporting them to us, so that we can improve the safety and reliability of our systems together.

To encourage reporting vulnerabilities to ING, we would urge you to send any vulnerability you detect to us. Any researcher who provides a high quality report which will be important for the continuity and reliability of the bank will be invited to the private ING program in Intigriti. A financial reward is also possible after the invitation.

We are happy to announce our program! We've done our best to clean up our known issues and now would like to request your help to spot the ones we missed!

Feedback
Would you like to help us improve our program or have some feedback to share, please send your anonymous feedback here:

Program feedback link
Please note this form will be checked periodically and must not be used for submission or support queries.

Out of scope

Domains

  • Domains not owned by ING

Application

  • API key disclosure without proven business impact
  • Pre-Auth Account takeover/OAuth squatting
  • Self-XSS that can't be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS misconfiguration on non-sensitive endpoints
  • Missing cookie flags
  • Missing security headers
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Reverse tabnabbing
  • Bypassing rate-limits or the non-existence of rate-limits.
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages with no sensitive actions
  • CSV Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Mixed content type issues
  • Cross-domain referrer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection on error pages
  • Username/email enumeration
  • Email bombing
  • HTTP Request smuggling without any proven impact
  • Homography/typosquatting
  • XMLRPC enabled
  • Banner grabbing/Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Same-site scripting
  • Blind SSRF without proven impact (DNS pingback only is not sufficient)
  • Disclosed and/or misconfigured Google API key (including maps)
  • Host header injection without proven impact
  • Spam, social engineering and physical attacks
  • DoS/DDoS attacks or brute force attacks
  • Reports that state that software is out of date/vulnerable without a proof-of-concept
  • Attacks requiring physical access to a victim’s computer/device, man in the middle or compromised user accounts

General

  • In case that a reported vulnerability was already known to the company from their own tests or other reporting, it will be flagged as a duplicate
  • Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded or be lowered in severity
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Do not utilise social engineering in order to gain access to our systems.
  • Vulnerabilities detected by ING employees or former employees of ING are welcomed but excluded from any rewards.

Furthermore, this program is not intended for:

  • Reporting complaints about ING’s services or products
  • Questions and complaints about the availability of ING websites, mobile banking or internet banking
  • Reporting monetary issues (e.g. ATM’s and PIN devices)
  • Reporting Fraud or the presumption of fraud
  • Reporting fake SMS messages, e-mails or phishing/SMSishing (report these to valse-email@ing.nl)
  • Reporting malware
  • Reporting incompliance regarding International law and regulations
Severity assessment

This program follows Intigriti's contextual CVSS standard

FAQ

Where can we get credentials for the app?

We currently don’t offer any credentials to test user roles.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
No collaboration
Last 90 day response times
avg. time first response
< 2 days
avg. time to decide
< 1 week
avg. time to triage
< 5 days
Activity
11/26
ING
closed a submission
11/26
ING
accepted a submission
11/19
logo
trapican
created a submission
10/28
ING
closed a submission
10/22
logo
banker101
created a submission
9/19
ING
closed a submission
8/21
logo
randshell
created a submission
7/18
ING
closed a submission
7/16
logo
rej_ex
created a submission
7/11
ING
closed a submission