Vulnerability Disclosure Policy

Credit Suisse acknowledges the valuable role that independent security researchers play in cyber and information security. As a result, we encourage responsible reporting of any security vulnerabilities found in Credit Suisse online applications and systems.

We ask that you disclose information security issues in a responsible way and in accordance with the following policy. We will validate and fix vulnerabilities in accordance with Credit Suisse security standards.

Reporting

We encourage security researchers to share the details of any suspected security vulnerability by submitting the form at the bottom of this page. Please note that we have partnered with Bugcrowd to manage and triage the submission reports for responsible disclosure, i.e. the data will be processed by Bugcrowd under their terms & conditions. We ask that security researchers include detailed information with steps for us to reproduce the vulnerability.

By submitting the form at the bottom of this page, you agree to comply with the terms and conditions of this Policy.

Our Commitment

If you identify a valid security vulnerability in compliance with this Policy, Credit Suisse commits to:

  • Working with you to understand and validate the issue,
  • Addressing the risk if deemed appropriate by the Credit Suisse team.

We would like to thank every researcher who submits a vulnerability report and helps us to improve security at Credit Suisse.

Your Commitment

One of our goals is to address security vulnerabilities as quickly as possible while limiting negative impacts to our customers. In order to do this, we need your help:

  • Regardless of the impact, you agree not to compromise Credit Suisse information or Credit Suisse information systems,
  • Please disclose issues using the Vulnerability Disclosure submission form located on this web page,
  • For scoring, please follow Bugcrowd’s vulnerability taxonomy found here,
  • Please provide valid contact information,
  • Please respond when we have a question for you,
  • Please include as much information as possible to help us to recreate the issue, such as:
    • Technical description and details,
    • Screen captures of the issue (delete after uploading),
    • URL where the issue occurs,
    • The ID you used to log in,
    • The hardware, operating system, and browser(s) you used,
    • The time of day you noticed the issue,
    • Your source IP.

Finally, you must comply with all laws applicable to you, including local laws of the country or region in which you reside or in which you download or use Credit Suisse’s online platforms, applications or services.

Safe Harbor

We interpret activities that comply with this Policy as “authorized” and we will not initiate or recommend legal action against you. If legal action is initiated by a third party against you and you have complied with this Policy, we will take the necessary measures to make it known that your actions were conducted in compliance with this Policy.

Non-compliance

Public disclosure of any submission details of an identified or alleged vulnerability without express written consent from Credit Suisse will cause you and your submission to be noncompliant with this Policy.

In addition, to remain compliant you are prohibited from:

  • accessing, downloading, modifying, or disclosing data residing in an account that does not belong to you,
  • executing or attempting to execute any “Denial of Service” attack,
  • posting, transmitting, uploading, linking to, sending, or storing any malicious software,
  • testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages,
  • testing in a manner that would degrade the operation of any Credit Suisse properties,
  • conducting any kind of physical or electronic attack on Credit Suisse personnel, property, buildings, or data centers,
  • social engineering any Credit Suisse service desk, employee, or contractor,
  • testing third-party applications, websites, or services that integrate with or link to Credit Suisse properties.