In my previous piece I pulled together a quick summary of the public-facing security reporting policies (or lack thereof) for a number of big sites on the web. Recently I started doing the same for financial institutions. I tried finding disclosure policies online for major financial institutions such as Citibank, Wells Fargo, Washington Mutual, Chase, Fidelity, etc. I was unable to find an externally accessible security reporting/disclosure policy for any of the major financial institutions I looked at.
Why is that?
- Fear that a disclosure policy makes it look like they could have a security issue?
- Worried about too many people contacting them about bogus issues?
- They don't want to be the first to publish one?