BankUnited is committed to ensuring the security of its customers by protecting their information. This program is intended to give security researchers (also referred to in this document as “you” and “your”) clear guidelines for conducting vulnerability discovery activities and to convey our preferences for how discovered vulnerabilities are submitted to us.
Guidelines
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
- Do not engage in any activity that can potentially or actually cause harm to BankUnited, our customers, or our employees.
- Do not engage in any activity that can potentially or actually stop or degrade BankUnited services or assets.
- Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
- Do not store, share, compromise or destroy BankUnited or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact BankUnited. This step protects any potentially vulnerable data, and you.
- Do not complete fraudulent financial transactions.
- When duplicates occur, we only triage the first report that was received (provided that it can be fully reproduced).
- Provide BankUnited reasonable time to fix any reported issue.
If you responsibly submit your findings to BankUnited in accordance with these guidelines, BankUnited agrees not to pursue legal action against you. BankUnited reserves all legal rights in the event of noncompliance with these guidelines.
Out-of-Scope Vulnerabilities
Certain vulnerabilities are considered out-of-scope for our Responsible Disclosure Program. Out-of-scope vulnerabilities include:
- Physical Testing
- Social Engineering (for example, attempts to steal cookies, or fake login pages used to collect credentials)
- Phishing
- Denial of service attacks
- Resource Exhaustion Attacks
BankUnited does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this document or the law, you may be subject to criminal and/or civil liabilities.
Reporting a Vulnerability
BankUnited may share submitted vulnerability information with relevant governmental or industry security organizations.
By submitting a report to BankUnited, you grant to BankUnited, its subsidiaries and its affiliates a perpetual, irrevocable, no-charge license to all intellectual property rights licensable by you in, or related to the use of, the information or material submitted. You must notify us if any part of your report is not your own work or is the intellectual property of a third party.
What we would like to see from you
In order to help us triage and prioritize submissions, we recommend that your reports:
- Describe the location where the vulnerability was discovered and the potential impact of exploitation.
- Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts or screenshots are helpful).
- Be in English, if possible.
Submission Instructions
BankUnited uses HackerOne to triage and validate vulnerability reports made pursuant to our Responsible Disclosure Program. Submitting your report through HackerOne via the button below will help ensure timely validation. If you are unable to submit a report via HackerOne, you may send us an email at vulnerabilitydisclosure@bankunited.com.