Responsible Disclosure Policy:

ResponsibleDisclosure.com (operated by an independent third party, Synack, on behalf of Huntington Bank).

This page is for security researchers interested in reporting application security vulnerabilities. This is intended for application security vulnerabilities only.

The details within your request form will be submitted to Synack. If you have reported an issue determined to be within program scope and to be a valid security issue, Synack will validate your finding and you will be allowed to disclose the vulnerability after a fix has been issued. This process is managed exclusively by Synack through their platform, accordingly you must accept the Synack Terms of Service if you wish to proceed. All queries are to be directed to Synack and managed exclusively through the ResponsibleDisclosure.com online portal.

Typical Vulnerabilities Accepted:

• OWASP Top 10 vulnerability categories
• Other vulnerabilities with demonstrated impact

Typical Out of Scope:

• Theoretical vulnerabilities
• Informational disclosure of non-sensitive data
• Low impact session management issues
• Self XSS (user defined payload)

For a full list of program scope please visit the Responsible Disclosure details page

Responsible Disclosure Guidelines:

• Adhere to all legal terms and conditions outlined at responsibledisclosure.com
• Work directly with ResponsibleDisclosure.com on vulnerability submissions
• Provide detailed description of a proof of concept to detail reproduction of vulnerabilities
• Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems
• Do not engage in social engineering or phishing of customers or employees
• Do not request for compensation for time and materials or vulnerabilities discovered