GreenSky® Responsible Disclosure Guidelines

Our Commitment

The safety and privacy of customer information is GreenSky’s top priority. We want to hear from you if you have information related to potential security vulnerabilities in GreenSky’s systems, products or services.

Reporting

We appreciate security researchers and other individuals who take the time to report vulnerabilities, and we sincerely value your contributions. Please email your findings to reportvulnerabilities@greensky.com and be sure to identify the relevant system, product or service, where you found the issue, and as many details as possible to help us identify the issue.

By submitting any vulnerabilities to GreenSky, you represent that, to your knowledge, your submission contains findings that are original to you and you irrevocably grant GreenSky and its affiliates the unconditional right to use, modify, create derivative work from, distribute, disclose, and store the information included in your report.

Guidelines

GreenSky will not pursue legal action against contributors who report vulnerabilities if the contributor complies with all of the following requirements and the contributor’s research is not out of scope as indicated in the following section:

  • Do not intentionally access non-public GreenSky data any more than is necessary to demonstrate the vulnerability;
  • Do not disclose the vulnerability to any third party without GreenSky’s prior written approval (other than reporting the vulnerability to GreenSky in the manner described above), so that GreenSky may attempt to resolve the vulnerability;
  • Do not intentionally delete or modify GreenSky data;
  • Do not put a backdoor into any GreenSky systems;
  • Do not initiate a fraudulent transaction or loan application;
  • Do not compromise the privacy or safety of customers, merchants, bank partners or other persons;
  • Do not compromise the operation of GreenSky’s systems, products, services or other assets;
  • Do not use social engineering tactics against our employees;
  • Do not violate any applicable law; and
  • Do not publicly disclose vulnerability details without GreenSky’s explicit written approval.

Out of Scope

Certain vulnerabilities and tactics are considered out of scope for the responsible disclosure program:

  • Phishing attempts on GreenSky associates and/or partners
  • Denial of service or any other attempt to interrupt or degrade GreenSky’s systems, products or services, including impacting the ability for end users to use GreenSky’s systems, products or services
  • Any attempts to access a user’s account or data
  • Resource Exhaustion
  • Social Engineering – ex: stealing cookies, fake login pages
  • Any physical attempt against GreenSky property

GreenSky reserves the right to modify or terminate any or all of its Responsible Disclosure Guidelines at any time.