Responsible Disclosure Policy

The information on this page is intended for security researchers interested in reporting security vulnerabilities to the Visma security team. If you are a customer and have a question about security or a password or account issue, please contact us through the standard support channels available for your product.

Visma is committed to the security of our customers and their data and we believe that engaging with the security community is important. We allocate resources to fix and patch exploitable vulnerabilities as soon as they are discovered by internal tests, researchers, or customers. If you believe you've discovered a security vulnerability in a Visma service, product or web property, we strongly encourage you to inform us as quickly as possible and to not disclose the vulnerability publicly until it has been addressed.

Visma does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to our Responsible Disclosure guidelines.

Responsible Disclosure Guidelines

  • Provide an appropriate level of detail on the vulnerability so that we can reproduce the issue.
  • Allow us a reasonable time period to address the issue before publishing any information or details about the vulnerability.
  • Target only your own accounts and devices when investigating and testing a vulnerability. Never attempt to access accounts, devices, or data that you don't own or don't have permission to access.
  • Do not use phishing or social engineering.

How to Report a Security Vulnerability

  1. Send a mail to responsible-disclosure@visma.com. If you feel that the email should be encrypted, our PGP key is available below.
  2. You will get an automated response confirming that we have registered the issue.
  3. A support ticket is automatically created and assigned to a Security Analyst.
  4. The Security Analyst will triage the issue and escalate to the correct team within Visma.
  5. The issue is fixed!

We believe in open communications and will keep you updated throughout this process. We aim to triage all reports within 12 business hours and address all exploitable vulnerabilities within 30 days.

Our PGP key

Click here for our PGP key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v2.0.0
Comment: https://www.mailvelope.com

xsFNBFolcs0BEADhn3g0A+sHKKJLzxhI6oRNAXf+nDNoTiwVA5J+mk88NPhk
vIDA0MfvhvTInHJZSgtwV0QpyCoF2zxnP28pNT+EjxeiZkpbVKjEeXEyV9vG
wH+bocKAnHKtvVD6NPFnzeb9xat2MxbcWCOeYBPVauEOXNdcGqWjkx7CNYU2
YT3NwR0Ytw68nFZyJc8dm7x2UQW7SKIwJdW9jx3Zyu1wDCRmFCzsWuUn/vGw
TjrXhJtrqgvLwIDafDLFgiYWeT1I22LPWKWFPTLySzH1dNx3ZrF6eEQoWLhH
JuRSOgQ7IQ0WASxsGiQU1oEy8vWgiA4ZKT4BLdJH0/E0NeDotZICe+LR3HGq
1w+bYawim1+YBjsQrYcH6MqY5VZ3sCcvknN4xAbA2SZNv8YATrG1gfKUd0M/
yrSDJbF/ZE5xxTcSFC0vN9nF8UyCkTtTLTBIDA2p2ZHkEyVaxmVX9lS0GnAM
X62HmNpUC0cjBxGQUwyEPdduO6IOmrF/uGGFos2svzfveD1bMAyUAf5hcx1N
NsqspUiF3x3xjhT2Qzm12aBuATN5Jmckf4IVNkpZw6Ou1KPfpWej7hIb74oZ
DGYtTgyEhNTfOaEsklh1wcJL6JP07QdMBKOKf+TTjlXdiDSpNUju+W3Ci1Om
cxwzi/jLzSKsEfmgSl6NlW4lK5uxHCqwWMhWKQARAQABzT9WaXNtYSBSZXNw
b25zaWJsZSBEaXNjbG9zdXJlIDxyZXNwb25zaWJsZS1kaXNjbG9zdXJlQHZp
c21hLmNvbT7CwXUEEAEIACkFAlolctAGCwkHCAMCCRACIJNLR31TqAQVCAoC
AxYCAQIZAQIbAwIeAQAA+WcP/jv/n9MSXRhbK1wDZEnicvAnPblh0BYnhVen
H54AHkPHflWuAHHLYlS7Ez1Pjp9sBA7ZhVgW7Gw7GgnvvGSWCcs4/NjJKh1Q
wWIDyu6ikqxewfy160Qd1QbVIMkiBy902ZG0YJivDPGGFscCa5YRODNT5GcY
XI4WNd5Xj3DCf7qDImWTTZvCq5waq5O2pE0d2flzesvDuxta0gj9SbS1Soiq
LAeqzv0Y8nnTkK7HcF/dbnqqw/I3zGlo4Y5zwgEdlRFcMtXiN3pRQx3ZacVV
4YvI2XWNGxABMqqoJU6zXfjGaVZHfkXrCkf0xPC3nYStL1iontCaNAscH6iZ
EcR2l8qOreJdvNwY3L0U1FIJbKyHGo63Cb3k0yw1DITKh6QQnwZCaL2B9BER
eJ59l9ipwO2/G0U5yjsds8xsLpwN3R1Lwx20dY/IOaamsNGeskR2nmmlz3vP
sTRKO6CMKNnLphaXC3l0pvkil4Cilk4X3l0YFocjwSFQLv145l7yIm1yovdV
bHan5kckuShbRiqA4J8JgMAJvEPhStI0ISQ/aUUXSMtWQ+AX7BC6iTGjAbHY
39GJDC3EjxCXXjqmYSb8lx3CbODB02rOXfK5qjuZTc/ppAT6sEv3QNPP/+Ku
N7MVJ968J4Q3CazsnCRLGu5f8yeh7VT00mlzrs4kBW1ZvW0PzsFNBFolcs0B
EADKyvqR/qhZUFixJCOH+ZXcTQfT1IxcPoqUH+ItaPp+6zRU4sbe03G/VI+G
q5BJWlwcesn4qJLn+B8EpFka/+sXozGV144b1qFcQIfetog9b71pLkDNA3hZ
t8FP3nW1iddr1wLQ/qPwlwScOsnZOjo1fJK/s/ATxzDALZkI6YufHZmx5RPV
H6z4d/IKWSaFUDe/boEw78DMHFbiOdgrVMVjAVbhlI5iiG6dnekv4M3tdJd2
qPbeeawd+x7bQVPTCLvUrPhaev2wIHQVUNB6XCAgJcxP8PBnFbKPjvGxeKUf
YrpPlf2BqeQ+08aSNdJYw9szu0PHp2oNPh+mna7XtL9GtpcvoTtKRPVNunFz
eaiOtf8Xo7s51UUML8jkrTu36/RL45qfNIhksY31BOS5Gu0Gi2qpMv9rJ3tB
4AMcteGO24J0KZTZkJrULQMEj083U/r+KwXyuLH6o+R9Pnhq7jpDNu5xNmjo
eGWyPaVGVw+DyTMAn82O3Mo8u/8DFlRXuxvauDFzRumW6rJGf9XXYrnIEb1t
bD34nzp4V+PusAwdwWAwF8ABF5lMMYlhUUfq4o0Y6zqNYMMwW2Au4+0KFtER
STfS9i2w0NHUdS89b+Gh3xn4VxSk5veUnFx/FsXo/Rfr/teGO3xIxnESH9oV
78t7k6roTLV20jtQPfQTqq7XWQARAQABwsFfBBgBCAATBQJaJXLRCRACIJNL
R31TqAIbDAAA0loQANM/XFObeQa/rGlMI6K6j9nt/CISbRDkDzAXY0Vk93Ik
02N1fvkJHBq8zi900UOn9vCJTLeu3VBpR/sBwh16Qtq3mHhCG/2WyniBkgdz
iyknLQ0SGW09AFac3NQHYQ8bGJc/+iAWlCQvYlzIqtZfux3kUoz1uUIpbE7x
rA6O0JJ2s7YZDpAbN+tGCcfEG/JqfRvk5lLNoQWG+KCIsZKWyDVBe+9Uht+d
0HusOm2RBnTJ/JS5Dvs0yDUodtYWnplxjOOkn80/MmYZoD2Ue60vGabrgLmg
pt1Vbo6m6lMWKYPb1GQ+H1C4f0SfHSgu2SfWQIRRpaxStvRKQdp+p8M8ZOYi
nyxA2zSKoM4VJBDkHdfL/IjrgElPIllTAI0se9ZqS0CEq/7d4u+TpEn+mwjz
4t/dMqcYxN2F0JJ7ec1Z0RB/SUgX2CJggmnsZG1vNQV6EFOEuVN6rKFedjgP
AerySOPJ2DHXmdmppSbP5lRzwKyWwGnh7c/ksaku4HTz8/hIjoTmcnWpOuf/
Wl2413InypvPslfs7MwrWrzcvMm83QQz9SK5rq1kjIFAjhke3P+AFENvC6BY
Ulef1fKRZVse//nCDYj5+puI3rIzhbiH2tfox9zrY3U5i4EMTjUD6XI9E1xf
1KR0Aq+5JIiBF15X1wcG5kXQx5W1i7YdmsGHI83h
=O8N3
-----END PGP PUBLIC KEY BLOCK-----
We use cookies to collect information on your interaction with our website and combine this with the data you provide us to build a profile so we can show you content tailored to your interests. By accepting, you allow us to collect and process your personal information as described here.