At RBC, we hold ourselves to the highest standards of integrity to build trust with every interaction. Our commitment is reflected in our dedication to protecting the security of our systems and our clients’ privacy, and to safeguarding the personal information entrusted to us.
RBC recognizes that fostering a close relationship with the community will help improve our security and we appreciate the contribution researchers and experts make to our security efforts. That’s why we encourage you to contact us directly to report potential vulnerabilities identified in any product or system belonging to RBC and its affiliates.
If you believe you have identified a potential security vulnerability, please submit it at responsibledisclosure@rbc.com following the submission format outlined below. Thank you in advance for sharing your findings.
Please note, RBC does not operate a public bug bounty program and does not offer rewards or compensation in exchange for submitting potential issues.
Inquiries and support requests that are outside of the scope of this Responsible Disclosure Program may be directed to RBC’s Customer Service channels available at https://www.rbcroyalbank.com/customer-service/.
RBC will not engage in legal action against individuals who submit vulnerability reports through the proper channel and in accordance with the following guidelines. As a responsible security researcher, you must:
- Engage in research without harming RBC, our customers, or our employees.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing using automated scanners.
- Conduct research using only accounts that you own or with the express consent of the account holder.
- Agree that, if you encounter personal information, you will immediately stop your activity, delete such information from your system, and contact RBC.
- Comply with all applicable Federal, Provincial/State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
- Agree that you shall not, without the prior written consent of RBC in each instance, disclose information related to your findings to any third party or the public.
- Agree that any and all information acquired or accessed by you as part of this exercise is confidential to RBC and you shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
- Be at least 18 years of age; if you are considered a minor where you live, you must have your parent’s or legal guardian’s permission prior to submitting a vulnerability.
Please note that RBC employees or contractors are not eligible to participate in the Responsible Disclosure Program.
RBC reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, RBC commits to acknowledging receipt of reports within two business days of submission and will keep you reasonably informed of the status of any validated vulnerability that you report through this program. By submitting a report to RBC, you agree that:
- RBC may take all steps needed to investigate and resolve the vulnerability, and you grant RBC any rights to your report needed to do so; and
- RBC may process any personal information you provide to RBC as part of your report.
If you believe you have discovered a vulnerability in our products or services, please send your report to responsibledisclosure@rbc.com using the public key below to encrypt your email communication.
In your report, please provide a detailed summary of the vulnerability, including target(s), screenshots or video, attack scenario and steps to reproduce with timelines and time-zone information. Please also include a secure method to contact you.
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. These include:
Physical or Social Engineering
- Physical attempts against RBC property, data centers or banking equipment.
Informational or Low-Risk Issues
- Outdated software or libraries that are not directly exploitable.
- Server or software version disclosure that does not pose a direct security threat.
- Missing HTTP security headers (e.g., X-Frame-Options, Strict-Transport-Security), unless they are directly exploitable.
- Autocomplete enabled on input fields (e.g., password fields) that do not present a critical security risk.
- Missing cookie flags on non-sensitive cookies (e.g., cookies that don’t store critical data).
- OPTIONS/TRACE HTTP methods enabled without a directly exploitable impact.
- Any HTTP non-200 codes/pages that do not reveal sensitive information.
Limited-Impact Findings
- Clickjacking on pages that do not involve sensitive actions or authentication.
- Cross-Site Request Forgery (CSRF) on non-sensitive or non-state-changing actions (e.g., logging out).
- Open redirects that do not lead to phishing or other malicious behavior.
- Lack of rate limiting or brute-force protections that does not lead to significant account compromise or service disruption (e.g., the ability to send spam emails without rate limiting).
- Host header injections, unless directly exploitable for stealing user data.
- Session management vulnerabilities (e.g., concurrent sessions, session expiration) that do not have a clear path to exploitation.
- Vulnerabilities affecting users of outdated browsers or platforms that do not represent a significant risk or impact the majority of users.
- IP/Port scanning, unless you are able to access private IPs or internal servers.
- Vulnerabilities from automated tools or scans that haven’t been successfully exploited.
Non-Exploitable Behavior
- Self-XSS, where the vulnerability only impacts the user submitting the report.
- Presence of robots.txt, .gitignore, or sitemap.xml, unless they reveal sensitive information or directly impact security.
- Lack of CAPTCHA or other spam prevention mechanisms that do not enable exploitation or abuse.
- Insecure SSL/TLS ciphers reported without a working proof of concept or clear path to exploitation.
Denial of Service (DoS)
- Denial-of-service (DoS) vulnerabilities that rely on unauthenticated rate limits, or that do not result in significant downtime or user impact.
By submitting a report to RBC, you are indicating that you have read, understand, and agree to these requirements.