RESPONSIBLE DISCLOSURE POLICY

At Live Oak Bank we are committed to maintaining the security of our customers’ information and of our systems. We encourage security researchers to contact us to report any potential vulnerabilities identified in any of our products, systems, or assets.

If you believe you have identified a potential security vulnerability, please share it with us. You may follow the submission guidelines below. While we appreciate security researchers assisting us in our security efforts, do note that Live Oak Bank does not operate a public bug bounty program; therefore, we make no offer of reward or compensation in exchange for the disclosure of any potential issues.

 

Vulnerability Disclosure Policy

We take the security of our systems seriously, and we value the contributions of the security community in this mission. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

 

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you have discovered confidential between yourself and Live Oak Bank until we have had an opportunity to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours (about 3 days) of submission);
  • Recognize your contribution, if you are the first to report the issue and we make a code or configuration change based on the issue.

 

Out of Scope Vulnerabilities

In the interest of the safety of our users, staff, the Internet at large and you as a security researcher, the following test types are excluded from scope:

  • Any services hosted by 3rd party providers and services
  • Findings from physical testing such as office access (e.g., open doors, tailgating)
  • Findings derived from social engineering
  • UI and UX bugs
  • Content copy errors, including spelling or grammatical mistakes
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities
  • Denial of service attacks
  • Resource Exhaustion Attacks

Data elements that should NOT be included in your submission:

  • Personally Identifiable Information (PII)
  • Credit card holder data

 

How to report a security vulnerability?

If you believe you have found a security vulnerability in one of our products or platforms, complete the form below to create your submission. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name or how you would like us to provide attribution to you.

 

Responsible Disclosure Program Guidelines

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

  1. Do not engage in any activity that can cause harm to Live Oak Bank, our customers, or our employees.
  2. Do not engage in any activity that can stop or degrade Live Oak Bank services.
  3. Do not engage in any activity that violates federal or state laws or regulations.
  4. Do not share any Personally Identifiable Information (PII) you may come across as part of your initial contact to disclose a finding to Live Oak Bank.
  5. Do not purposely initiate any fraudulent financial transactions.
  6. Keep disclosure information confidential between yourself and Live Oak Bank until we have resolved the issue.

Once a report is submitted, we commit to keeping you informed of the status of any validated vulnerability that you report through this program.

If you suspect fraud on your account, please visit this page for more information.


Note: By responsibly submitting your findings to Live Oak Bank in accordance with these guidelines, Live Oak Bank agrees not to pursue legal action against you. Live Oak Bank reserves all legal rights in the event of noncompliance with these guidelines.