At RBC, we hold ourselves to the highest standards of integrity to build trust with every interaction. Our commitment is reflected in our dedication to protecting the security of our systems, our clients’ privacy, and safeguarding the personal information entrusted to us.
RBC recognizes that fostering a close relationship with the community will help improve our security and we appreciate the contribution researchers and experts make to our security efforts. That’s why we encourage you to contact us directly to report potential vulnerabilities identified in any product or system belonging to RBC and its affiliates.
If you believe you have identified a potential security vulnerability, please submit it at firstname.lastname@example.org following the submission format outlined below. Thank you in advance for sharing your findings.
Please note, RBC does not operate a public bug bounty program and does not offer rewards or compensation in exchange for submitting potential issues.
Inquiries and support requests that are outside of the scope of this Responsible Disclosure Program may be directed to RBC’s Customer Service channels available at https://www.rbcroyalbank.com/customer-service/.
RBC will not engage in legal action against individuals that submit vulnerability reports through the proper channel and in accordance with the following guidelines. As a responsible security researcher, you must:
- Engage in research without harming RBC, our customers, or our employees.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program and avoid testing using automated scanners.
- Conduct research using only accounts that you own or with the express consent of the account holder.
- Agree that, if you encounter personal information, you will immediately stop your activity, delete such information from your system, and contact RBC.
- Comply with all applicable Federal, Provincial/State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
- Agree that you shall not, without the prior written consent of RBC in each instance, disclose information related to your findings to any third party or the public.
- Agree that any and all information acquired or accessed by you as part of this exercise is confidential to RBC and you shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
- Be at least 18 years of age; if you are considered a minor where you live, you must have your parent’s or legal guardian’s permission prior to submitting a vulnerability.
Please note that RBC employees or contractors are not eligible to participate in the Responsible Disclosure Program.
RBC reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, RBC commits to acknowledging receipt of reports within two business days of submission and will keep you reasonably informed of the status of any validated vulnerability that you report through this program. By submitting a report to RBC, you agree that:
- RBC may take all steps needed to investigate and resolve the vulnerability, and you grant RBC any rights to your report needed to do so; and
- RBC may process any personal information you provide to RBC as part of your report.
If you believe you have discovered a vulnerability in our products or services, please send your report to email@example.com using the public key below to encrypt your email communication.
In your report, please provide a detailed summary of the vulnerability, including target(s), screenshots or video, attack scenario and steps to reproduce with timelines and time-zone information. Please also include a secure method to contact you.
Certain vulnerabilities are considered out of scope for our Responsible Disclosure Program. These include:
Denial of Service
- Denial of service or Resource Exhaustion Attacks
Physical or Social Engineering
- Physical attempts against RBC Property, data centers or banking equipment
Informational disclosure of non-sensitive data
- IP/Port Scanning unless you are able to hit private IPs or internal servers
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Any HTTP non-200 codes/pages
- Banner disclosure on common/public services
- Disclosure of known public files or directories, (e.g. robots.txt)
Low impact Vulnerabilities
- Missing security headers which do not lead directly to a vulnerability
- Missing best practices (we require evidence of a security vulnerability)
- Any low impact issues related to session management - concurrent sessions, session expiration
- Absence of rate limiting
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality
- Clickjacking/UI redressing
- CSRF on forms that are available to anonymous users (e.g. the contact form)
- Logout Cross-Site Request Forgery (logout CSRF)
- Host header injections unless you can show how they can lead to stealing user data
- Use of a known-vulnerable library (without evidence of exploitability)
- Reports from automated tools or scans
- Reports of spam (i.e., any report involving ability to send emails without rate limits)
- Vulnerabilities affecting users of outdated browsers or platforms
- Presence of autocomplete attribute on web forms
- Missing cookie flags on non-sensitive cookies
- Report of insecure SSL/TLS ciphers without a working proof of concept
- Username enumeration via Login Page error message
- Username enumeration via Forgot Password error message
- Login or Forgot Password page brute force and account lockout not enforced
- OPTIONS / TRACE HTTP method enabled
Self XSS (user defined payload)
- Vulnerabilities that require the user/victim to perform extremely unlikely actions (i.e. Self-XSS)
By submitting a report to RBC, you are indicating that you have read, understand, and agree to these requirements.