At the European Central Bank we greatly value the support of IT security researchers and members of cybersecurity communities in helping us to maintain our high IT security standards.
If you identify an IT security vulnerability relating to any of our websites, please notify us promptly before disclosing the vulnerability to the outside world, so that we can take the necessary measures. This is known as responsible disclosure.
Please keep all information relating to the discovered vulnerability secret from all third parties for a period of at least 90 days, allowing us to identify and implement the measures needed to address the issue you have reported.
The current scope for reporting includes the following websites:
Other sites, as well as subdomains of the sites listed above, are currently not included within this scope. We do regularly update this page, however, and it will reflect any changes to the scope for reporting.
If you have identified a security vulnerability, please proceed as follows:
Send us your notification as soon as possible via email to IT_responsible_disclosure@ecb.europa.eu.
Please include the following information in your report:
The size of the email communication should not exceed 10 MB. Please contact us in advance via the email address above should you need to send an attachment that is larger than this size.
Please use this PGP key to prevent unauthorised users from accessing the information.
Please act responsibly in dealing with your discovery of the identified security vulnerability. Do not take any actions that go beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your own advantage and avoid storing any confidential data obtained as a result of the issue.
We continuously monitor our internet-exposed assets to identify security issues and misconfigurations, and we therefore kindly ask that you avoid reporting the following items if they don’t lead to actual exploitation:
If you report a security vulnerability relating to any of our websites specified above, we will process your report as follows.
You can refer to the privacy statement for more information on how we handle your personal data within the Responsible Disclosure Programme.