Responsible disclosure program policy
At Revolut, the security of our users’ data is our priority. The purpose of this page (the “Responsible Disclosure Program”) is to provide you with all the information you need if you have discovered or believe to have discovered a potential vulnerability in any of our services. We are committed to ensuring our security is top tier and really appreciate the help of our community to achieve this. To make sure that any disclosures are made responsibly please ensure you follow the terms below:
- All submissions should be made through the Intigriti platform, you will need to register on the platform by using the link at the bottom of this page.
- Please make sure that any disclosures are made as soon as possible. Not only will this help in resolving security issues in a timely fashion but help ensure that you are the first to get any reward (if applicable)!
- All rewards will be in the form of Intigriti reputation points and managed by Intigriti in accordance with their terms and conditions. More information can be found here - https://kb.intigriti.com/en/articles/3379630-leaderboard-reputation-and-streak.
- Public disclosures of any vulnerabilities (e.g. through social media or the press) can put our community at risk so please make sure you keep this confidential. All disclosures should be made in accordance with this Responsible Disclosure Program so that we can focus on resolving any issues as soon as possible. We reserve our right to take legal action or withhold rewards if this is not followed.
- If you do discover a vulnerability and come into possession of personal data about Revolut customers or employees you must ensure this is deleted as soon as you have made the disclosure through the form below. Personal data is any information that can be used to identify an individual.
- None of the research you have undertaken when reporting a vulnerability should have been obtained by unlawful means.
Frequently asked questions
What shouldn’t I be reporting?
- Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services without a PoC
- Security header configurations or missing header
- Lack of Secure/HTTPOnly flags on non-sensitive cookies - Phishing or Social Engineering Attack
Is there a reward?
Once validated by Intigriti you will receive Intigriti reputation points as mentioned on this page: https://kb.intigriti.com/en/articles/3379630-leaderboard-reputation-and-streak
When will I hear from you after making a disclosure?
Your submission should be acknowledged within 72 hours. The disclosure will then need to be validated after which you will be contacted again usually within 5 business days.
Can I publish anything about the vulnerability after my disclosure?
We ask that any details remain confidential to best protect our community. This is in line with Intigriti’s Researcher Terms and Conditions - https://kb.intigriti.com/en/articles/5466165-researcher-terms-conditions. If you have any further questions on this please contact Intigriti at firstname.lastname@example.org