Responsible disclosure guideline
Purpose: Tryg strives to make our customers and partners feel "tryg", i.e. safe and secure.
Hence it's important for us, our customers, and our partners to know that any threat to us and them is handled effectively and efficiently. That is why we maintain these responsible disclosure guidelines, which give anyone clear directions on how to report security issues to us so we can act swiftly.
Intended audience: This guideline is intended for any individual who believes they have found a security issue in Tryg's in-scope assets.
For other types of problems:
- Experiencing problems with, or concerned about, your personal data? Report such issues to our data protection officer (DPO):
  - Denmark: https://tryg.dk/om-tryg/persondatapolitik (under section "Kontaktinformation")
  - Norway: https://www.tryg.no/sikkerhet-og-personvern/personvern.html (at the bottom)
  - Sweden: https://www.modernaforsakringar.se/integritet/ (under section "Dina rättigheter samt kontakt")
- Want to file a general complaint over Tryg?
- General inquiries (regardless of whether you're a current customer)?
It's illegal to test the security of Tryg’s systems as some tests may constitute hacking. This is regulated by the Danish Penal Code and as such is not for Tryg to decide.
If you come across a security issue, you may not continue to explore it after you have become aware of its existence; this includes for the purpose of demonstrating additional issues.
Contact us immediately instead as described in the section "How to report a security issue".
In-scope assets are all Tryg services, applications, and websites; all non-public Tryg-data incl. personal information, financial information, and proprietary information; or Tryg-data involuntarily publicised anywhere.
In-scope security issues also include:
- Ability to read or modify the above-mentioned Tryg data, or to hinder its availability.
- Security issues in the implementation of third-party plugins.
- Security issues in third-party services or libraries used in any of the in-scope Tryg assets.
- Non-technical issues which can impact Tryg as if they were technical security issues, e.g. a business process with a specific, vulnerable setup.
- Sites imitating Tryg assets but not owned by Tryg, e.g. sites aiming to phish Tryg or Tryg customers, or to misuse the Tryg brand.
If you're in doubt, you're welcome to ask questions at firstname.lastname@example.org.
Out of scope
Out of scope security issues include:
- Non-sensitive cookies.
- Security issues requiring a jailbroken mobile device, unless the issue enables a server-side compromise.
- Social engineering attacks (e.g. phishing) against Tryg (sites set up to social-engineer Tryg or our customers remain in scope, cf. the previous section).
- Findings from automated scans.
How to report a security issue
If you detect a security issue in our in-scope assets, please email us at email@example.com.
Please include the string "Responsible disclosure" in the subject to ensure proper handling of your email.
When reporting a security issue, please include these points:
- Description of the security issue with as many details as possible.
- The attack chain by which the discovered security issue could lead to an impact on Tryg.
- Any thoughts on how we can mitigate the security issue.
- Contact details and preferred method of follow-up conversation (e.g. email, Skype, Teams or phone).
You must ensure that your email is sent with ≥TLS1.2 (“forced TLS”) and a cipher suite currently considered secure.
If you can’t ensure forced TLS, please use the (fool-proof) alternative: put the relevant information in a .zip or .7z file encrypted with a secure algorithm and a strong password, and attach it to a regular email to the above address. Deliver the password via a separate communication channel. Please contact us at firstname.lastname@example.org to arrange that channel (probably a text message, phone call or virtual meeting room, depending on your preference).
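For reporters who submit from a script rather than a mail client, the following is an added example (not Tryg's code and not part of this guideline) of what "forced TLS" means in practice: the SMTP session refuses to continue unless the server offers STARTTLS, the negotiated protocol is TLS 1.2 or newer, and the server certificate validates. The submission host `smtp.example.invalid` and the sender address are constructed placeholders; the recipient address is the one shown on this page.

```python
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

# Recipient as displayed on the guideline page; the sender/host below are constructed placeholders.
REPORT_ADDRESS = "email@example.com"
MINIMUM_TLS_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTABLE_VERSIONS = ("TLSv1.2", "TLSv1.3")


def make_strict_tls_context() -> ssl.SSLContext:
    """Build a client context that validates the server certificate and
    refuses anything older than TLS 1.2 (the guideline's minimum)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check + system CA store
    ctx.minimum_version = MINIMUM_TLS_VERSION
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces the three properties a report sender needs."""
    return (
        ctx.minimum_version >= MINIMUM_TLS_VERSION
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname is True
    )


def negotiated_version_is_acceptable(version: Optional[str]) -> bool:
    """Check the protocol string reported by SSLSocket.version() after STARTTLS."""
    return version in ACCEPTABLE_VERSIONS


def send_report(smtp_host: str, sender: str, body: str,
                smtp_port: int = 587, context: Optional[ssl.SSLContext] = None) -> str:
    """Send a disclosure email, aborting (rather than falling back to cleartext)
    if the server cannot give a TLS 1.2+ session. Returns the negotiated version."""
    ctx = context or make_strict_tls_context()
    msg = EmailMessage()
    msg["Subject"] = "Responsible disclosure"  # string the guideline asks for
    msg["From"] = sender
    msg["To"] = REPORT_ADDRESS
    msg.set_content(body)

    with smtplib.SMTP(smtp_host, smtp_port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Do not send in the clear; use the encrypted-archive fallback instead.
            raise RuntimeError("server does not offer STARTTLS")
        smtp.starttls(context=ctx)  # raises ssl.SSLError if cert or version is unacceptable
        smtp.ehlo()
        version = smtp.sock.version()
        if not negotiated_version_is_acceptable(version):
            raise RuntimeError(f"unacceptable TLS version negotiated: {version}")
        smtp.send_message(msg)
        return version


if __name__ == "__main__":
    # Placeholder host; replace with your own mail submission server.
    print(send_report("smtp.example.invalid", "reporter@example.invalid", "See attached details."))
```

Note that this only enforces TLS on the hop from the reporter to their own submission server; the onward hop to the recipient's mail exchanger is negotiated by that server. If you cannot verify the full path, the encrypted-archive fallback described above is the safer choice.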
After receiving your report, we will make our best efforts to respond to you within 15 business days.
Processing of personal data
Please note that when you report a security issue, we will store and process all personal data included in your report and follow-up conversation, but strictly only as required to act on your report.
This will usually be limited to your initial email and any follow-up conversation being processed and stored in our ITSM system, email servers and email clients.