Visma is committed to the security of our customers and their data, and we believe that engaging with the security community is important. We allocate resources to fix and patch vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. If you believe you've discovered a security vulnerability in a Visma service, product or web property, we strongly encourage you to inform us as quickly as possible and not to disclose the vulnerability publicly until it has been addressed.
Visma does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to our Responsible Disclosure guidelines.
Responsible Disclosure Guidelines
- Provide an appropriate level of detail on the vulnerability so that we can reproduce the issue.
- Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
- Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
- Do not use phishing or social engineering.
How to Report a Security Vulnerability
- Send an email to firstname.lastname@example.org. If you feel that the email should be encrypted, our PGP key is available below.
- You will get an automated response confirming that we have registered the issue.
- A support ticket is automatically created and assigned to a Security Analyst.
- The Security Analyst will triage the issue and escalate it to the correct team within Visma.
- The issue is fixed!
We believe in open communications and will keep you updated throughout this process. We aim to triage all reports within 12 business hours and address all vulnerabilities within 30 days.
Our PGP key
Click here for our PGP key