Responsible Disclosure Policy
The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Visma security team. If you are a customer and have a question about security or a password or account issue, please contact us through the support channels available for your product.
This policy sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is related to this policy;
- Work with you to understand and validate your report, including a initial response to the submission within 12 business hours;
- Work to remediate discovered vulnerabilities in a timely manner.
When conducting vulnerability research according to this policy, we consider this research to be authorized, lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channel before going any further.
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we ask that you:
- Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Keep the details of any discovered vulnerabilities confidential until they are fixed, according to the Disclosure Policy;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
- You should only interact with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
- Do not attempt to execute Denial of Service attacks.
- Do not use phishing or social engineering.
We do not currently offer money or swag as rewards. We will however, as a small token of appreciation, offer a place in our Security Hall of Fame (HoF) for all researchers that submits a previously unknown vulnerability that triggers a code or configuration change for an asset in scope.
How to Contact Us
Our official communication channel is via email to email@example.com. The issues are triaged by a Security Analyst before being escalated to the appropriate team. If you feel that the email should be encrypted, our PGP key is available below.
Visma service, product or web property
Please note! The majority of reports we receive have very little or no impact on the security of our services and products or are already known, and these will not be very prioritized by us. To avoid a disappointing experience when contacting us, please take a moment and consider if the issue you want to report actually has a realistic attack scenario.
More specifically, we ask you to not submit issues regarding:
- Spam-fighting policies such as DKIM, SPF or DMARC.
- Absence of HTTP Strict Transport Security (HSTS) headers, HSTS preloading, and HSTS policies.
- Absence of DNSSEC.
- Absence of other security headers such as Content-Security-Policy, X-Frame-Options, X-XSS-Protection, etc.
- Password policies.
- Host header injection, unless you have confirmed that it can be exploited in a practical attack.
- Out of date software, unless you have confirmed that it can be exploited in a practical attack.
- Anything where the PoC requires you to run Burp on the victims computer.
- We prefer text based descriptions so don't spend time on creating videos.
- Do not submit findings from a tool without verifying that an actual vulnerability exists.
Our PGP key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v2.0.0
-----END PGP PUBLIC KEY BLOCK-----