At the European Central Bank we greatly value the support of IT security researchers and members of cybersecurity communities in helping us to maintain our high IT security standards.
If you identify an IT security vulnerability relating to any of our websites please notify us promptly before disclosing the vulnerability to the outside world, so that we can take the necessary measures. This is known as responsible disclosure.
Please keep all information relating to the discovered vulnerability secret from all third parties for a period of at least 90 days, allowing us to identify and implement the measures needed to address the issue you have reported.
The current scope for reporting includes the following websites:
- the European Central Bank main website: www.ecb.europa.eu
- the European Systemic Risk Board website: www.esrb.europa.eu
- the ECB Banking Supervision website: www.bankingsupervision.europa.eu
Other sites, as well as subdomains of the sites listed above, are currently not included within this scope. We do regularly update this page, however, and it will reflect any changes to the scope for reporting.
How do you notify us?
If you have identified a security vulnerability, please proceed as follows:
Send us your notification as soon as possible via email to IT_responsible_disclosure@ecb.europa.eu.
Please include the following information in your report:
- your contact details (i.e. name, email address and PGP key);
- the type of vulnerability identified;
- the service/device/application impacted by the vulnerability;
- a detailed description of the problem encountered;
- the IP address(es) from which the security vulnerability was identified, together with the date and time of the discovery;
- a compressed archive (zip) with any files that can help in reproducing the flaw (e.g. screenshots, images, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, etc.).
The size of the email communication should not exceed 10MB. Please contact us in advance via the email address above should you need to send an attachment that is larger than this size.
Please use this PGP key to prevent unauthorised users from accessing the information.
Please act responsibly in dealing with your discovery of the identified security vulnerability. Do not take any actions that go beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your own advantage and avoid storing any confidential data obtained as a result of the issue.
Examples of vulnerabilities we will consider
- Injection and deserialization vulnerabilities (SQL/NoSQL/LDAP injection, command injection, object deserialization)
- Broken authentication and broken access control vulnerabilities (incorrect implementation of authentication, session management, access control)
- Sensitive data exposure (vulnerabilities that can lead to data leakage)
- Cross-site scripting
- Cross-site request forgeries
- XML external entities
- Server-side request forgeries
- Redirect vulnerabilities
- Underprotected API
- Known and zero-day vulnerabilities under the spotlight
Examples of vulnerabilities we will not consider
We continuously monitor our internet-exposed assets to identify security issues and misconfigurations, and we therefore kindly ask that you avoid reporting the following items if they don’t lead to actual exploitation:
- weak configurations of the TLS protocol;
- reports of non-compliance with best practices (e.g. for SPF/DKIM/DMARC configuration, content security policy, TLS misconfigurations);
- output of well-known automated tools/solutions.
How will we respond?
If you report a security vulnerability relating to any of our websites specified above, we will process your report as follows.
- We will confirm receipt of your report within two business days.
- We will send you our response within five business days following the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. In some special circumstances, we reserve the right to extend this period by giving appropriate notice.
- We will treat your report as confidential and will not share your details with third parties, except when obliged to do so by law.
- We are currently not running a reward programme for reporting vulnerabilities.
You can refer to the privacy statement for more information on how we handle your personal data within the Responsible Disclosure Programme.