ANZ Responsible Disclosure Program

ANZ takes the security of our systems and customer data seriously. The responsible disclosure of vulnerabilities helps ensure the security and privacy of ANZ and our customers. We value and support the work undertaken by the security research community and appreciate it when researchers take the time to report potential security vulnerabilities to us.

Please review the program contents before submitting your findings.

Ratings/Rewards

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Program Rules

• All valid reports will be taken seriously by our teams and with this in mind, do give us a reasonable period of time to evaluate the submission and respond accordingly.
• Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
• While testing our systems you make every effort not to damage or restrict the availability of products, services or infrastructure.
• You do not use a detected vulnerability to obtain more data than necessary for proving the vulnerability.
• You agree to securely delete all personal and confidential information obtained during testing.