Emirates NBD Group Security Disclosure Policy

If you believe you have found a security issue in one of our systems or services, we encourage you to notify us.

The submission of your report implies your acceptance of our terms as set out in this Emirates NBD Group Security Disclosure Policy (“policy”).

Introduction

At Emirates NBD Bank PJSC, along with our subsidiaries and affiliates (referred to as “Emirates NBD Group”, “us”, “our”, “we”, which depending on the context may mean the collective group or individual entities within Emirates NBD Group), we prioritize information security as an essential and integral part of our mission. We value the efforts of ethical security researchers who help us uphold the highest privacy and security standards for the products and services we offer to our customers via our technology assets. We are committed to thoroughly investigating and resolving security issues on our technology assets and services in collaboration with the security community.

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities. It outlines our preferred approach for submitting identified vulnerabilities to us. The document also defines the scope covered by the policy and do’s & don’ts. Additionally, it provides instructions on how to transmit vulnerability reports.

We appreciate security researchers who contribute to the improvement of the Emirates NBD security posture and its services as part of the outlined Bug Bounty program.

Authorization

Provided that you adhere to this policy’s provisions during your security research, we will cooperate with you to understand and resolve the issue quickly. Only in such cases will your research be considered authorized, and the Emirates NBD Group will neither pursue nor recommend initiating legal action pertaining to the conducted research.

Scope

Vulnerabilities in Emirates NBD Group’s products and services are only within the scope of the Bug Bounty program when they meet the following conditions:

  • They have not been previously reported or have not already been discovered by our own internal procedures.
  • It can be demonstrated that there would be a real impact to the Emirates NBD Group, its users or its customers should the vulnerability reported be exploited by a malicious actor. The existence of a vulnerability does not necessarily demonstrate that such a potential impact exists; theoretical impacts will not be considered as within the scope of the scheme.

Testing is only authorized for the systems and services that fall within our permitted scope: *.emiratesnbd.com, *.emiratetesislamic.com and any other international domains/subdomains which are managed and maintained by Emirates NBD. This authorization does not extend to vulnerabilities found in systems belonging to any third party. In such instances, please follow the third party’s vulnerability disclosure policy, if provided.

We request you to focus your testing and research solely on the services and systems outlined in this policy. If you believe that testing is necessary for systems beyond the mentioned scope, we encourage you to contact us to discuss your concerns prior to any attempt.

Test methods - Do’s and DON’Ts

DOs:
  • Explain where you found the vulnerability and what the potential impact could be
  • Work directly with Emirates NBD on vulnerability submissions
  • Provide a detailed proof-of-concept description so that the vulnerability can be reproduced
  • Submit your interest in joining the ENBD Bounty Program
  • Submit the report in English, if possible.

DON'Ts:
  • Test systems different from those mentioned in the section “Scope”
  • Attempt non-technical testing such as physical (e.g., tailgating, office access etc.) or social engineering (e.g., phishing, vishing etc.) involving customers or employees.
  • Upload any vulnerability or client-related content to third-party platforms (e.g., GitHub, DropBox, YouTube).
  • Test Third-party Services. Third-party Services mean services that interact with Emirates NBD technology assets to provide value add to customers but are not owned by Emirates NBD.
  • Dive deeper to determine how much more is accessible if you are able to access a system, accounts, users, or user data; stop at the point of recognition and report.
  • Breach any applicable laws in connection with our services or products, your report, or your interaction with Emirates NBD Group.
  • Engage in any disruptive testing like Denial of Service or Distributed Denial of Service (DoS/DDoS) or any action that could impact the data, confidentiality, integrity, or availability of ENBD information and systems or interrupt access to them.
  • Access unnecessary amounts of data. For example, 2 or 3 records is enough to demonstrate most vulnerabilities (such as an enumeration or direct object reference vulnerability).
  • Violate the privacy of Emirates NBD Group’s customers, users, staff, contractors, systems etc. For example, by accessing, using, disclosing, sharing, redistributing and/or not properly securing any data retrieved from our systems or services.
  • Communicate any vulnerabilities or associated details via methods not described in this policy or with anyone other than your dedicated Emirates NBD Group security contact.
  • Modify data in our systems/services with an intent to demonstrate security risk.
  • Disclose any vulnerabilities you found in Emirates NBD Group’s systems or services to third parties or the public until Emirates NBD Group confirms that those vulnerabilities have been fixed. However, if a vulnerability affects a third party directly (like a software library or framework they use) you can inform them, but don’t mention specific details related to the Emirates NBD Group vulnerability. If you are not sure, ask at vdp@emiratesnbd.com before notifying a third party.
  • Copy, retain, share, alter or delete Emirates NBD Group data
  • Test using malicious software

Out of Scope (Low Impact Vulnerabilities)

The following vulnerabilities are considered to have a minimal impact and would be deemed “Out of Scope”, if submitted:

  • TLS configuration weaknesses (e.g., "weak" cipher suite support, TLS 1.0 support, Sweet32 etc.)
  • Reports indicating that our services do not fully align with SSL/TLS "best practice" that do not contain a fully functional proof of concept (e.g., missing security headers or suboptimal DNS or email-related configurations such as CAA, SPF, DMARC, etc.)
  • Host header injection where the resulting impact is minimal (i.e., with no significant impact in nature)
  • Network data enumeration techniques (e.g., banner grabbing, existence of publicly available server diagnostic pages)
  • Google Maps API Keys
  • Account/e-mail enumeration using brute-force attacks
  • Account/e-mail enumeration that does not require brute-force attacks may be considered VALID upon approval
  • Clickjacking/UI redressing
  • Client-side application/browser autocomplete or saved password/credentials
  • Descriptive or verbose error pages without proof of exploitability or of obtaining sensitive information
  • Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate limiting protections
  • Leaking session cookies, user credentials, or other sensitive data will be reviewed on a case-by-case basis
  • If leaking of sensitive data requires MiTM positioning to exploit, it will be considered out of scope
  • Low-impact information disclosures (including software version disclosure)
  • Missing cookie flags
  • Missing/enabled HTTP headers/methods which do not lead directly to a security vulnerability
  • Heartbleed reports require a valid PoC which shows sensitive data leakage. The sensitivity of the data will be determined by the Emirates NBD Security team.
  • POODLE reports require a PoC demonstrating a downgrade, not just the result of an SSLScan or Nmap scan.
  • Use of a known-vulnerable library which leads to a low-impact vulnerability (e.g., an outdated jQuery version leading to low-impact XSS).
  • Vulnerabilities affecting users of outdated browsers, plugins, or platforms
  • Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
  • Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g., Self-XSS)
  • Self-XSS for a Persistent/Stored XSS will be considered due to the possibility that an admin/superuser may stumble across and execute a payload

Reporting a vulnerability

If you have come across a potential security vulnerability which falls in scope, please email us at vdp@emiratesnbd.com.

In accordance with industry convention, we ask you to provide a benign (i.e., non-destructive) proof of exploitation wherever possible. This approach reduces the chance of duplicate reports and the potential misuse of certain vulnerability types (e.g., sub-domain takeovers). However, if the vulnerability is still exploitable, please avoid including the proof of exploit in your initial plaintext email. Please also ensure that all proofs of exploit are in accordance with our guidance (below); if you are in any doubt, please email vdp@emiratesnbd.com for advice.

Security researchers are prohibited from publicly disclosing vulnerabilities without the prior written consent of Emirates NBD Security team.

Data Protection
  • Protection of customer data

Any testing or research conducted as part of this vulnerability disclosure policy must not compromise or expose Emirates NBD Group’s customer data or any personal data in any way. Researchers are strictly prohibited from accessing, manipulating, or sharing any customer data or personal data during the testing process. Any accidental exposure or access to customer data or any personal data must be reported immediately at DPO@emiratesnbd.com. Failure to comply with this provision may result in immediate legal action, as applicable. Emirates NBD Group is committed to safeguarding customer and personal data and to maintaining the highest standards of data privacy and security.

  • Your personal data

Please note that supplying your contact information with your report is entirely voluntary and at your discretion. You can be assured that Emirates NBD will only use such information to clarify the details of your report with you, if necessary. To learn more about our general privacy policy, please visit:

https://www.emiratesnbd.com/en/data-privacy-notice

Bug Bounty

Regrettably, we do not currently offer a paid Bug Bounty program. However, we would like to thank security researchers who take the time and effort to investigate and report security vulnerabilities to us according to this policy.

What to expect from us

In response to your initial vulnerability submission email to vdp@emiratesnbd.com, you will receive an acknowledgement reply from the Emirates NBD Group Security Team, usually within 24 hours of your report being received.

Following the initial contact, our security team will work to triage the reported vulnerability and will respond to you as soon as possible to confirm whether further information is required and/or whether the vulnerability qualifies as per the above scope or is a duplicate report. From this point, necessary remediation work will be assigned to the appropriate Emirates NBD Group teams and/or supplier(s). Priority for bug fixes and/or mitigations will be assigned based on the severity of impact and complexity of exploitation. Vulnerability reports may take some time to triage and/or remediate and researchers are welcome to enquire on the status of the process but please limit this to no more than once every 14 business days; this helps our security team to focus on the reports as much as possible.

Governing Laws

All testing and research activities conducted under this policy must fully adhere to the laws, regulations and guidelines set forth by the United Arab Emirates and/or any other jurisdiction where an Emirates NBD Group entity, subsidiary or affiliate is located, as applicable. These include but are not limited to relevant cybercrime and data protection laws.

Any testing or research activities that violate any applicable laws or compromise the privacy, integrity or availability of our systems, customer data, personal data or any other sensitive information are strictly prohibited. By engaging in testing under this policy, researchers acknowledge their responsibility to comply with applicable laws.

By engaging in vulnerability testing and research under this policy you agree to conduct your activities in full compliance with the laws, regulations, and guidelines as well as best practices of the UAE and any other applicable jurisdictions. Emirates NBD Group shall not be held responsible for any legal repercussions arising from the researchers’ non-compliance with the aforementioned laws.

UAE Cyber Crime Laws, Regulations and Policies include:

Feedback

If you wish to provide feedback or suggestions on this policy, please contact our security team: vdp@emiratesnbd.com. This policy will evolve over time and your input will be valued to ensure that it is clear, complete and remains relevant.

* The document was last updated in August 2023.
