Vulnerability Disclosure Policy.
We welcome reports from security researchers and experts about potential weak points in our IT systems.
We are particularly interested in receiving information about security vulnerabilities which could damage the confidentiality or integrity of user information or user systems, or which could be exploited to surreptitiously obtain SBB services.
If you think you have discovered a potential security vulnerability in the SBB’s IT systems, please contact us using the linked form. In your report, please submit information and detailed instructions which will enable our security team to recreate the problem.
Any public-facing system owned by SBB or SwissPass are in scope.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
How to report security vulnerabilities to SBB.
To submit a vulnerability to SBB, please use the linked form.
Alternatively you can send us your report using this Email: firstname.lastname@example.orgLink opens in new window.
What we would like to see from you:
- Well-written reports in German or English.
- Describe in detail how you found the bug.
- Include a proof of concept.
- Reports out of the scope list will most likely be ignored.
- Do not submit reports from automated tools without verifying them.
What you can expect from us:
- A timely response to your report (within 5 business days).
- An open dialog to discuss issues.
- An expected timeline for patches and fixes (usually within 180 days).
In order to protect our customers and services, please do not publicize or share any information about a potential vulnerability.
SBB does not permit the following types of security research:
- Performing actions that may negatively affect SBB or its customers (e.g. social engineering, phishing, spam, denial of service).
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you.
- Social engineering any SBB employee, contractor or customer.
- Using vulnerability testing tools that automatically generate significant traffic.
Please note: Have you found any railway-related security vulnerabilities and weak points that are unrelated to our IT systems? Please report such instances here as well, and we will pass on your report.