Description

Visma delivers software that simplifies and digitizes core business processes in the private and public sector. With presence across the entire Nordic region along with Benelux, Central and Eastern Europe, we are one of Europe’s leading software companies. We want to engage with responsible security researchers around the globe to further secure our services. This program is dedicated for all Visma assets (services, products, web properties).

Bounties

This is a responsible disclosure program without bounties.

Rules of engagement
Required
User-Agent: Intigriti-<username>- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
max. 20 requests/sec
X-Bug-Bounty: Intigriti-<username>

To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, by participating in this program, you agree to the following program rules.

Program Rules

  • Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail.
  • Respect the Community Code of Conduct
  • Respect the Intigriti Terms and Conditions
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
  • Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
  • Only interact with accounts or devices you own or with explicit permission from the owner.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If unsure or need advice, contact us at security.testing@visma.com.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • Do not attempt to execute Denial of Service attacks.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Report any vulnerability you’ve discovered promptly.
  • Do not engage in extortion by demanding a reward before disclosing vulnerability details.
  • Use only the Official Channels to discuss vulnerability information with us.

Expectations

When working with us according to this policy, you can expect us to:

  • Extend Safe Harbor for your vulnerability research that is related to this policy
  • Work with you to understand and validate your report, including a initial response to the submission within 12 business hours
  • Work to remediate discovered vulnerabilities in a timely manner
Domains
No bounty
URL

This program covers all Visma services, products or web properties.
We do not offer money rewards for this program, but as a small token of appreciation for all researchers that submit a previously unknown vulnerability that triggers a code or configuration change, we will offer a place on our Security Hall of Fame (HoF).
Also for all valid Medium+ reports, we will offer swags.

For money rewards, the only exceptions are the specific assets listed in our Public Bug Bounty Program, see https://app.intigriti.com/programs/visma/visma/detail. Please note that we will only accept reports for the explicitly listed assets under our Public program.

In scope

This program covers all Visma services, products or web properties.

Please note! Most reports we receive have little or no security impact or are already known. To avoid a disappointing experience when reporting us, please take a moment and consider if the issue you want to report actually has a realistic attack scenario.

Out of scope

We ask you to not submit issues regarding:

  • Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability ((ie: Subdomain Takeovers without proof of actually taking over the subdomain).
  • Findings from automated tools without providing a Proof of Concept.
  • Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones.
  • Missing or weak security-related HTTP headers.
  • Non-Sensitive Data Disclosure, for example server version banners.
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Self-XSS.
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Host header injection, unless you have confirmed that it can be exploited in a practical attack.
  • Expired SSL certificates, weak SSL Ciphers, or issues regarding old TLS/SSL versions.
  • Previously known vulnerable software or libraries without a working Proof of Concept.
  • Metrics endpoints unless the information can be used to prove impact
  • Rate limiting or bruteforce issues on non-authentication endpoints.
  • Denial of Service.
  • CSV/formula injection.
  • Flash based exploits.
  • Clickjacking.
  • Google Maps API key disclosure.
Severity assessment

We will always take into consideration the business impact and security impact when setting the final severity of the reports, so in case there's no impact, the report will not be accepted.

When duplicates occur, we will only accept the first report. A duplicate is a vulnerability that we are already aware of, regardless of how we first became aware of it (it could have also been discovered by us internally).

To get an idea of how we define severities, see the following table as a guideline, but please know that the severity may be adjusted depending on the actual business impact:

Severity Vulnerability
Exceptional A quality report that shows exceptional impact to Visma and it's customers, typically otherwise in high or critical severity category
Critical Remote Code Execution (RCE)
Critical SQL Injection (SQLi)
Critical Authentication or Authorization Bypass
High Local File Inclusion
High Account Takeover
High Mass PII Extraction
High Horizontal Privilege Escalation across customer contexts
High Vertical Privilege Escalation
High XML External Entity Injection (XXE)
Medium Insecure Direct Object Reference (IDOR)
Medium Horizontal Privilege Escalation within the same customer context
Medium Server-Side Request Forgery (SSRF)
Medium Reflected Cross-Site Scripting
Medium Stored Cross-Site Scripting (XSS)
Medium DOM-based Cross-Site Scripting
Medium Cross-Site Request Forgery (CSRF)
Medium Sensitive Data Exposure
Medium Cross-Site Script Inclusion (XSSI)
Low GUID-based IDOR
Low Mass User Enumeration (without brute-forcing)
Low Clear text Submission of Passwords (over HTTP)
Low Open Redirect
Low HTML content injection
Low Broken Link Hijacking
Low PHP Info Disclosure
Low Rate limit issues on authentication endpoints
Informative Non-State Changing Cross-Site Request Forgery
Informative CSV/formula injection
Informative Server Information Page
Informative User Enumeration including WordPress Mass User Enumeration
Out of scope Text (non-html) content injection
Out of scope Non-Sensitive Data Disclosure
Out of scope Lack of, or weak, security headers
Out of scope Flash based CSRF
Out of scope DoS & DDoS
FAQ

Where can we get credentials for the app?

No credentials provided for this program. In case you register accounts, please use your @intigriti.me address so that we can track researchers in our production environments.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
no reputation Not managed by Intigriti
Overall stats
submissions received
1826
average payout
N/A
accepted submissions
917
total payouts
N/A
Last 90 day response times
avg. time first response
< 16 hours
avg. time to decide
< 2 weeks
Activity
11/20
logo
13ph03nix
created a submission
11/19
Visma
closed a submission
11/17
logo
roys
created a submission
11/14
logo
emptymahbob
created a submission
11/8
Visma
accepted a submission
11/8
Visma
closed a submission
11/7
logo
habisocn
created a submission
11/7
Visma
accepted a submission
11/4
logo
geireeni
created a submission
11/4
Visma
accepted a submission