Vulnerability Disclosure Programme
Find out how to help Tesco Bank by reporting any suspected security vulnerabilities or security disclosures.
Tesco Bank works hard to keep customers safe by continually maintaining and improving. With this in mind, we recognise the great value of external security researchers and the public. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you.
This guidance outlines our terms and approach to reporting any suspected security vulnerabilities or security disclosures related to Tesco Bank’s technology environment.
Please note that this Vulnerability Disclosure Programme is not a bug bounty or Hall of Fame programme, and that Tesco Bank will not make any financial reward for submissions.
This policy applies to any digital assets owned, operated, or maintained by Tesco Bank.
Assets or other equipment not owned by parties participating in this policy. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
The following are considered out-of-scope:
When working with us, you can expect us to:
In participating in our Vulnerability Disclosure Programme, we ask that you:
If our security operations centre identifies malicious activity targeting Tesco Bank, we will treat this as an attack and not a disclosure submission. We may act against any attacks, including reporting them to the police and other law enforcement agencies. If in doubt, immediately cease all research activity and disclose to Tesco Bank what you have discovered.
Tesco Bank may change or withdraw this Vulnerability Disclosure Programme at any time. Please check back here for the latest information before starting any research.
We ask that reporters follow these principles:
We also ask that reporters avoid the following:
Information relating to our technology and information security solutions is confidential. Any information you receive or collect about us or any of our users as part of your research before making a Vulnerability Disclosure submission must be kept confidential and only used in connection with the Vulnerability Disclosure. You may not use, disclose, or distribute any such information without our written consent. Any such information should be deleted once we receive your submission.
Please report security issues to SecurityDisclosure@tescobank.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. The guidance included contains all the information you need to be aware of before making a submission.
This programme is solely for external individuals reporting discovered security vulnerabilities. Colleagues and their families should use internal channels to report concerns. For any other concerns or queries, please head to our contact us page to find out how to get in touch.
Please provide as much detail as possible to allow us to validate and fix any potential vulnerability quickly, including:
If your submission only has partial data and insight, this could delay us from validating and fixing the vulnerability. Responses to low and informational issues will be deprioritised. Additionally, please keep testing logs to help us correlate your activity.
When conducting vulnerability research under this disclosure programme and per the terms of this policy:
If you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our official channels before going any further.
Please note that the safe harbour only applies to legal claims under the control of the organisation participating in this policy and that the policy does not bind independent third parties.