Skip to main content

Responsible Disclosure Policy

We value the security and privacy of our customers and partners, and we are committed to protecting them from cyber threats. We maintain trained and dedicated internal security functions to meet this objective and our associated legal and regulatory obligations. We appreciate external researchers acting appropriately and responsibly may help us identify security vulnerabilities and exposures in our systems and applications. This document describes our responsible disclosure policy, which aims to encourage (and in appropriate cases reward) responsible reporting of security issues to TSB whilst ensuring that all activities undertaken in that regard are appropriate and do not expose TSB, its customers or the broader market to risk.

Scope

Our responsible disclosure policy covers the tsb.co.uk domain along with the Bank’s mobile apps (iOS and Android) and the physical ATM network. We also welcome responsible disclosure of any TSB corporate or customer data believed to be exposed in publicly accessible web locations.

The following types of vulnerabilities are not in scope of this policy and should not be tested or reported:

  • Self-XSS
  • Missing HTTP security headers
  • Clickjacking
  • CSRF on forms with no sensitive actions
  • Spam or phishing issues
  • Physical or Social engineering attacks
  • Denial of service attacks

Guidelines

While we wish to encourage responsible reporting, it is important that external researchers follow the below guidelines when testing and reporting security vulnerabilities to the bank:

  • Do not attempt to access, modify, or delete any data that does not belong to you.
  • Do not exploit any vulnerability for any purpose, malicious or otherwise.
  • Do not disclose any vulnerability to anyone other than the bank's security team via the contact provided in this policy and via our RFC 9116 implementation - tsb.co.uk/.well-known/security.txt
  • Do not perform any testing that could disrupt or degrade the bank's services or systems.
  • Do not use any automated tools or scanners that could generate excessive traffic or false positives.
  • Do not use any brute force, spam, or phishing techniques.
  • Do not upload any vulnerability or client-related content to any third-party utilities (e.g. code repositories, file sharing or social media sites)
  • Do not violate any laws or regulations.

Any failure to follow these guidelines could expose TSB, its customers, other parties and/or the broader market to material risk and lead to regulatory, reputational or financial harm. We reserve the right to take legal action against anyone who does not comply with these guidelines.

Rewards

In appropriate cases, we may offer monetary rewards for valid and unique security vulnerabilities and exposures that are reported to us in accordance with our responsible disclosure policy. Whether TSB offers a reward, and the amount of any reward will be in TSB’s sole discretion and is likely to depend on a range of factors including in particular the severity, impact, and complexity of the vulnerability, as well as the quality of the report. We use industry standards such as the CVSS scoring system along with internal SME review to assess the severity of the vulnerabilities and associated reward ranges.

We may also offer non-monetary rewards, such as recognition or vouchers, at our sole discretion.

Rewards will only be provided where the researcher has complied with the guidelines contained within this policy and on compliance with the conditions of confidentiality outlined in the below ‘Disclosure’ section of this policy.

We reserve the right to determine the eligibility and amount of the rewards at our sole discretion. We may also reject or reduce the rewards for any of the following reasons:

  • The vulnerability is out of scope or has already been reported by someone else, or is otherwise already known to TSB.
  • The vulnerability is not reproducible or does not pose a significant risk.
  • The report is incomplete, unclear, or contains false or misleading information.
  • The researcher does not follow our guidelines or cooperate with us in a timely manner.
  • The researcher discloses the vulnerability to anyone other than the bank's security team.
  • The researcher does not disclose their findings up front and in a timely manner and/or withholds detail for bargaining purposes.
  • The researcher resides in or makes their submission from a country or region under export sanctions or trade restrictions.

Reporting

If you have found a security vulnerability that is in scope and complies with our guidelines, please report it to us as soon as possible.

You can use the following methods to contact us:

  • Email: ResponsibleDisclosure@tsb.co.uk

Please include the following information in your report:

  • Your name and contact details for further correspondence.
  • A brief description of the vulnerability and its possible impact.
  • The steps to reproduce the vulnerability, including any tools, scripts, screenshots, HTTP request / response pairs, and payloads.
  • The affected domain or application and the URL or endpoint where the vulnerability occurs.
  • The CVSS 3.1 score and vector of any vulnerability.
  • Any suggested mitigations or remediations.

We will aim to acknowledge your report within 24 hours. We will then review your report and verify the vulnerability. We will keep you updated on the status and progress of the issue at our discretion. We will also notify you of the resolution and reward decision. We aim to resolve and, where considered appropriate, reward the issues within 30 days, but this may vary depending on the complexity and severity of the vulnerability.

Disclosure

We appreciate your cooperation in keeping vulnerabilities confidential. We do not allow any public disclosure of the vulnerability or any reward without our prior written consent. We will also ask and expect that you remove any data or evidence that you have obtained from our systems or applications post conclusion of analysis and any relevant remediation.

Typically, we will not publicly acknowledge or thank you for your contribution on our website, social media, or any other channels.

Contact

If you have any questions or feedback about our responsible disclosure policy, please feel free to contact us at ResponsibleDisclosure@tsb.co.uk. We look forward to hearing from you and working with you to improve the security of our systems and applications.

TSB Bank plc. Registered office: Henry Duncan House, 120 George Street, Edinburgh EH2 4LH. Registered in Scotland, no. SC95237.
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 191240.

TSB Bank plc is covered by the Financial Services Compensation Scheme and the Financial Ombudsman Service.

Calls may be monitored and recorded in case we need to check we have carried out your instructions correctly and to help us improve our quality of service. Not all telephone banking services are available 24/7.

Together we can end domestic abuse.

Safe Spaces, UK Says No more, popup