Security is core to our values, and we value the input of security researchers acting in good faith to help us maintain a high standard for the security and privacy for our customers and associates. This includes encouraging responsible vulnerability research and disclosure. This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.

If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below. Thank you in advance for your submission, we appreciate researchers assisting us in our security efforts.

If you suspect fraud on your account, please visit our Report Fraud page.

Expectations

When working with us according to this policy, you can expect us to:

• Extend Safe Harbor for your vulnerability research that is related to this policy;
• Work with you to understand and validate your report, including a timely initial response to the submission; and
• Work to remediate discovered vulnerabilities in a timely manner

Regions Bank Asks that Researchers:

Please make sure your report contains a detailed description of the discovered vulnerability and steps to reproduce it. We would appreciate if the report would include the following information at minimum:

• The application, service, product, or system where the vulnerability was discovered
• Vulnerability class or type
• Possible security impacts
• Steps to reproduce the vulnerability
• Suggested vulnerability mitigation or remediation

Ratings:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

Learn more about Bugcrowd’s VRT.