Reporting a cyber security threat

Keeping our information, systems and services secure is a top priority for ASB.

Responsible disclosure programme

We value insights from security researchers that may help us mitigate cyber security risk. Our responsible disclosure programme helps ensure any potential risk is managed promptly, safely and securely.
If you believe you have discovered a suspected cyber threat or security issue that affects the confidentiality, integrity or availability of ASB's information, systems or services ("vulnerability"), please submit a report to our security team using one of the methods below.
To ensure the protection of our customers, we treat all information regarding a vulnerability as confidential and ask that you do not publicly disclose, discuss or confirm the details of any suspected security issues.

How to report a security issue

Email our Cyber Security Team at vulnerability@asb.co.nz. If you feel the email should be encrypted you can download our PGP key here.

We recommend using this email structure to help us investigate your report:

  1. Affected product or service, including URL(s)
  2. Your name and contact information
  3. If you do not wish to provide your personal information, you may contact us anonymously or use a pseudonym
  4. Date, time and time zone of when the suspected vulnerability was discovered
  5. The IP address used when suspected vulnerability was discovered
  6. What steps to take to reproduce the vulnerability

What happens next?

You'll receive an automated reply when we receive your cyber security disclosure.
We will use the information you provide to enhance the security of our systems. We may also use the information in notifications to regulatory bodies, to comply with laws, and assist government or law enforcement agencies. This includes those of our parent company, Commonwealth Bank of Australia.

Phishing or scam content

Please do not use this disclosure programme to report phishing or scam attempts. If you've received a hoax or phishing email or text message, send it to phishing@asb.co.nz.

Prohibited research

We encourage security research on our products and services and welcome your feedback. Research with malicious intent is strictly prohibited, and includes:

  • Accessing or attempting to access accounts or information you are not authorised to
  • Any attempt to modify or destroy information
  • Sending or attempting to send unsolicited or unauthorised email or other types of messages
  • Conducting social engineering (including phishing) of ASB employees, contractors, customers or any other related party
  • Posting, transmitting, uploading, linking to, sending or storing malware that could impact our services, products or customers
  • Exfiltration, disclosure or use of any proprietary or confidential information or data of ASB (including customer data) under any circumstances
  • Clickjacking
  • Any physical attempts against ASB property
  • Weak or insecure SSL ciphers and certificates
  • Any attempts of a Denial of Service (DoS)
  • Any activity or attempt to gain unauthorised access to ASB software or systems in violation of law

ASB does not waive any rights or claims with respect to such activities.


If you have provided your personal information in your email to us, we may contact you for more information to assist us with investigating your disclosure.
For more information about how we handle your personal information, refer to our ASB Privacy Statement.


ASB does not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities. We sincerely thank all researchers who have helped keep our customers and communities safe by reporting security vulnerabilities.