RESPONSIBLE DISCLOSURE PROGRAM
Mantener la confidencialidad, integridad y disponibilidad de nuestros sistemas y servicios es un aspecto crítico de nuestras operaciones diarias.
El programa
Actualmente, Swissquote Group no aplica ningún programa de recompensas por identificación de errores y no autoriza la investigación activa de vulnerabilidades en sus sitios web y servicios. Sin embargo, si detectas una vulnerabilidad de seguridad, te agradeceríamos mucho tu cooperación y que nos la comuniques de manera responsable.
La notificación debe realizarse por correo electrónico a: vulnerability_disclosure@swissquote.ch con toda la información que consideres necesaria para explicar el problema y cómo lo identificaste.
Se espera que una notificación de vulnerabilidad típica contenga la siguiente información:
- una descripción de la vulnerabilidad y su impacto potencial;
- la lista de hosts, servicios o URL afectados;
- los pasos necesarios para reproducir la vulnerabilidad;
- cómo identificaste la vulnerabilidad;
- tu información de contacto.
Envía solo una vulnerabilidad por informe, a menos que se requiera una cadena para lograr un impacto mensurable. Acusaremos recibo de tu notificación; sin embargo, no proporcionaremos más información sobre nuestros hallazgos.
As stated above, active research of vulnerabilities (e.g., scans) is not authorised. Also note that the following activities are strictly forbidden and monitored:
- any activity that could lead to the disruption of our services (DoS, DDoS, spam, etc...);
- any activity that would threaten the integrity of user data;
- any activity that would breach the confidentiality of user data;
- usage of automated tools to find vulnerabilities;
- any fraudulent transaction.
Swissquote Group reserves the right to bring any legal action against any person acting in a manner considered as illegal, illicit or as infringing the above.
This program applies to the following:
- domains where Swissquote Group Holding SA is listed as the Registrant Organisation, more specifically domains under "swissquote.ch" and "swissquote.com"; "library.swissquote.com" is excluded from the above;
- domains where YUH SA is listed as the Registrant Organisation;
- mobile applications published by Swissquote Mobile on the Android Play Store;
- mobile applications published by Swissquote on the Apple Store.
Certain vulnerabilities are considered out of scope for this program. These include:
- outdated or vulnerable software versions if no clear exploitability can be demonstrated;
- bugs requiring non-trivial prior knowledge, such as a session token, as prerequisite;
- missing best practices in SSL/TLS configuration;
- social engineering related issues;
- physical security of Swissquote Group property.
If you didn’t find the information you were looking for or you still have questions, check out other Help categories.