RESPONSIBLE DISCLOSURE PROGRAM

As a leader in digital banking, Swissquote deeply cares about information security.

Maintaining the confidentiality, integrity and availability of our systems and services is a critical aspect of our daily operations.

 

The Program

Swissquote Group currently does not operate a bug bounty program, and does not authorise the active research of vulnerabilities on its websites and services. Nevertheless, should you discover a security vulnerability, we would greatly appreciate your cooperation in disclosing it to us in a responsible manner.

Reporting Guidelines

Reporting should be done by email to: vulnerability_disclosure@swissquote.ch with all information you deem necessary to explain the issue and how you found it.

A typical vulnerability report is expected to contain the following information:

  • a description of the vulnerability and its potential impact;
  • the list of affected hosts, services or URLs; 
  • the required steps to reproduce the vulnerability; 
  • how you identified the vulnerability; 
  • your contact information.

Submit only a single vulnerability per report, unless a chain is required for measurable impact. We will acknowledge receipt of your report; however, we will not provide further information on our findings.

Strictly Forbidden Activities

As stated above, active research of vulnerabilities (e.g., scans) is not authorised. Also note that the following activities are strictly forbidden and monitored: 

  • any activity that could lead to the disruption of our services (DoS, DDoS, spam, etc.);
  • any activity that would threaten the integrity of user data; 
  • any activity that would breach the confidentiality of user data; 
  • usage of automated tools to find vulnerabilities; 
  • any fraudulent transaction.

Swissquote Group reserves the right to bring any legal action against any person acting in a manner considered as illegal, illicit or as infringing the above. 

Scope

This program applies to the following: 

  • domains where Swissquote Group Holding SA is listed as the Registrant Organisation, more specifically domains under "swissquote.ch" and "swissquote.com"; "library.swissquote.com" is excluded from the above;
  • domains where YUH SA is listed as the Registrant Organisation; 
  • mobile applications published by Swissquote Mobile on the Android Play Store; 
  • mobile applications published by Swissquote on the Apple Store. 

Certain vulnerabilities are considered out of scope for this program. These include: 

  • outdated or vulnerable software versions if no clear exploitability can be demonstrated; 
  • bugs requiring non-trivial prior knowledge, such as a session token, as prerequisite; 
  • missing best practices in SSL/TLS configuration; 
  • social engineering related issues; 
  • physical security of Swissquote Group property. 