Suncorp Vulnerability Disclosure Program
How you can help us safeguard our customers’ data integrity and security.
What is the purpose of the program
At Suncorp, we are dedicated to safeguarding the protection and integrity of our data, systems, and services across all our brands. But there may still be vulnerabilities.
That’s why we value the critical role that security researchers play in helping us identify and mitigate cyber security risks.
Please submit a report to our security team if you have found a potential security vulnerability that may impact the:
- confidentiality
- integrity, or
- availability
of Suncorp's information, systems, or services which you are authorised to access or use.
Please note the program relates only to the information, systems or services of the Suncorp Group of companies, which does not include Suncorp Bank (Norfina Limited). Please do not submit any reports related to Suncorp Bank information, systems or services under this program.
How to report a vulnerability
To responsibly disclose a suspected vulnerability, please contact the Suncorp Cyber Security Team by emailing vulnerability@suncorp.com.au.
Provide as much information as possible in your report. We recommend you include:
- an overview of the vulnerability
- the impacted information, system or service, including relevant URLs
- your name and contact details (anonymity or pseudonyms are acceptable if you prefer)
- the date, time, and time zone when the vulnerability was identified
- the IP address used when the vulnerability was identified, and
- the steps taken to reproduce the vulnerability.
If you wish to encrypt your email, you can download our PGP key.
What happens after you submit a report
Once your disclosure is submitted, you will receive an automated confirmation of receipt.
We will carefully review the information provided to improve the integrity of our systems. We may reach out for further details to support our investigation, or to provide you with updates. We may also invite you to re-test the vulnerability once we have addressed it.
In some cases, we may use elements of your report in our engagements with our regulatory and government bodies.
Vulnerability reports are confidential
To protect the privacy and security of our customers, we treat all reports of vulnerabilities as confidential. By submitting a report to us, you agree to refrain from publicly disclosing, discussing, or confirming the details of any suspected security issues until we have had the opportunity to address them and confirmed this to you in writing.
How we handle your privacy
When you submit a report to us, you may be providing us with some personal information. For more information about how we handle your personal information, please refer to our Suncorp Privacy Policy. By submitting a report to us, you agree to us collecting and using your Personal Information in accordance with the Suncorp Privacy Policy.
What activities are prohibited
Although we welcome research into Suncorp’s offerings, the areas listed below are not acceptable nor condoned under the program:
- obtaining or trying to obtain access to accounts or information without proper authorisation
- accessing any information, systems or services you are not ordinarily authorised to access
- modifying, deleting, or destroying information without permission
- sending or trying to send unsanctioned or non-permitted emails or messages
- engaging in social engineering, including phishing, against Suncorp employees, contractors, customers, or any associated parties
- publishing, sending, loading, or sharing malware that could harm our systems, products, or customers
- exfiltrating, disclosing, or using any proprietary or classified information (including customer data) without authorisation
- clickjacking or other methods of bypassing security
- using automated vulnerability assessment tools
- physical attacks on Suncorp property
- exploiting weak or insecure SSL ciphers or certificates
- performing or attempting Denial of Service (DoS) attacks
- testing vulnerabilities in any applications or websites controlled by our suppliers and distribution network or that are otherwise not controlled by Suncorp
- engaging in any activity that seeks unauthorised access to Suncorp systems or software in violation of the law.
Suncorp reserves the right to act against individuals engaged in any of the activities listed above.
Recognition
We deeply appreciate the valuable contributions of researchers who help us protect our customers and communities by identifying and reporting potential security issues. Your efforts are crucial to maintaining a safe digital environment for everyone.
However, Suncorp does not provide compensation for reporting vulnerabilities.