Vulnerability Disclosure Policy

This policy applies to all digital assets owned, operated or maintained by Swiss Life. The focus is on the web portals of Swiss Life in Switzerland. These domains specifically include swisslife.ch, swisslife.com and swisslife-select.ch. Further information is welcome.

If you work with us in accordance with this policy, you can expect the following:

• We will respond to your message immediately.
• We will take measures to close the security gap as soon as possible.
• We will do our best to keep you informed of the progress.
• We will treat your report and your personal data in strict confidence.
• We will not restrict your access to our web portals.
• We will adhere to our Vulnerability Disclosure Policy.
  

If you would like to help us identify vulnerabilities in good faith, please:

• Follow the rules, including adherence to this policy and all other relevant agreements. In the event of any contradictions between this policy and other applicable provisions, the provisions of this policy shall take precedence.
• Avoid invading the privacy of others (e.g. no social engineering, phishing or spam).
• Avoid disrupting our systems and/or impairing the user experience (e.g. no DDoS).
• You must not spy on, modify, download, delete or pass on any data.
• Use only the official channels to discuss vulnerability information with us.
• Allow us a reasonable time (at least 90 days from initial notification) to resolve the issue before you make it public.
• Only perform tests on systems within the scope (see above) and respect any systems and activities that are outside the scope.
• Stop testing immediately and submit a report if you come across any personal data as defined in the Swiss Federal Act on Data Protection (FADP).
• Use only access data that belong to you or with the express permission of the account holder.
  

Any reports that you send us should include the following:

• Type of vulnerability
• Description of vulnerability (including the browser used and, if applicable, the browser settings)
• Example (unambiguous request or PoC code)
• Sufficient information for us to reproduce and analyse the problem
• Step-by-step instructions are best
• Screenshots are welcome
• An indication of a possible solution is welcome
• Contact details for queries are welcome

The information reported may include:

• Cross scripting (XSS) vulnerabilities
• SQL injection vulnerabilities
• Encryption vulnerabilities
• Cross Site Request Forgery (CSRF)
• Insecure Direct Object Reference
• Remote Code Execution (RCE) – Injection Flaws
• Potential for data/information exfiltration
• Active backdoors that could be exploited
• Potential for unauthorised system use

The following should not be reported:

• Reports from automated tools or scans without explanatory documentation
• Messages regarding a missing security feature without exploitability
• Disclosure of non-sensitive information
  

When conducting vulnerability research pursuant to this policy, we will consider such research conducted in accordance with this policy to be:

• Authorised with respect to applicable anti-hacking laws. We will not initiate or support any legal action against you for inadvertent violations of these laws in good faith.
• Authorised with respect to relevant anti-circumvention laws. We will not assert any claims against you for the circumvention of technology controls.
• Excluding any restrictions in our Terms of Use that would interfere with the conduct of security research, and we waive such restrictions to a limited extent.
• Lawful, and helpful for the overall security of the internet and carried out in good faith.

As always, you are expected to comply with all applicable laws. If legal action is taken against you by a third party and you have complied with this policy, we will take steps to make it known that your actions were carried out in accordance with this policy. If at any time you have concerns or are unsure whether your security research complies with this policy, please submit a report through one of our official channels before proceeding. Please note that the Vulnerability Disclosure Policy only applies to legal claims under the control of the organisation participating in this policy and that the policy is not binding on independent third parties.