Inviting ethical hackers to find bugs in Visma applications

In software products and services, there is always a risk of bugs and vulnerabilities. Through our Bug Bounty program, we and our partner companies invite ethical hackers to help us find these vulnerabilities, so that they can be fixed faster.

Read on to learn more about how we, and our partner Nmbrs, work with security together with ethical hackers. 


Despite the constant effort and care companies worldwide take to keep their networks, products, and services secure, bugs exist.


In Bug Bounty programs, ethical hackers are invited to test and challenge applications. Within the Visma family of companies, when a hacker finds a vulnerability or bug, the hacker reports this back to our developers. 


Why is Bug Bounty important?

Every application is built with code, and this code is the foundation of every software application. It takes thousands of lines of code to make a modern program, web service, car, or airplane.


The average iPhone app has fewer than 50,000 lines of code, while Google’s entire code base, as of Feb 8, 2017, had two billion lines across all services. In the end, we have to face it: all software has bugs, so as a software company it is our job to find them quickly.


“The vast complexity of the modern-day software makes it impossible to catch all the bugs, regardless of how advanced the automated tests and checks may be. Nothing compares to having actual, skilled people looking for security issues. 

The bug bounty program allows us to leverage the immense power of thousands of brilliant minds all over the world. These people have the incentive to look for and to responsibly disclose security issues to Visma – continuously,” – Joona Hoikkala, Application Security Architect in Visma.  

In Bug Bounty programs, ethical hackers are invited to test and challenge applications. Within Visma, when a hacker finds a vulnerability or bug, the hacker reports this back to us. 


We fix these flaws and report back to the hacker, and they are rewarded with a spot on our Hall of Fame, a quality branding for the person. This is often referred to as a “true quality check” of developers and engineers and is very highly valued by recruiters and companies.


Nmbrs’ disclosure policy and bug bounty

Earlier this year, the Dutch company Nmbrs became part of the Visma family. In the security onboarding process, they presented their responsible disclosure policy. For over three years Nmbrs has invited ethical hackers from around the world to test their security. They do this because ensuring the security of the platform, network, and products is a top priority.


When an ethical hacker finds a bug, they report it to Nmbrs. In return, Nmbrs fixes the problem. Nmbrs and the rest of the Visma family share this mindset with tech giants such as Apple, Google, Airbnb, PayPal, Twitter, and Uber, which have implemented the same policy.


Data Protection Officer at Nmbrs, Floris Drost, explains that it is naive for a software company today to assume people won’t hack its products and services, which is why they facilitate the Bug Bounty program:


“Just like boys will be boys, hackers will be hackers. They are going to hack you anyway, so it would be stupid not to use their skills to improve your product. But you do need to facilitate them, that’s why we have the responsible disclosure.”

Do you want to take part in our Bug Bounty program, or read more about our security initiatives?

Visit our Trust Centre

