How to report a vulnerability
It's easier for us to triage and fix vulnerabilities when we're provided with as much information as possible. If you're reporting a suspected vulnerability to us, follow the steps below on how to share details of what you've found. We welcome feedback on any asset that belongs to us, and in particular kiwibank.co.nz and Kiwibank Mobile Banking (iOS and Android).
Reporting a vulnerability is different to reporting a scam or phishing attempt. If you'd like to report a scam, or you think your identity or accounts may have been compromised, see our types of scams page for what to do next. If you suspect an email is suspicious, you can forward it to suspicious.email@kiwibank.co.nz.
1. Tahi: Visit the online portal. Complete the online form to help us understand the nature and impact of your findings.
2. Rua: Add further details. You can provide supporting documentation, in line with our expectations below.
3. Toru: Confirm & submit your report. Review all terms and conditions and submit the form.
If you’re reporting an issue to us, we'll:
- confirm we've received your report within 10 business days (we may ask you to provide more information)
- keep you informed about the status of your submission
- fix things that are wrong where possible, in a reasonable timeframe.
We don't offer any “bug bounty” or financial incentive for vulnerability disclosures.
When participating in our responsible disclosure programme, you'll need to:
- adhere to these expectations and any other relevant agreements, like our general terms & conditions and our website terms of use
- promptly report any vulnerability you’ve discovered and refrain from obtaining more data than is necessary to prove the vulnerability
- ensure you're not violating the privacy of others, disrupting our systems or services, compromising or destroying data, and/or harming user experience
- only use the official channel we link to from this page to share vulnerability information with us
- treat any reported vulnerability as confidential and allow a reasonable amount of time for us to investigate what you've reported
- immediately stop any research if a vulnerability provides unintended access to data (such as personally identifiable information, card data, or proprietary information) and submit the report immediately
- destroy or delete any data you might obtain due to a vulnerability once you’ve submitted a report
- comply with all applicable law and don't do anything illegal.
Activities that aren't permitted
- automated scanning
- automated submission of forms
- accessing or attempting to access accounts or information you're not authorised to
- any attempt to modify or destroy information
- sending or attempting to send any unsolicited or unauthorised email or other type of message
- conducting social engineering (including phishing) of Kiwibank employees, contractors, customers or other related parties
- posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products or customers
- exfiltration, disclosure or use of any proprietary or confidential information or data of Kiwibank (including customer data) under any circumstances
- clickjacking
- any physical attempts against Kiwibank's property
- weak or insecure SSL ciphers and certificates
- any Denial of Service (DoS) attempts
- any activity or attempt to gain unauthorised access to Kiwibank software or systems in violation of law.
We don't authorise or condone any security testing of third-party services used by or within our network – if you find an issue affecting these, you'll need to report it directly to the third party.
Report security vulnerabilities via the online form below. The more details you provide, the easier it'll be for us to triage and fix.