How do I report a potential Cyber security issue, error or security vulnerability?
For any declaration of vulnerability, please fill out the form https://gbk.vulnerability-disclosure.com
Gulf Bank Bug Bounty Program
Cyber Researcher, Enthusiast Hackers - How to register in our Bug bounty program?
- Go to www.yeswehack.com
- Register your account and complete the KYC validation
- Contact us on bugbounty@gulfbank.com.kw with your registered UserID
GULF BANK PROGRAM TERMS & CONDITIONS
These Terms & Conditions (these “Terms”), which form a legally binding contract between Gulf Bank KSCP (“Gulf Bank” or “us” or “our” in context) and qualifying individuals (“Participant” or “you” and “your” in context) who wish to participate in this Bug Bounty Program (the “Program”) and identify vulnerabilities in our in-scope products (“Vulnerabilities”). Participants that submit acceptable Vulnerability Reports shall be eligible to earn a payout (a “Bounty Payout”), as determined solely at Gulf Bank's discretion, in accordance with these Terms & Conditions.
1. DEFINITIONS
"Bug"
A bug means an error or a flaw in the code that causes it to not work as expected.
"Vulnerability"
A vulnerability is a weakness in a website or application system that can be exploited by attackers to gain unauthorized access or cause harm.
2. ELIGIBILITY
Subject to these Bug Bounty Terms, to be eligible to participate in the Program, during the period of your participation, you must:
- Not submit the existing known vulnerabilities by the bank as it will not result in a payout and priority will be given to vulnerabilities that result in real world compromise of the bank’s systems.
- be of legal age in the jurisdiction in which you reside and/or are domiciled and you must have the legal capacity to enter into, and be bound by, these Bug Bounty Terms if you are participating in the Program as an individual.
- be the first person to report or disclose the Vulnerability to Gulf Bank in accordance with these Bug Bounty Terms, including by submitting sufficient information to gulf bank vulnerability disclosure program
- provide sufficient information to enable Gulf Bank to reproduce and fix the applicable Vulnerability.
- not engage in any unlawful conduct when discovering, reporting or disclosing the Vulnerability to Gulf Bank, including the use of threats, demands or any other coercive tactics.
- not have exploited or attempted to exploit the Vulnerability in any way, including by making such Vulnerability public or by obtaining a profit or other benefit (other than the reward under the Program).
- make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any Services or Site (as defined in the Terms of Use), including using automated testing that generates significant amounts of traffic.
- submit only one (1) Vulnerability per report or disclosure, unless you need to combine vulnerabilities to provide sufficient information with respect to any of the applicable vulnerabilities.
- not to submit a Vulnerability caused by the same underlying issue on which the reward has been provided under the Program.
- not to ask for a reward in exchange for Vulnerability details or dispute the applicability of the Program to you, including the amount of any proposed or actual reward or categorization of a Vulnerability; and
- Not a current or former employee (within 6 months), vendor, contractor, or agent for Gulf Bank.
Gulf Bank reserves the right to limit or refuse your eligibility to participate in the Program for any reason, by any Applicable Law. If Gulf Bank becomes aware of any violation of these Terms, Gulf Bank may elect to, among other things:
- prohibit you from using the Services or the site.
- withhold, amend or cancel the benefits of our rewards under the Program.
- require a return of any reward made to you, including taking any action at law to obtain such reward.
3. DISCLOSURE AND REPORTING REQUIREMENTS
Any Vulnerability discovered must be only reported to the bank vulnerability disclosure programme and must comply with all other requirements in this Program.
The Vulnerability must not be publicly disclosed or shared with any other party before Gulf Bank has been notified, the issue has been resolved and has granted permission for such disclosure, if at all. The disclosure to Gulf Bank must be made within twenty-four (24) hours following discovery of the applicable Vulnerability. If similar vulnerabilities are reported within the applicable twenty-four (24)-hour period any reward may be split by Gulf Bank between such reporters, or may be paid to the first person to make such report, and in either case shall be determined in the sole discretion of Gulf Bank
4. FINANCIAL REWARDS
Subject to these Bug Bounty Terms, you might receive a financial reward of up to USD 1,200 depending on the severity of the security vulnerability reported or disclosed. The classification, severity rating, and reward value are determined at Gulf Bank's sole discretion.
5. INDEMNITY AND LIMITATION OF LIABILITY
Participant will be liable for and indemnify Gulf Bank against any losses which Gulf Bank may incur that arise from Participant's breach of these Terms, including losses arising from Participants' gross negligence, willful misconduct and breach of law.
Notwithstanding anything else set out under these Terms, our cumulative liability to you under these Terms apart from the reward of Bounty Payout to which you may be entitled shall be USD 30. Participant further waives all rights to have damages multiplied or increased.
6. PRIVACY
By participating in the Program, you acknowledge and agree that any personal information that you provide will be maintained in accordance with the Privacy Policy below. By participating in the Program, you hereby:
- grant to Gulf Bank the right to use your name, country of residence, email address and any other information you provide to Gulf Bank (“Personal Information”) for the purpose of administering the Program;
- grant to Gulf Bank the right to use your Personal Information for publicity, promotional, marketing and advertising purposes relating to the Program, in any media now known or hereafter devised, without further compensation unless prohibited by Applicable Law; and
- acknowledge that Gulf Bank may disclose your Personal Information to its third-party agents and service providers in connection with any of the foregoing activities.
Gulf Bank will use your Personal Information only for the identified purposes and as contemplated in the Privacy Policy. Any conflict between the Privacy Policy and any authorization and/or licensing provided herein shall be governed by these Terms.
If you access any personal information or other sensitive information for which you do not have authority to access, then you must immediately stop accessing such information, immediately notify Gulf Bank and destroy all copies thereof.
7. PRIVACY POLICY
All information of Gulf Bank, including, without limitation, non-public information derived from the businesses of Gulf Bank, concerning Gulf Bank or its affiliates or their Gulf Bank or other entities, shall be deemed confidential information of Gulf Bank.
In relation to the Personal Information obtained from Gulf Bank by the Participant, the Participant agrees:
- not to disclose any Personal Information (as defined in this clause) to any third party or to any employee or agent who does not need to have access to such Personal Information to perform the Participant’s obligations under this Agreement,
- not to use Personal Information for any other purpose other than to perform its obligations under this Agreement,
- that it shall have in place adequate security measures to protect Personal Information against leakage, loss, or abuse,
- To allow Gulf Bank to inspect its handling of Personal Information and to provide any report on the Participant’s management of Personal Information at the request of Gulf Bank.
- Notify Gulf Bank immediately if a leak, loss or abuse of Personal Information or any breach of applicable personal data protection laws or regulations is discovered by the Participant. “Personal Information” means information concerning a living person and includes the full name, date of birth and any other description, number, symbol or other code, image or sound attributable to an individual that can be used to identify a particular person, and which is obtained by the Parties in connection with this Agreement.
8. NO ASSIGNMENT
Participant shall not assign or transfer any rights or obligations under this Agreement under any circumstances. Any purported assignment or transfer of rights in violation of this Section is void.
9. GOVERNING LAW & JURISDICTION
This Agreement shall be governed and interpreted in accordance with the laws of the State of Kuwait without regard to the conflict of laws principles thereof. All conflicts arising out of this Agreement will be submitted to the competent courts of the State of Kuwait.