Security Disclosure Policy

Security Disclosure SUBMISSION TERMS

We run an amnesty for security researchers who, in good faith, identify vulnerabilities our online systems.

A Security Disclosure is something you want to tell us about which impacts the confidentiality, integrity, or availability of bank or client data or systems.

If you have identified a potential vulnerability you can email us after reading the Security Disclosure Submission Terms, which contain all the information you need to be aware of before making a submission. 

If you discover or submit a vulnerability you should:

·        Not break any laws.

·        Make the Security Disclosure voluntarily

·        Be aged 16 or over, unless you have a Parent or Guardian’s permission.

Staff or their family members should follow the published internal process.

Email us at:


Important information

Disclosure Scope

We want to hear from you if you discover a site, application or system with a vulnerability on:


·        *

Including this IP range:

· -

Do's and Don'ts


·        Act in a responsible way

·        Provide complete details so we have maximum opportunity to resolve any issues

·        Assume penetration testing experts will be reviewing your submission

·        Report common vulnerabilities but don’t explain the problem and the impact, just point out where it lies.

·        Report esoteric or very new issues and fully explain the problem.

·        Cite references or sources


·        Put any Client or Coutts data at risk, degrade any of our system’s performance, or conduct any type of Denial of Service attack

If our security operations centre identify your actions this will be treated as an attack and not a Security Disclosure submission. We may take action against any attacks, including reporting them to the police.

What to include in your submission

We want to get as much information from you so we can validate and fix any potential vulnerability quickly. Please try to provide as much information as possible, including:

·        A description of the vulnerability including the exploitability and impact if not a common attack type

·        Steps required to exploit the vulnerability including: URL(s)/application(s) affected Prior conditions required (for example, logged in, not logged in, previous actions ) and how to demonstrate the problem

·        IPs used when the vulnerability was discovered

·        If post authentication, the user ID used when the vulnerability was discovered

·        A Proof of Concept

·        Names of any files uploaded to our systems

If you do not include everything in this list, this could delay or prevent us from validating and fixing the vulnerability. Responses to Low/Informational issues will be de-prioritised. Save all your logs as we will ask you to make them available to us.

Submissions we won't respond to

We won’t respond to or analyse submissions covering:

·        Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials)

·        Denial of service (DOS)

·        Self-XSS (User defined payload)

·        Vulnerabilities which require a jailbroken mobile device

·        Most vulnerabilities within identified test, UAT, lab, bankofapis or staging environments

·        Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers, including Internet Explorer versions prior to version 8

·        Vulnerabilities involving active content such as web browser add-ons

·        Disclosure of public information or information that does not present risk to us or our clients (for example, web server type disclosure)

·        Vulnerabilities contingent on a client system previously being compromised

Recognition and thanks

We may highlight anyone who has made a submission which has significantly helped us keep our clients safe and secure.  We will always ask for your consent before doing this.


Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about us or any Coutts user as part of your research prior to making a Security Disclosure submission as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Security Disclosure. You may not use, disclose or distribute any such information without our prior written consent.  Any such information should be deleted once your submission has been received.

* We may change this Security Disclosure Policy and the Security Disclosure Policy Terms from time to time.  We may also cancel them and our Security Disclosure programme at any time.  We’ll let you know on this page if we do this.