Responsible disclosure policy
Security of systems and data is paramount to KBC, and therefore an absolute priority. Despite our best efforts, it might be that some vulnerabilities are still present in our systems and processes. We therefore welcome anyone with the relevant skills to assist us in improving the overall security and reliability of our systems, processes and data.
We, meaning KBC Group NV (Havenlaan 2, 1080 Brussel, België, BTW BE 0403.227.515, RPR Brussel) and its affiliates (within the meaning of the Belgian Companies Code) established and operating in Belgium, apply this ‘Responsible Disclosure Policy’ to determine the conditions within which you can voluntarily test and report potential issues related to the safety of KBC systems, processes and data.
By engaging in any activities covered by this Responsible Disclosure Policy, you accept that the provisions of this Responsible Disclosure Policy will apply to your relationship with KBC.
In case you wish to investigate the safety of KBC systems, processes and data, you warrant that you will respect the following principles:
- You do not use any techniques that may disrupt our online and other services;
- You do not delete, modify or otherwise damage our data and systems in any way;.
- You do not copy our data, unless to the extent strictly necessary to perform your investigation, after which this data should be destroyed permanently;
- In no circumstance can you make anything related to the investigation public unless to the extent required by law;
- You do not utilize social engineering or brute force techniques (e.g. guessing the password) to gain access to KBC systems or procedures;
- You do not attempt to penetrate the system any further than strictly necessary to perform your investigation;
- You do not share any gained access or data with any others.
In case you think you have found any weakness with regard to KBC systems, processes and data, you should inform KBC of your findings through KBC's public program on the Intigriti platform. Our security teams will attentively review your submission with diligence and appropriate priority.
When reporting a vulnerability you detected, you warrant that you will respect the following principles:
- You have confirmed your ID on the Intigriti platform;
- You only use the Intigriti platform to inform on discovered vulnerabilities. Other feedback, such as complaints about KBC products & services will not be considered;
- You inform KBC without undue delay of any findings;
- You do not make any information about the investigation you performed public without prior approval of KBC, unless required by law;
- You provide KBC with all information it requires to reproduce the finding and take appropriate action.
You may be eligible for a reward as encouragement for reporting vulnerabilities. The value of the reward will depend on the impact of the reported vulnerability and will always be determined at the discretion of KBC. You are not eligible for a reward if you are an employee of KBC or have worked under contract for KBC in the past year.