How to report a vulnerability

General Requirements

• Only conduct research on publicly available content
• Do not store, share, or compromise ATB data
• Do not initiate or facilitate any fraudulent transaction
• Do not disclose potential vulnerabilities to any third parties or to the public without the prior written permission of ATB

If permission is provided, coordinate the disclosure/release/publication of your finding with ATB; and limit the content of your disclosure to reasonably avoid a person exploiting the vulnerability (e.g. do not disclose executable or proof-of-concept code to the public).

Scope

Any publicly-accessible systems owned, operated, and/or controlled by ATB Financial including web applications, mobile applications, or services hosted on those systems are in-scope.

If you have questions about a specific domain or application that you would like to research, please contact responsibledisclosure@atb.com.
This program is not permission for any of the following:

• Testing the physical security of a ATB property
• Social engineering attacks on ATB clients or employees (e.g., phishing emails or sites)
• Denial of service or resource exhaustion attacks; or mass scanning tools that rely on high traffic volumes, which may result in your IP(s) being blocked.

Legal Requirements

You must comply with all applicable laws in connection with your participation in this program.

If you conduct research and submit your findings to ATB in accordance with this Policy, we will consider it authorized conduct.

ATB reserves all legal rights with respect to any of the activities described in this policy.

By submitting your report to ATB (your “Submission”), you agree that:

• ATB may take all steps needed to validate and mitigate the vulnerability;
• ATB may share or disclose the vulnerability as provided in this Policy;
• ATB may collect, use, share or disclose any personal information you provide to ATB as part of your Submission; and
• You grant ATB any rights to your Submission needed to do any of the above.

Submitting a report

ATB is particularly interested in vulnerabilities from the OWASP Top 10 and/or vulnerabilities that have a demonstrable security impact. When reporting a potential vulnerability, please include a detailed description of your discovery, including:

• The full URL
• Clear and concise steps taken
• Any tools used during discovery
• Objects possibly involved (e.g. filters or entry fields)
• Evidence (e.g. screen captures welcome)
• Your assessment of risk (CVSS 3.1 preferred)
• The attack scenario, exploitability, and security impact of the vulnerability
• Any proposed solution (not required)

Please note that we do not request nor require executable copies of code.

By submitting a report to ATB, you are indicating that you have read, understand, and agree to this Policy.

Please submit your report to: responsibledisclosure@atb.com.

Once ATB receives your email, we will send an automatic email as acknowledgement. We will only make further contact with you if we need additional information to help investigate the issue.

ATB will make reasonable efforts to timely investigate and close potential issues that have a demonstrated security impact, but for the protection of our clients, we may choose to not disclose, discuss, or confirm security issues.