How to Report a Vulnerability
You can report potential security issues by sending an e-mail to our security team. We strongly encourage you to utilize the provided Public PGP key for encryption purposes.
We request your submission include the following:
- The full URL
- Steps you took
- Objects (as filters or entry fields) possibly involved
- Evidence / Proof of Concept / how to reproduce (i.e. video, screenshots if possible)
- Risk or exploitability
- Offering a solution is highly encouraged but not required
When we receive your email, we will send an automatic email as acknowledgement. We will only respond back to you with additional emails if we need further information to help investigate the issue. For the protection of our customers, Citi will not disclose, discuss, or confirm security issues.
This program is not intended for:
Submitting complaints about Citi's services or products, reporting issues with ATM's, fraud, malware or asking questions about the availability of Citi's websites or mobile banking services. This program is also not intended for submitting suspicious or phishing e-mails. Please report suspicious e-mails or phishing to firstname.lastname@example.org