Responsible Disclosure and Reporter Acknowledgment Policy | Asian Development Bank

Responsible Disclosure and Reporter Acknowledgment Policy

To improve the protection of its Information Communications Technology resources, ADB encourages the public (“Reporters”) to assist with its efforts by disclosing vulnerabilities in ADB’s publicly accessible information system.

This Responsible Disclosure and Reporter Acknowledgment Policy (“Policy”) explains how ADB works with Reporters to improve our online security.

What to Report to ADB

Security incidents and details of vulnerabilities associated with publicly accessible ADB resources, including websites.

However, all information relating to vulnerabilities that you become aware of through this Policy is considered confidential (“Confidential Information”).

Guidelines

We require that all Reporters:

  • Do not access employee personal information or ADB confidential information.
  • If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not disrupt production systems or destroy data during security testing.
  • Perform research only within the scope set out in this Policy.
  • Use the email below to report vulnerability information to us.
  • Collect only the information necessary to demonstrate the vulnerability.
  • Securely delete ADB information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

If you fulfill these requirements, ADB will:

  • Work with you to understand and attempt to resolve the issue quickly (confirming the report within 5 working days of submission).
  • Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Reporting a vulnerability

If you have discovered something you believe to be an in-scope security vulnerability, you should follow this procedure:

  • The findings, including contact details, should be sent to [email protected].
  • The findings should be communicated in PGP-encrypted messages using the public key (PGP Fingerprint: DEAB 0447 1D10 3A05 9C1C 13F4 4F7E 11A7 0B6C 09FC) available on this website.
  • As much information as possible regarding the finding should be communicated to ADB to enable it to reproduce and verify the vulnerability, in order to implement appropriate remediation actions.
  • The vulnerability findings must remain confidential until public disclosure of the vulnerability has been made by ADB on this website.

If more information is required regarding a reported vulnerability, ADB may contact the Reporter; therefore, it is important to provide valid contact details, including email address and/or telephone number.

If the conditions listed above are satisfied, ADB will verify the existence of the vulnerability, notify affected parties, and implement actions to mitigate the vulnerability.

Once the vulnerability has been removed, the Reporter will be acknowledged unless he/she wishes to remain anonymous, and listed (at his or her own discretion) on this page with a short description of the vulnerability reported.

By reporting vulnerability findings to ADB, the Reporter acknowledges that such reporting is provided pro bono and without expectation of financial or other compensation, subject to this Policy. 

ADB reserves the right to accept or reject any security vulnerability disclosure report at its discretion.

For any questions about responsible disclosure of results for a submission, please contact us.

The following are considered outside the scope of this Policy:

  • Software version disclosure/Banner identification issues
  • Missing best practices in SSL/TLS configuration
  • Any activity that could lead to the disruption of our service (DoS)
  • Static content over HTTP
  • Physical Testing
  • Cookie valid after logout
  • Cookie valid after password change/reset
  • Cookie expiration
  • Forgot password autologin
  • Autologin token reuse
  • Same Site Scripting
  • Social Engineering (e.g. attempts to steal cookies, fake login pages to collect credentials)
  • Phishing
  • Mail Server Domain Misconfiguration (including email spoofing, missing DMARC, SPF/DKIM, etc.)
  • Issues related to rate limiting
  • Login or Forgot Password page brute force and account lockout not enforced
  • Services listening on port 80
  • Internal IP address disclosure
  • Issues related to cross-domain policies for software such as Flash, Silverlight, etc. without evidence of an exploitable vulnerability
  • Username / Email Enumeration
    • via Login Page error message
    • via Forgot Password error message
    • via Registration
  • Weak password policies
  • Weak Captcha / Captcha bypass
  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:
    • Issues that have had a patch available from the vendor for at least 6 months
    • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
  • Vulnerability reports relating to sites or network devices not owned by ADB
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g., disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

Hall of Fame

ADB expresses its gratitude to the following individuals or organizations for reporting relevant security vulnerabilities on ADB systems.