Vulnerability Disclosure Policy

At the Swiss National Bank, we place great importance on the security of our IT systems and websites as well as the protection of our data. We are aware that vulnerabilities can occur in complex IT environments and appreciate the support of the security research community. Your contributions can help us to continue improving our security measures.
If you find or are made aware of a vulnerability in the SNB's IT systems or websites ('vulnerability'), please inform us immediately in accordance with the present Vulnerability Disclosure Policy ('VDP').

How to report a vulnerability

  • First check the list of invalid vulnerabilities and prohibited activities below to make sure your finding is within the scope of this VDP.
  • Do not violate applicable law in connection with the vulnerability or your reporting it.
  • Send the description of the identified vulnerability by encrypted email to vulnerability-disclosure@snb.ch. The information you need for this (including the encryption key) is published in our security.txt file.
  • Please provide detailed information to enable the SNB's specialists to analyse and understand the vulnerability. Structure your report of the vulnerability using the template below.
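The security.txt file referred to above follows RFC 9116: it is served at /.well-known/security.txt and lists, among other fields, a Contact address, an Encryption key location and an Expires date, and it may be wrapped in a PGP cleartext signature. The following Python example is added here for illustration and is not part of the SNB's policy or tooling. It parses a constructed security.txt, unwraps a cleartext-signature frame if present (it does not verify the signature; do that with gpg against the published key), and extracts what a reporter needs before sending an encrypted report. The file contents are constructed: only the mailto address comes from this page, and the example.invalid URL is hypothetical.

```python
"""Extract reporting details from a security.txt (RFC 9116) file.

Added example, not the SNB's own code. The sample file below is CONSTRUCTED;
fetch the real one from https://www.snb.ch/.well-known/security.txt instead.
"""
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample. The Contact address is the one named in the VDP; the
# Encryption URL is hypothetical (example.invalid is reserved and never resolves).
SAMPLE_SECURITY_TXT = """\
# Constructed sample for illustration, not the SNB's real security.txt
Contact: mailto:vulnerability-disclosure@snb.ch
Encryption: https://example.invalid/pgp-key.asc
Expires: 2099-12-31T23:59:59.000Z
Preferred-Languages: en, de, fr, it
"""


def strip_cleartext_signature(text: str) -> str:
    """Return the signed body of a PGP cleartext-signed file, or text unchanged.

    This only removes the armor so the fields can be parsed; it does NOT
    verify the signature. Verify separately, e.g. `gpg --verify security.txt`.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text
    # Armor headers such as "Hash: SHA256" run until the first blank line.
    i = 1
    while i < len(lines) and lines[i].strip():
        i += 1
    body: List[str] = []
    for line in lines[i + 1:]:
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        # Lines starting with "-" are dash-escaped ("- ") inside the armor.
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Map lower-cased field names to their values; fields may repeat."""
    fields: Dict[str, List[str]] = {}
    for raw in strip_cleartext_signature(text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def report_targets(text: str, now: datetime = None) -> Dict[str, object]:
    """Return contact emails, key URLs and any problems that should stop a report."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: List[str] = []

    # RFC 9116 makes Contact and Expires mandatory.
    for required in ("contact", "expires"):
        if required not in fields:
            problems.append(f"missing required field: {required}")

    contacts = [c[len("mailto:"):] for c in fields.get("contact", [])
                if c.lower().startswith("mailto:")]
    if "contact" in fields and not contacts:
        problems.append("no mailto: contact; the VDP asks for an encrypted email")

    if "expires" in fields:
        # Expires is an ISO 8601 timestamp; accept a trailing "Z" on older Pythons.
        exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        if exp <= now:
            problems.append(f"security.txt expired on {exp.isoformat()}; re-fetch it")

    if "encryption" not in fields:
        problems.append("no Encryption field; obtain the key another way before emailing")

    return {
        "contact": contacts,
        "encryption": fields.get("encryption", []),
        "problems": problems,
    }


if __name__ == "__main__":
    print(report_targets(SAMPLE_SECURITY_TXT))
```

An expired or unsigned security.txt is a reason to stop and re-check, not to skip encryption: a stale file may point at a key that has since been rotated, and an unverified file could have been planted on a compromised web host.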

How the SNB proceeds with a report

  • The SNB will confirm the receipt of your report, examine the vulnerability and resolve it as soon as possible.
  • Your report will be treated as confidential and no information will be disclosed to third parties without your consent, unless disclosure is required by law.
  • The SNB will not take legal action against you if you comply with the rules of this VDP, no malicious or criminal intent is discernible, and no offence has been committed. If this VDP is violated or an offence is committed, the SNB reserves the right to take any and all legal steps.
  • After the examination of your report we will inform you of the result of our analysis.
  • The SNB does not pay any rewards for reported vulnerabilities.
  • You can find details on the processing of your personal data at https://www.snb.ch/en/srv/disclaimer_data.

Valid vulnerabilities

In general, every vulnerability can be reported. Examples include:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Remote code execution (RCE)
  • Misconfiguration
  • Missing authentication
  • Data leaks

Invalid vulnerabilities and prohibited activities

The following types of vulnerability do not need to be reported. We will not process reports that contain such vulnerabilities, are incomplete or do not use the required template.

  • Deviations from best practice and missing security headers
  • Vulnerabilities in outdated browsers
  • Clickjacking without specific effects
  • Missing cookie flags on non-sensitive cookies

Furthermore, the following activities in particular are explicitly prohibited and may constitute criminal conduct:

  • Social engineering attacks (e.g. phishing) on SNB employees
  • Activities with possible adverse effects on the SNB (e.g. denial-of-service attacks or sending spam in the name of the SNB)
  • Use of automated tools or scripts that may increase the system load or impair the normal functioning of SNB systems
  • Other attacks that might impair the performance or integrity of SNB systems (e.g. malware installation, brute force attacks, fuzzing or similar techniques)
  • Any unauthorised change, deletion or copying of data on SNB systems
  • Publication of information on discovered or suspected vulnerabilities without the explicit written consent of the SNB

Template for vulnerability reports

  1. Title / label of vulnerability
  2. Author and contact details
  3. Affected application, system, device or product (URL, IP address, manufacturer, product, version)
  4. Description of vulnerability including technical details
  5. Proof of concept
  6. Remediation, solution, prevention
