BBVA VULNERABILITY DISCLOSURE PROGRAM

We at BBVA value the security community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our customers, because the safety and security of our customers' data and the reliability of our products and services are of vital importance to BBVA.

Therefore, our goal is always to design, produce and deliver products and services with the highest levels of security, reliability and trust. However, despite all our efforts, vulnerabilities may exist in them.

This program is intended to give security experts who wish to provide feedback to BBVA on possible vulnerabilities identified in its assets clear guidelines, and it defines BBVA's approach to receiving reports and notifications related to potential vulnerabilities in its products and services from those who interact with such products and services.

BBVA wants the security community to feel comfortable reporting vulnerabilities they have discovered - as set out in this program - so that we can continue preserving the safety of our customers. We have developed this program to both reflect our values and maintain our sense of responsibility to the security researchers who share their expertise with us in good faith.

Customers, users, researchers, partners and anyone else who interacts with BBVA products and services are encouraged to report vulnerabilities identified in those products and services.

The preferred method for contacting BBVA regarding such vulnerabilities is the form on this page, which can be accessed through vdp.bbva.com (“Site”).

BBVA greatly appreciates your efforts as a reporting party to identify vulnerabilities, and we thank you in advance for doing so. Reporting such vulnerabilities will help to improve the security and reliability of the technology that supports our products and services.

Please note that providing your contact information with your report is entirely voluntary and at your discretion. BBVA will use all reports submitted, both anonymous and those that include contact information. 

If you report vulnerabilities to BBVA using the form on this page, you agree to the following terms:

  1. BBVA may use your report to evaluate it and, where appropriate, use its content to correct vulnerabilities that it deems appropriate and that may improve the security and reliability of its products and services. 

  1. The intellectual and industrial property rights over the content of your report will belong to BBVA. For this purpose, you assign, exclusively, without consideration or remuneration for such concept, all intellectual and industrial property rights on your report to BBVA, for the maximum duration of all rights provided for in applicable law until its entry into the public domain. The assignment includes, but is not limited to, all rights that may be protected under intellectual property, industrial property and trade secret laws worldwide. The rights assigned include the rights of use of the contents of the report, the rights of total or partial reproduction by any means and under any form, distribution, public communication, making available, translation, adaptation, arrangement or any form of transformation thereof, by any existing technical procedure or that may be created in the future, including its dissemination via the Internet or networks of a similar technical nature. Included in the above is the exclusive right of BBVA to transfer to any third party or parties and/or other companies of the BBVA group all or any of said rights on an exclusive basis, and you hereby give your consent to such transfer. For clarification purposes, with regard to the right to transform the content of the report, you consent to the carrying out, by BBVA or third parties, of alterations that may involve structural changes for any use and by any means present or to be invented in the future.

  1. You will not use the Site for anything other than the analysis, detection and preparation of the report on the vulnerabilities that you deem appropriate. In particular, you may not make copies of or create derivative works from the Site.

  1. You confirm to BBVA that: 

  • You have only carried out tests to the extent necessary to confirm a vulnerability's presence. You have not used an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or "pivot" to other systems.

  • You have not exploited or used in any manner, and will not exploit or use in any manner (other than for the purposes of reporting to BBVA), the discovered vulnerabilities;

  • You have not engaged, and will not engage, in testing/research of systems with the intention of harming BBVA, its customers, employees, partners or suppliers;

  • You have not used, misused, deleted, altered or destroyed, and will not use, misuse, delete, alter or destroy, any data that you have accessed or may be able to access in relation to the vulnerability discovered;

  • You have not conducted, and will not conduct, social engineering, spamming, phishing, denial-of-service or resource-exhaustion attacks;

  • The content of your report is original, does not contain information subject to a duty of confidentiality and/or secrecy, does not violate the applicable regulations in force and does not infringe any third party rights (among others, your report does not violate intellectual and industrial property rights, honor, privacy, self-image and protection of personal data of third parties).

  • You are solely responsible for any infringements and damages that may be caused to the rights of third parties with the content of your report. Therefore, you will hold BBVA and/or its Group entities harmless at all times against third party claims, and you will be solely responsible, assuming full responsibility for any costs that may arise in favor of third parties as a result of actions, claims or disputes arising from breach and/or inaccuracy and/or untruthfulness of the obligations and statements set forth herein. Likewise, in the event of any claim against BBVA by third parties for violation of rights, including but not limited to intellectual and/or industrial property rights, personal data protection, honor, privacy and/or personal image, or any other, you are obliged to compensate BBVA for any amounts that it may have to pay for any reason derived from or related to such claim.

  • You agree not to disclose to any third party any information related to your report, the vulnerabilities reported, nor the fact that a vulnerability has been reported to BBVA.

  • BBVA does not guarantee that you will receive any response from BBVA related to your report. BBVA will only contact you regarding your report if BBVA considers it necessary.

  • You agree that you are making your report without any expectation or requirement of reward or other benefit, financial or otherwise, for making such report, and without any expectation or requirement that the vulnerabilities reported are remediated by BBVA.