Have you found a security flaw? Tell us about it!

It is important for us at BankID that our users can feel safe and secure when using BankID at different service providers. We therefore have a structured approach to security in all of our development and management of systems, and constantly strive to achieve the highest possible security and quality. Despite this, an error may slip by. If you have found a security flaw, we would like to hear more about it so that we can correct the problem as soon as possible.

How do you report?

Send an email to us at responsible-disclosure@bankid.com. We prefer that you use our public PGP key to protect the information you send. Make sure to include the following information:

  • Detailed description of the vulnerability, including information such as the URL and the type of vulnerability.
  • The necessary information that we need in order to reproduce the problem.
  • If applicable, a screenshot of the vulnerability you have found.
  • Contact information, name, email, phone number and your public PGP key (if you have one).

What can you report?

You can report security flaws that you have found in any of our services. The reporting service is not intended for other logical errors, errors in texts, questions about our services, questions about the security of our services, or similar.

What can you expect of BankID?

We will confirm that we have received your description, keep you continuously updated while we process the issue, and inform you when the issue is fixed. Claims for compensation as a condition for reporting a vulnerability are not accepted.

What is required of you?

It is important for both our and our users' security that you follow good practice, i.e. that:

  • You do not use the vulnerability to access or attempt to access information that does not belong to you.
  • You do not use the vulnerability to remove or modify information.
  • You do not affect the availability of our services through denial of service attacks.
  • You give us an opportunity to fix the reported vulnerability before going public with it.

Can you file a report anonymously?

Yes, but then we cannot respond to you or keep you updated on the status.

PGP Key

Fingerprint: 74AD 1332 0BA3 69DC A622 CBD8 5633 21BB 9B4F 0656