Re: Bank of America Contact

[peloy () chapus net (Eloy A. Paris)]

Jon,

This is a message directed more to your company's incident response team
that to you, but I don't know how to reach them. I hope they follow
Bugtraq, or that you forward the message.

Jon W <jonw () ripco com> writes:

> I work at Bank of America. I asked our incident-response team, and
> they would like the BUGTRAQ community to know that
> abuse () bankofamerica com is monitored for reports by real security
> admins.
>
> So that would be the main point of contact for reports.

Let's say that you didn't happen to be monitoring Bugtraq. How does
someone not associated with your company find the right point of contact
information for reporting security problems to your company?

I quickly searched BoA's web site and couldn't find anything that
pointed to the e-mail address you mention. I found information on how to
report a lost or stolen ATM, check, and credit cards, how to handle
identity theft, but nothing on how to report, for example, a
vulnerability in a BoA web application. Please correct me if I missed
the obvious.

In other words, it seems fairly easy for a customer to find information
on how to report fraud, but it is not easy for a security researcher (or
even a regular customer) to find information on how to report
vulnerabilities in the company's infrastructure.

This type of information should be provided in a very prominent place at
the company's website.

Cheers,

Eloy.-