Vulnerability Disclosure Policy of Zürcher Kantonalbank
At Zürcher Kantonalbank («the Bank») and its group companies security aspects are integral when designing, implementing, and maintaining the IT infrastructure. To further increase the cyber resilience of the Bank's IT systems, the Bank wants to encourage third parties to report vulnerabilities. This Vulnerability Disclosure Policy («Policy») applies between you and the Bank. By submitting vulnerability reports to the Bank («ZKB Bug Bounty Program»), you accept the Policy.
1. Eligibility
You are eligible to participate in the ZKB Bug Bounty Program, if you are at least 18 years old.
You are not eligible to participate in particular if you
- are an internal or external employee of the Bank or its group companies;
- were an internal or external employee of the Bank or its group companies within the last 6 months;
- are a close relative or a co-resident of an internal or external employee of the Bank or its group companies;
- have otherwise provided services to the Bank or its group companies within the last 6 months with access to the Bank's IT systems;
- are resident in a country against which the Federal Council has issued sanction measures or are explicitly listed on a sanction list.
If you are not eligible to participate in the ZKB Bug Bounty Program, you are still welcome to send in vulnerability reports in compliance with the Policy but you will not qualify for a bounty. It is at the Bank's full discretion to exclude you from participating in the ZKB Bug Bounty Program without any reason.
2. Confidentiality obligations
You acknowledge that by participating in the ZKB Bug Bounty Program you are subject to contractual and legal confidentiality obligations, including bank client confidentiality pursuant to paragraph 47 of the Swiss Federal Act on Banks and Savings Banks. You are therefore obliged to keep confidential any data that you may discover while participating in the ZKB Bug Bounty Program, in particular information about the vulnerability, the exploitation technique and critical data, such as client identifying data of the Bank or its group companies, other personal data, business and trade secrets or any security related data («Critical Data»). You are not allowed to publish, distribute, copy or disclose information about the vulnerability and the exploitation technique or Critical Data to third parties. You are also not allowed to download Critical Data with that intent or to use Critical Data to your personal advantage. The obligation to maintain confidentiality continues to exist after your participation in the ZKB Bug Bounty Program.
If you access and store Critical Data on the infrastructure you use during the discovery of the vulnerability, you must permanently delete it immediately after submitting your vulnerability report. You must not include any Critical Data in your vulnerability report.
Once the Bank has communicated to you that the vulnerability has been fixed, you are allowed to publish high-level descriptions of the vulnerability. This does not include the disclosure of Critical Data.
3. Subcontractors
You are not allowed to use third parties or subcontractors while participating in the ZKB Bug Bounty Program.
4. Scope
The following domains are in scope of the ZKB Bug Bounty Program:
- www.zkb.ch
- www.swisscanto.com
- www.swisscanto-fondsleitungen.com
- www.zkb-philanthropie-stiftung.ch
- www.frankly.ch
If you discover a vulnerability outside the scope defined above, you are still welcome to submit a vulnerability report in compliance with the Policy, but you will not be awarded a bounty.
5. Safe harbor terms
The Bank interprets any of your activities that comply with this Policy as authorized access to the Bank's IT systems and will refrain from filing criminal charges or civil actions against you.
If a criminal charge or civil action is initiated against you by a third party and you have fully complied with the Policy, the Bank will take reasonable measures to inform the authorities that your actions were conducted in compliance with the Policy.
In case of non-compliance with the Policy, the Bank reserves the right to file criminal charges or civil actions.
6. Procedure for submitting a vulnerability report
If you have discovered a security vulnerability, submit your vulnerability report to the Bank using PGP encryption and the contact information located at: https://www.zkb.ch/.well-known/security.txt.
The Bank will confirm receipt of your vulnerability report within 5 working days after your submission. You are welcome to enquire about the status but should avoid doing so more than once every 14 days. This allows the Bank to focus on fixing the vulnerability.
The Bank will inform you when the reported vulnerability is fixed and may contact you to confirm that the Bank has fixed the vulnerability adequately.
Depending on the affected service and type of vulnerability, the Bank may be required to share details of your report with a service provider or the manufacturer of the affected service to request a patch for the vulnerability or to ask for assistance.
7. Content of the vulnerability report
In your vulnerability report, the following details must be included:
- The website, IP address, or page where the vulnerability is detected;
- a brief description of the type of vulnerability, e.g., «XSS vulnerability»;
- a step-by-step guide to reproduce the vulnerability. The guide should be a benign, non-destructive proof of concept;
- an attack scenario for the reported vulnerability;
- your contact details.
Your report shall not include Critical Data.
8. Code of conduct
You must
- act in accordance with the Policy, specifically with the confidentiality obligations;
- conduct security tests in good faith and for the purpose of improving the security of the Bank's IT systems;
- comply with data protection rules and refrain from violating the privacy of individuals;
- immediately report the vulnerability.
You must not
- break any applicable law or regulations. However, activities that comply with the Policy will be interpreted as authorized access to the Bank's IT systems and the Bank will refrain from filing criminal or civil charges (see also the safe harbor terms);
- access unnecessary, excessive, or significant amounts of data;
- modify data or install software on the Bank's IT systems;
- misuse the Bank's IT systems, services or data;
- exploit the detected vulnerability or explore other vulnerabilities which rely on exploiting the detected vulnerability;
- disrupt the Bank's services. In particular, do not use high intensity, invasive or destructive scanning tools to detect vulnerabilities;
- attempt or report any form of denial of service, e.g. overwhelming a service with a high volume of requests;
- social engineer or «phish» the Bank's employees or clients;
- physically attack the Bank's infrastructure;
- submit vulnerability reports detailing non-exploitable vulnerabilities, or vulnerability reports indicating that the services do not fully align with «best practice», e.g., missing security headers.
9. Bounty payout
The decision whether to award a bounty as well as the amount of the bounty is at the Bank's sole discretion. This will be communicated to you after the Bank's review of your vulnerability report. The Bank does not cover any costs incurred by you in connection with your participation in the ZKB Bug Bounty Program.
The payment is made by wire transfer in Swiss Francs (CHF). The Bank will pay the bounty only if you provide the Bank with your full name, your postal address, a valid IBAN and BIC. Bounties are only granted for vulnerabilities not previously known to the Bank.
If you report multiple vulnerabilities which can be fixed by patching the same root cause, the vulnerabilities will be grouped together and count as one vulnerability (One Fix One Reward). The bounty is determined based on the CVSS score and our internal classification of the affected application. The combination defines a tier, which determines a fixed bounty.
| Tier | Amount |
|---|---|
| T4 | CHF 100.– |
| T3 | CHF 500.– |
| T2 | CHF 1'000.– |
| T1 | CHF 2'000.– |
10. Miscellaneous
Changes to the Policy: The Bank reserves the right to adjust the Policy at any time. Reporting a vulnerability after the effective date of the changes means that you agree to the updated Policy. The Bank reserves the right to terminate or discontinue the Program at its discretion.
Data protection: Information on data processing is available at https://www.zkb.ch/privacy.
Intellectual property: By submitting a report you grant the Bank a worldwide, perpetual, irrevocable, non-exclusive, transferable, sublicensable, fully paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit your vulnerability report for any purpose.
Applicable law and place of jurisdiction: The Policy is governed exclusively by substantive Swiss law. The exclusive place of jurisdiction is Zurich 1.
Taxes: The bounty shall include value added tax (VAT).
If your country of residence is Switzerland or the Principality of Liechtenstein, rewards are subject to value added tax (VAT). In such a case the Bank is obliged to show the VAT and the VAT shall be paid by the Bank. If your country of residence is outside of Switzerland and the Principality of Liechtenstein, you are solely responsible for the declaration of any applicable tax.
Limitation of liability: Any liability of the Bank in connection with the ZKB Bug Bounty Program is exclusively limited to direct damages up to the amount of CHF 100.– (one hundred Swiss Francs) and excludes any indirect or consequential damages, such as lost profits.
Last updated: March 2025