Responsible Disclosure Program

PNC Security is continually adapting to the changing cybersecurity landscape and to stay ahead of bad actors and threats to our systems and applications. However, keeping our customer and employee information safe is not achieved by technology alone – it takes alert employees, customers and partners, who know how to recognize and report issues.

PNC’s Responsible Disclosure program allows our customers and partners to submit vulnerabilities that they may find on any public-facing website or application owned, operated or controlled by PNC Financial Services. Any services provided or hosted by a third-party are not eligible. If you are unsure if the vulnerability you are reporting meets this criteria, please contact us at ResponsibleDisclosure@pnc.com

Email Vulnerability Reports to:

ResponsibleDisclosure@pnc.com

How to Submit a Vulnerability

Vulnerability reports can be emailed to ResponsibleDisclosure@pnc.com.

The information you provide will be reviewed by members of PNC Financial Services. Your report should include the following information:

  • The application, service, product, or system involved.
  • The type of issue discovered.
  • An estimated impact of the vulnerability.
  • Suggested mitigation or remediation.
  • A detailed description of the potential vulnerability.
  • A complete walk-through describing the steps necessary to reproduce the vulnerability.

A detailed report is crucial to the team to remedy your submitted vulnerability. If the above requirements have been met, we will confirm receiving your report within three business days. The information you provide will be used to correct vulnerabilities and improve the security of our applications and infrastructure. A member of the Security team will reach out to you if additional details are needed.

While confirming the vulnerability, PNC Financial Services will attempt to keep you informed of the status on a reasonable basis.

By submitting your vulnerability disclosure to PNC Financial Services you agree that you will keep information related to the vulnerability confidential and not disclose the vulnerability to any third-party unless PNC Financial Services has provided you with written authorization to do so. Submission of this vulnerability report provides your permission for PNC Financial Services to use, create derivatives of, disclose, or modify any information that you have provided.

PNC Financial Services assumes no obligation or responsibility for providing financial or other types of compensation to you for reporting this vulnerability.

Important Legal Disclosures and Information