This page includes information for security researchers who are interested in participating in Aktia’s Vulnerability Disclosure Program.
Briefly in Finnish
The Aktia Vulnerability Disclosure Program is a program aimed at security researchers whose goal is to find vulnerabilities in Aktia's systems. This page contains more information about the program and instructions for participating in it.
If you are looking for information about safe banking, go to www.aktia.fi/turvallisuus.
If you want to report a phishing message to us, send an email to [email protected].
Other security incidents can be reported to [email protected].
Our goals for the program are to ensure safe digital transactions with our end users, to ensure that security is aligned with our SDLC, and to continually evolve our team's vulnerability management processes. To achieve these, we first need to identify our vulnerabilities. This is where you can help us.
When working with Aktia according to our policy, you can expect us to
- offer Safe Harbor for your security research that is related to this policy
- work with you to understand and validate your report, including an initial response to the submission as soon as possible (usually within 48 business hours)
- prioritize security and work to remediate discovered vulnerabilities in a timely manner.
Vulnerability Disclosure Guidelines
There are some guidelines that need to be followed to ensure good-faith security research.
- Respect the rules. Operate within the rules set forth by the Security Team or speak up if in strong disagreement with the rules.
- Respect privacy. Make a good faith effort not to access or destroy another user's data.
- Be patient. Make a good faith effort to clarify and support your reports upon request.
- Do no harm. Act for the common good by promptly reporting all found vulnerabilities. Never willfully exploit others without their permission.
Note that you are not allowed to publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so.
Safe harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
How to contact us
- You can contact us directly at [email protected], preferably via our Secure Mail service at https://securemail.aktia.fi/.
Please provide detailed reports with reproducible steps. Whenever possible, add a custom HTTP header to your requests to help us find the related log entries: name the header “X-Security-testing” and use a value such as a made-up username or handle of your choosing.
Thank you for helping keep Aktia and our users safe!
Our services may not be tested without permission or by illegal means (Chapter 38 of the Criminal Code, §5-§8). Among other things, actions that endanger our customers' data or the continuity of our services are counted as illegal means. Possible misuse cases are always investigated.