Bug Bounty and Responsible Disclosure

Bug Bounty is a great and proven way of “battle testing” the security of a service with ethical hackers around the world paid to report security vulnerabilities to us. This program is meant to complement the Visma Application Security Program (VASP) and is a partnership with Intigrity, one of Europe’s biggest platforms for such purposes.

In this program, we encourage external security professionals and ethical hackers to search for security bugs in our products and report them to us.

If the reporters follow the policy (or rules of conduct) that we have published, we will reward them with money for every valid bug they report. In this way, we increase the chances that friendly testers will report bugs, which allows us to fix them before they are found and abused by cyber criminals.

We have two levels of bug bounty programs. A "private" program, used by around 150 specifically invited testers, and a "public" program, available for several thousands of testers.

For both programs, we have only specific assets that are in scope and only those are eligible for bounties.

The strength of a Bug Bounty program lies within the number of eyes and expertise because more researchers means more findings and better security.

Responsible Disclosure Program is an extension of the Bug Bounty program where all the Visma assets are in scope. We invite security researchers to find vulnerabilities and report them to us and provide transparent rules for them:

https://www.visma.com/trust-centre/security/products-and-services/bug-bounty-and-responsible-disclosure/

In this case, we do not offer monetary rewards, but as a sign of appreciation, for valid reports, we offer them a place in our Hall of Fame:

https://www.visma.com/trust-centre/security/products-and-services/bug-bounty-and-responsible-disclosure/hall-of-fame/