Skip to main content

Reporting a Vulnerability

The security of your account information is of the utmost importance to us

If you believe you've found a security issue in one of our products or services, we encourage you to notify us.

How to Report a Vulnerability

You can report potential security issues by sending an e-mail to our security team at responsible.disclosure@citi.com.


We request your submission include the following:


  • The full URL
  • Steps you took
  • Objects (as filters or entry fields) possibly involved
  • Evidence / Proof of Concept / how to reproduce (in other words video, screenshots if possible)
  • Risk or exploitability
  • Offering a solution is highly encouraged but not required

When we receive your email, we will send an automatic email as acknowledgement. We will only respond back to you with additional emails if we need further information to help investigate the issue. For the protection of our customers, Citi will not disclose, discuss, or confirm security issues.

Out of Scope Items


This program is not intended for submitting complaints about Citi's services or products, reporting issues with ATMs, fraud, malware or asking questions about the availability of Citi's websites or mobile banking services. This program is also not intended for submitting suspicious or phishing e-mails. Please report suspicious e-mails or phishing to spoof@citi.com.


Please note that this program should not be construed as encouragement or permission to perform any of the following activities:


  • Hack, penetrate or otherwise attempt to gain unauthorized access to Citi software or systems in violation of applicable law
  • Disclose or use any proprietary or confidential Citi info or data, including any customer data
  • Adversely impact Citi or the operation of Citi software or systems

Citi does not waive any rights or claims with respect to such activities.

// Branding Header Dropdown fix