Vulnerability Disclosure Programme

Find out how to help Tesco Bank by reporting any suspected security vulnerabilities or security disclosures.

Tesco Bank works hard to keep customers safe by continually maintaining and improving our security. With this in mind, we recognise the great value of external security researchers and the public. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you.

This guidance outlines our terms and approach to reporting any suspected security vulnerabilities or security disclosures related to Tesco Bank’s technology environment.

Please note that this Vulnerability Disclosure Programme is not a bug bounty or Hall of Fame programme, and that Tesco Bank will not make any financial reward for submissions.

In scope

This policy applies to any digital assets owned, operated, or maintained by Tesco Bank.

Out-of-scope

Assets or other equipment not owned by parties participating in this policy are out of scope. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

The following are considered out-of-scope:

• Any reports not relating to technical compromises of confidentiality, integrity and availability
• Vulnerabilities that rely on social engineering techniques (e.g. shoulder surfing, stealing devices, phishing, fraud, stolen credentials)
• Denial of Service (DoS) or Distributed Denial of Service (DDoS)
• Self-XSS (payloads executed by the user against themselves)
• Vulnerabilities that require a compromised client system or use a jailbroken/rooted mobile device
• Vulnerabilities that rely on customers using outdated or unpatched devices or browsers
• Disclosure of public information or information that does not present a risk to us or our customers (e.g. web server type disclosure).

Our commitments

When working with us, you can expect us to:

• Acknowledge your report within 30 days of receipt
• Work with you to understand and validate your report, noting that the time to resolution will depend on the severity and complexity of the reported issue
• Treat submitted reports confidentially
• Not share your personal details with third parties without your prior authorisation, unless required to do so to comply with legal obligations.

Our expectations

In participating in our Vulnerability Disclosure Programme, we ask that you:

• Act in line with this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy take precedence
• Report any vulnerability you’ve discovered promptly
• Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience
• Use only the Tesco Bank official channels detailed below to discuss vulnerability information with us
• Provide us with a reasonable amount of time (at least 180 days from the initial report) to resolve the reported issue before you disclose it publicly
• Perform testing only on in-scope systems and respect systems and activities which are out-of-scope
• If a vulnerability provides unintended access to data:
  • limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept
  • cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information
• Only carry out testing on and interact with user accounts you own.

If our security operations centre identifies malicious activity targeting Tesco Bank, we will treat this as an attack and not as a disclosure submission. We may act against any attacks, including reporting them to the police and other law enforcement agencies. If in doubt, cease all research activity immediately and disclose to Tesco Bank what you have discovered.

Tesco Bank may change or withdraw this Vulnerability Disclosure Programme at any time; please check back here for the latest information before starting any research.

Reporter responsibilities

We ask that reporters follow these principles:

• Submit reports in English
• Act responsibly, particularly if you believe you have discovered a genuine issue
• Protect any discovered sensitive or personal data
• Demonstrate concern for the availability of our systems
• Gain permission from your parent or guardian to submit the disclosure if under the age of 16.

We also ask that reporters avoid the following:

• Breaching any laws, including the Computer Misuse Act and other legislation relating to misuse of IT systems in the UK or anywhere in the world
• Compromising any customer or Tesco Bank data
• Degrading any of our systems’ performance
• Intentionally engaging in any attack against Tesco Bank or third parties
• Social engineering, denial-of-service, or physical attacks.

Information relating to our technology and information security solutions is confidential. Any information you receive or collect about us or any of our users as part of your research before making a Vulnerability Disclosure submission must be kept confidential and only used in connection with the Vulnerability Disclosure. You may not use, disclose, or distribute any such information without our written consent. Any such information should be deleted once we receive your submission.

Official channels

Please report security issues to SecurityDisclosure@tescobank.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. The guidance on this page contains all the information you need to be aware of before making a submission.

This programme is solely for external individuals reporting discovered security vulnerabilities. Colleagues and their families should use internal channels to report concerns. For any other concerns or queries, please head to our contact us page to find out how to get in touch.

Submission requirements

Please provide as much detail as possible to allow us to validate and fix any potential vulnerability quickly, including:

• A description of the vulnerability including the exploitability and impact on our customers, technology, and business. Use of screen captures and pictures is recommended
• Steps required to exploit the vulnerability including:
  • URLs and applications affected,
  • prior conditions required (e.g. logged in or not, any previous actions), and
  • reproducible steps for how to demonstrate the problem
• IP addresses used when the vulnerability was discovered, and any asset hardware identifiers observed
• If the issue presents post-authentication, the user ID used when the vulnerability was discovered
• A proof of concept demonstrating the vulnerability and associated evidence
• Names of any files uploaded to our systems or other actions carried out
• Your contact details, including a return email or phone number (with international dialling codes if applicable). If you would like to use an alternative communication channel (e.g. Threema), please let us know and we’ll try to accommodate your preferences.

If your submission contains only partial data and insight, this could delay our validation and fixing of the vulnerability. Responses to low and informational issues will be deprioritised. Additionally, please keep testing logs to help us correlate your activity.

Safe harbour

When conducting vulnerability research under this disclosure programme and per the terms of this policy:

• We will consider this research to be lawful, helpful to the overall security of the internet, and conducted in good faith, provided your research complies with all applicable laws
• We will not initiate or support legal action against you for accidental, good-faith violations of this policy, applicable anti-hacking, or anti-technology control circumvention laws if you have not caused harm to Tesco Bank or its customers.

If you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.

Please note that the safe harbour only applies to legal claims under the control of the organisation participating in this policy and that the policy does not bind independent third parties.
