Have you found a security flaw?

For us it’s important that our customers feel safe and secure when doing business with us. That’s why we take a structured approach to security in all of our development and management of systems.

We constantly strive to achieve the highest possible security and quality. Despite this, an error may slip by. If you have found a security flaw, we would like to hear more about it so that we can correct the problem as soon as possible.

What can you report?

You can report security flaws that you have found in any of our services. Examples of security flaws are cross-site scripting, flaws in encryption or flaws with security implications in logic controls. The reporting service is not for other logical errors, errors in texts, questions about our services, questions about the security of our services or similar.

How do you report?

Send an email to us at responsible-disclosure@swedbank.com. We prefer that you use our public PGP key to encrypt and protect the information you send. Be sure to include the following information:

  • Detailed description of the vulnerability, including information such as the URL and the type of vulnerability.
  • The necessary information that we need in order to reproduce the problem.
  • If applicable, a screenshot of the vulnerability you have found.
  • Contact information, name, email, phone number, and your public PGP key (if you have one).

What can you expect of us?

We will confirm that we have received your description, continuously keep you updated while we process the issue, and inform you when the issue is fixed.

Claims for compensation as a condition for sending in a vulnerability will not be accepted.

Can you file a report anonymously?

Yes, but then we cannot respond and keep you updated on the status.

PGP key

Key ID: 0x0AD6CCAF
Fingerprint: 2D14 4030 6D4B 68C3 F286 3AC6 333B E8E4 0AD6 CCAF

What is required of you?

For the security of Swedbank and our customers it's important that you follow good practice, i.e. that:

  • You do not use the vulnerability to access or attempt to access information that does not belong to you.
  • You do not use the vulnerability to remove or modify information.
  • You do not affect the availability of our services through denial of service attacks.
  • You give us an opportunity to fix the reported vulnerability before going public with it.