Responsible disclosure policy

Have you found a vulnerability or other security issue related to nbim.no? Thanks for reporting it to us!

Please e-mail your findings to: [email protected]

Security is core to our values at Norges Bank Investment Management. We value and appreciate security researchers acting in good faith and contacting us with findings that can help us protect and secure our organisation and assets.

If you would like to contribute

Please e-mail your findings to: [email protected] and:

  • Play by the rules as explained here, and stay within applicable laws and relevant agreements
  • Await full disclosure until we approve
  • Stay within the scope of this policy
  • Stop when you have enough information to demonstrate your findings on a conceptual level - do not take advantage of the vulnerability by downloading unnecessary data, destroying data, or causing disruption or degradation of our services

When you report, we will

  • Ensure a timely response
  • Work with you to understand and validate your finding
  • Work to remediate validated vulnerabilities in a timely manner
  • Recognise your contribution if you are the first to discover a vulnerability

Scope

*.nbim.no, *.generasjonsfondet.no

Out of scope

  • Norges Bank’s other entities (*.norges-bank.no)
  • Third parties to Norges Bank
  • DoS or other forms of resource exhaustion attacks
  • Attacks on physical security, social engineering, phishing/spam

Reward

Norges Bank Investment Management currently does not provide a bug-bounty program or any monetary rewards for reporting vulnerabilities. We will, however, recognise those that help us improve our security.

Security hall of fame

2021 – Shivam Khambe – Same-site scripting
2021 – Priti Navale – Clickjacking

Last saved: 05/08/2021