Report a security vulnerability

When disclosing a security issue to us we expect you to act responsibly.

If you’re reporting a new issue, or one that may only be understood by a specialist, you’ll need to fully explain it citing references and sources. For more common vulnerabilities, you can simply let us know where it was found.

You must not:

• Break any applicable law or regulations.
• Access unnecessary, excessive or significant amounts of data.
• Modify data in Nationwide’s systems or services.
• Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
• Attempt or report any form of denial of service, for example overwhelming a service with a high volume of requests.
• Disrupt Nationwide’s services or systems.
• Communicate any vulnerabilities or associated details other than by means described on this page or in the published security.txt file.
• Social engineer, ‘phish’ or physically attack Nationwide’s staff or infrastructure.
• Demand financial compensation in order to disclose any vulnerabilities.

When submitting a security issue to us, we ask that you are as detailed as possible. Include as much of the information set out below as you can:

• A description of the vulnerability, including how exploitable it is. If not a common attack type, include what the impact of this issue is.
• The steps required to exploit the vulnerability including:
  • URL(s)
  • application(s) affected
  • prior conditions required, for example, logged in, not logged in, previous actions
  • how to demonstrate or replicate the problem, issue or vulnerability
• IP addresses used when the vulnerability was discovered.
• If post authentication, the user ID being used when the vulnerability was discovered. 
• A proof of concept (provided it is benign and non-destructive).
• Names of files uploaded to our systems (if any).

Provide your name, job role (if appropriate) and contact details. This will enable us to confirm that we’ve received your submission and update you on progress in resolving the vulnerability.

We will not respond to the following submissions:

• Vulnerabilities dependent upon social engineering techniques. For example, shoulder attack, stealing devices, phishing, fraud, stolen credentials or passwords.
• Vulnerabilities which require/involve a jailbroken mobile device.
• Vulnerabilities involving active content such as web browser add-ons.
• Disclosure of public information or information that does not present risk to Nationwide or our members. For example, web server type disclosure.
• Vulnerabilities contingent on a client system previously being compromised.
• Reports detailing non-exploitable vulnerabilities, or reports indicating that the services do not fully align with “best practice”, for example missing security headers.
• Presence of common public files, such as robots.txt or files in the .well-known directory.
• Self-XSS issues.
• Vulnerabilities relating to systems, websites or apps which are not owned or controlled by us.

We do not offer financial compensation or any other form of reward for submissions. Also, we will not refund any expenses you may have incurred.

But we do believe in public recognition for anyone who helps us to ensure our systems and data are secure. We won’t name you without your consent. If we feel that a public endorsement is appropriate, we’ll discuss the details with you in advance.

We request that you treat all information which is not publicly available as strictly confidential. This includes anything about our systems, websites, apps, staff or members that you become aware of. This information should not be shared or used for any purpose other than disclosing it to us as a submission as described above.

We in turn will respect the confidentiality of your details and your information.

By emailing or providing a disclosure to us, you agree to our terms. This means that we can use your submission and its contents to ensure the security, integrity and reliable operation of our technology and business.