Responsible disclosure policy

Have you found a vulnerability or other security issue related to nbim.no? Thanks for reporting it to us!

 

Security is core to our values at Norges Bank Investment Management. We value and appreciate security researchers acting in good faith and contacting us with findings that can help us protect and secure our organisation and assets.

If you would like to contribute

Please e-mail your findings to: responsibledisclosure@nbim.no and:

  • Play by the rules - as explained here and stay within applicable laws and relevant agreements
  • Await full disclosure until we approve
  • Stay within scope of this policy
  • Stop when you have enough information to demonstrate your findings on a conceptual level - do not take advantage of the vulnerability by downloading unnecessary data, destruct data, cause disruption or degradation of our services

When you report, we will

  • Ensure timely response
  • Work with you to understand and validate your finding
  • Work to remediate validated vulnerabilities in a timely manner
  • Recognise your contribution if you are the first to discover a vulnerability

Scope

*.nbim.no, *.generasjonsfondet.no

Out of scope

  • Norges Bank’s other entities (*.norges-bank.no)
  • 3rd parties to Norges Bank
  • DoS or other forms of resource exhaustion attacks
  • Attacks on physical security, social engineering, phishing/spam

Reward

Norges Bank Investment Management currently does not provide a bug-bounty program or any monetary rewards for reporting vulnerabilities. We will, however, recognise those that help us improve our security.

Security hall of fame

2023: Rajesh Sagar – No rate limit leads to potential email flooding on website  
2022: Timothy Salomonsson – Vulnerability: XSS/HTML Injection Vulnerability
2022: Harsh Bhanushali - Vulnerability: Prototype Pollution via jQuery
2022: Yash Kushwah - Vulnerability: Prototype Pollution via jQuery
2022: Arjun E – Vulnerability: No rate limit leads to potential email flooding on website
2022: Nikhil Rane –  Vulnerabilities: Error Page Content Spoofing or Text Injection, Host Header Injection
2022 : Kokalagi Rushikesh - Vulnerability: Exposed API key
2021: Shivam Khambe - Vulnerability: Same-site scripting
2021: Priti Navale - Vulnerabilities: Clickjacking

Security hall of fame

2023: Rajesh Sagar – No rate limit leads to potential email flooding on website  
2022: Timothy Salomonsson – Vulnerability: XSS/HTML Injection Vulnerability
2022: Harsh Bhanushali - Vulnerability: Prototype Pollution via jQuery
2022: Yash Kushwah - Vulnerability: Prototype Pollution via jQuery
2022: Arjun E – Vulnerability: No rate limit leads to potential email flooding on website
2022: Nikhil Rane –  Vulnerabilities: Error Page Content Spoofing or Text Injection, Host Header Injection
2022 : Kokalagi Rushikesh - Vulnerability: Exposed API key
2021: Shivam Khambe - Vulnerability: Same-site scripting
2021: Priti Navale - Vulnerabilities: Clickjacking