Policy
SIX operates the infrastructure for the financial centers in Switzerland and Spain, thus ensuring the flow of information and money between financial market players. SIX offers exchange services, financial information and banking services with the aim of increasing efficiency, quality and innovative capacity along the entire value chain. SIX is also building a digital infrastructure for the new millennium.
The threat of cyberattacks is a major risk and one that SIX takes very seriously. With strict security guidelines and a strong cyber-defense, we protect assets such as data centers, confidential information and our property as well as that of third parties.
The collaboration with security researchers is an additional valued measure to identify and mitigate existing vulnerabilities in a timely manner. Thus, if you have information about a vulnerability in any of our systems or web applications, then we want to hear from you!
Response Times
SIX Group will make a best effort to meet the following SLAs for hackers participating in our program:
Type of Response       SLA (business days)
First Response         2 days
Time to Triage         2 days
Time to Bounty         14 days
Time to Resolution     depends on severity and complexity
We’ll try to keep you informed about our progress throughout the process.
Eligibility Guidelines
General
You agree and adhere to the Program Rules and Legal terms as stated in this policy.
Do not engage in any activity that can potentially or actually cause harm to SIX, our customers, or our employees.
Do not engage in any activity that can potentially or actually stop or degrade SIX services or assets.
Social engineering (e.g. physical, phishing, vishing, smishing) is prohibited.
Testing and/or research must be on in-scope systems only. If you’re not sure whether a system is in scope, please ask.
Security researchers should refrain from disclosing issues publicly prior to a mutually agreed upon disclosure date.
Do not store, share, compromise or destroy SIX or customer data. If you encounter Personally Identifiable Information (PII), halt your activity immediately, purge the related data from your systems, and contact SIX right away. This step protects both the potentially exposed data and you.
Employees of SIX, and employees of third parties that operate in-scope assets, are not eligible to participate in this program.
Accounts
Only interact with accounts you own or that the program team has granted to you. This also applies to password brute-force attacks: never run them against accounts that are not yours.
Tooling
Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, to establish persistent command-line access, or to pivot to other systems.
Do not attempt any post-exploitation activity, including modifying or destroying data or establishing persistence.
Out of scope vulnerabilities
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access or control over a user's device.
Cross-domain referer leakage (unless there is an actual impact, such as disclosure of authenticated session cookies).
Cross-domain script inclusions.
Previously known vulnerable libraries without a working Proof of Concept.
Missing best practices in SSL/TLS configuration.
Rate limiting or brute force issues on non-authentication endpoints
Denial-of-service attacks (DoS/DDoS)
Missing cookies security flags (e.g., HttpOnly or Secure)
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers (i.e. more than 2 stable versions behind the latest released stable version)
Information disclosure issues such as software version disclosure, internal path disclosure, banner identification, or descriptive error messages and headers (e.g. stack traces, application or server errors), unless there is an actual impact such as disclosure of sensitive information
Zero-days or known vulnerabilities disclosed publicly within the past 30 days.
Open redirect - unless an additional security impact can be demonstrated
Submission / Reporting Criteria
Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue may not be marked as triaged.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
You must be the first to submit a sufficiently reproducible report for an issue in order to be eligible for a bounty.
You must be available to supply additional information, as needed by our team, to reproduce and triage the issue.
Multiple vulnerabilities caused by one underlying issue will be treated as one valid report.
If a reported vulnerability was already known to SIX from our own tests, it will be flagged as a duplicate.
If applicable, provide information about the cleanup steps needed (e.g. removal of uploaded files) to restore the target to its state prior to testing.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep SIX Group and our users safe!
Policy:
https://www.six-group.com/en/company/governance/security.html