Our program

At CommBank, we are committed to ensuring the security of our information, systems and services and value the role of security researchers in helping us mitigate cyber security risk.

If you believe you have discovered a suspected cyber threat or security issue that affects the confidentiality, integrity or availability of the Bank’s information, systems or services (“vulnerability”), please submit a report to our security team via one of the methods below.

For the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.

Phishing or scam content

Please do not use this disclosure program to report phishing or scam attempts. If you have received a hoax or phishing email or SMS please send it to hoax@cba.com.au. You can also access our list of recently reported scam emails impersonating CommBank

What’s not allowed?

While we encourage security research on our products and services, the following types of research are strictly prohibited:

  • Accessing or attempting to access accounts or information you are not authorised to
  • Any attempt to modify or destroy information
  • Sending or attempting to send unsolicited or unauthorised email or other type of message
  • Conducting social engineering (including phishing) of Commonwealth Bank Group employees, contractors, customers or any other related party
  • Posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products or customers
  • Exfiltration, disclosure or use of any proprietary or confidential information or data of CommBank (including customer data) under any circumstances
  • Clickjacking
  • Any physical attempts against Commonwealth Bank property
  • Weak or insecure SSL ciphers and certificates
  • Any attempts of a Denial of service (DoS)
  • Any activity or attempt to gain unauthorised access to CommBank software or systems in violation of law.

CommBank does not waive any rights or claims with respect to such activities.

Reporting a security issue

You can responsibly disclose suspected vulnerabilities to the CommBank Cyber Security Team by emailing vulnerability@cba.com.au.

If you feel the email should be encrypted, our PGP key can be found below. 

Download PGP key

To assist us in investigating your report, we recommend you follow the structure:

  • Affected product or service, including affected URL(s)
  • Your name and contact information (if you do not wish to provide your personal information, you may contact us anonymously, or by using a pseudonym)
  • Date, time and time zone of when the suspected vulnerability was discovered
  • IP address used when suspected vulnerability was discovered
  • Steps to reproduce the vulnerability

Next steps

Upon submitting your disclosure, you will receive confirmation that we’ve received it by way of an automated reply.

We will use the disclosure information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and assist government or law enforcement agencies. 

Privacy

If you have provided your personal information, we may contact you for more information to assist us with investigating your disclosure. 

For more information about how we handle your personal information, you can refer to our CommBank Privacy policy

Recognition

CommBank does not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. We sincerely thank the researchers who have helped keep our customers and communities safe by reporting security vulnerabilities.