Latvijas Banka has joined the initiative coordinated by the Information Technology Security Incident Response Institution CERT.LV. Under this initiative, public authorities enable researchers active in the field of information technology security (cyber security) to identify shortcomings and vulnerabilities on the public websites of the above authorities.
Latvijas Banka supports good practices of detecting vulnerabilities and security gaps and provides a possibility for cyber security researchers to identify shortcomings and vulnerabilities on Latvijas Banka's official website www.bank.lv, sales platform for coin purchase www.e-monetas.lv and economic education website www.naudasskola.lv.
The vulnerability disclosure policy of Latvijas Banka lays down guidelines for detection of vulnerabilities and security gaps of the websites www.bank.lv, www.e-monetas.lv and www.naudasskola.lv and for the submission of the respective reports.
The vulnerability disclosure policy refers exclusively to Latvijas Banka's official website www.bank.lv, sales platform for coin purchase www.e-monetas.lv and economic education website www.naudasskola.lv. Testing of other websites, resources and systems of Latvijas Banka within the framework of this initiative is not permitted.
Should you have any questions prior to the test launch, please contact Latvijas Banka by e-mail: cyber.web@bank.lv.
The following types of testing are not allowed:
- carrying out social engineering attacks;
- using a vulnerability to access information (except a strict minimum of information to prove the existence of a vulnerability);
- employing a vulnerability to remove, change or delete information;
- attempting to disrupt access to services by means of denial-of-service (DoS, DDoS) attacks;
- automated password guessing or cracking.
Suspend testing and contact Latvijas Banka immediately in the manner prescribed above if you are exposed to any of the following types of information during testing:
- information on a person's identity;
- financial information, e.g. bank account or credit card numbers;
- commercial secrets or proprietary information.
Latvijas Banka undertakes to take no legal action against honest cyber security researchers and persons who:
- comply with this policy during testing;
- engage in testing without harming the operation of Latvijas Banka and its services and/or customers;
- refrain from disclosing any details on the identified security gaps prior to the end of the mutually agreed deadline;
- obey the laws of Latvia and those of their country of location.
Submitting a report to Latvijas Banka
The report on the identified vulnerabilities and security gaps has to be submitted to Latvijas Banka by e-mail (cyber.web@bank.lv) or through cvd.cert.lv, the vulnerability reporting platform of CERT.LV.
In order to ensure a successful examination of the report and the implementation of the necessary improvements by Latvijas Banka, the report has to be clear and structured. It has to be drawn up in Latvian or English. The report has to indicate the location of each identified vulnerability and its impact, and describe how the vulnerability could be eliminated.
The report has to contain a description of the sequence of actions at a level of detail which allows the vulnerability to be reproduced. Where possible, proof-of-concept scripts, screenshots or other graphic material have to be added to increase the level of detail.
Information on the identified vulnerability must not be disclosed before its elimination. Prior to making information public, the stakeholders agree on the time when it has to be published and on its scope.
Latvijas Banka undertakes to reply to the submitted report within four business days. In more complicated cases, Latvijas Banka may enter into a dialogue with the person submitting the report in order to eliminate the vulnerability.
Latvijas Banka reserves the right to share the obtained information with a neutral third party, e.g. CERT.LV, in order to obtain help with the elimination of the identified vulnerability.
Latvijas Banka is grateful to cyber security researchers for their time and reports that help to improve the security of Latvijas Banka's official website, but it will not provide any financial compensation.
Additional information
- For action in case of detecting an information technology security gap, see Paragraphs two and three of Section 6.1 of the Law on the Security of Information Technologies.
- For a coordinated process of identification of vulnerabilities in public administration, see the information report "On the Introduction of a Coordinated Process of Identification of Vulnerabilities in Public Administration".
- The vulnerability reporting platform intended for reporting the vulnerabilities identified in resources of public authorities and for processing reports (https://cvd.cert.lv/).