Description

Visma delivers software that simplifies and digitizes core business processes in the private and public sector. With presence across the entire Nordic region along with Benelux, Central and Eastern Europe, we are one of Europe’s leading software companies. We want to engage with responsible security researchers around the globe to further secure our services. No code is flawless and we believe that taking part in the Intigriti community can help us improve the security of our systems.

Bounties
Low
Medium
High
Critical
Exceptional
Tier 2
€ 100
€ 250
€ 1,000
€ 3,000
€ 7,500
€ 100 - € 7,500
Domains
Tier 2
iOS

Visma Scanner
Visma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.
The iOS version of the app can be found here:
https://apps.apple.com/us/app/visma-scanner/id564141518
Please read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-getting-started.pdf

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc)
  • Private screen exposure in the app
  • Stack traces from api calls
  • Jailbroken devices is out of scope
  • All options for login are out of scope, except eAccounting (please see details in the "Getting Started instructions document"

accountsettings.connect.identity.stagaws.visma.com

Tier 2
URL

Connect
See instructions for domain "connect.identity.stagaws.visma.com".

Out of scope:

  • Session invalidation during password change - this bug is known and the team is working on a fix.
  • Session invalidation after enabling 2FA - by design intended to work like this.
  • Tenant based consent not removed and may lead to unauthorized access; we are aware about this vulnerability and the development team is working to fix it.

admin.stage.vismaonline.com

Tier 2
URL

Visma Online
This is the old interface for the customer's administrators to administrate the company, where we still have some functionality that has not been moved to the new interface. For example invoicing information and everything regarding collaborations with AO. The collaboration part is out of scope as long as the use of student companies.
Please read the Getting Started Instructions in the "myservices.stage.vismaonline.com" asset description.

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).

ai-testing.maventa.com

Tier 2
URL

AutoInvoice
This is the main UI for Visma AutoInvoice. AutoInvoice is Visma's automated and fully ERP integrated service for sending, receiving and handling invoices. AutoInvoice converts and exchanges electronic invoices, optionally prints invoices that can't be sent electronically, receives and interpret PDF invoices and offers services for scanning and interpretation of paper invoices. AutoInvoice handles both Business to Business (B2B) and Business to Consumer (B2C) invoices.
Create a test account on https://ai-testing.maventa.com/registrations, or use one of the demo accounts in the getting started instructions below:
https://vismabugbountyprod.z16.web.core.windows.net/VismaAutoinvoice-getting-started.pdf

Out of scope or works as expected (accepted risk):

  • adding users to your own company without consent
  • language change CSRF
  • application level DOS from /gdpr endpoint

api.home.stag.visma.com

Tier 2
URL

Visma.net Platform/ODP
See instructions for domain "connect.identity.stagaws.visma.com".

api.workbox.dk

Tier 2
URL

Dinero
This is Dinero's Public API.See instructions for "app.workbox.dk"

app.workbox.dk

Tier 2
URL

Dinero
Dinero is an accounting software for sole traders and micro businesses based out of Denmark. Our only target group is Danish companies and therefore the interface is in Danish only.The application is a SaaS application hosted in the cloud and consists of a main application and a number of supportive microservices.
See the getting started document here: https://vismabugbountyprod.z16.web.core.windows.net/VismaDinero-getting-started.pdf

Out of scope:

  • Issues related to login /user creation / forgot-password and /profile page
  • The Cookie ".AspNet.Cookies" is not set with HttpOnly which is a known vulnerability - please do not report it.
  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).
  • CSRF is out of scope until the team will fix all existing ones.

authz.workbox.dk

Tier 2
URL

Dinero
Used for Authorization (OAuth). See instructions for "app.workbox.dk"

Out of scope:

  • Issues related to login /user creation / forgot-password and /profile page
  • The Cookie ".AspNet.Cookies" is not set with HttpOnly which is a known vulnerability - please do not report it.
  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).
  • CSRF is out of scope until the team will fix all existing ones.

autointerface-embeddable-stage.maventa.com

Tier 2
URL

AutoInvoice
See instructions for domain "ai-testing.maventa.com" to get user credentials.

Out of scope or works as expected (accepted risk):

  • Clickjacking is out of scope for this asset since it is designed to be framed (embedded) in other 3rd party services.
  • Regular users are allowed to view certain admin settings pages (but not allowed to edit the settings)

autointerface.stag.visma.net

Tier 2
URL

AutoInvoice
See instructions for domain "ai-testing.maventa.com" to get user credentials.

Out of scope:

  • Clickjacking is out of scope for this asset since it is designed to be framed (embedded) in other 3rd party services.

ax-stage.maventa.com

Tier 2
URL

AutoInvoice
https://ax-stage.maventa.com is a REST API connected to Visma AutoInvoice.
API documentation is available on https://documentation.maventa.com/rest-api/ and https://ax-stage.maventa.com/swagger/#/
See instructions for domain "ai-testing.maventa.com" to get user credentials.

Tier 2
Android

Visma Scanner
Visma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.
The Andriod version of the app can be found here:
https://play.google.com/store/apps/details?id=com.visma.blue&hl=en
Please read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-getting-started.pdf

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc)
  • Private screen exposure in the app
  • Stack traces from api calls
  • Jailbroken devices is out of scope
  • All options for login are out of scope, except eAccounting (please see details in the "Getting Started instructions document"

connect.identity.stagaws.visma.com

Tier 2
URL

Connect
Visma Connect is featurewise a small but critical component in the Visma portfolio. It is a single sign-on solution used by many Visma services. It is also the place where users manage security preferences such as passwords, MFA, 2FA, email and other account settings.
User accounts for testing can be created on https://connect.identity.stagaws.visma.com (this signup flow is not available in production).
The test accounts will not have access to any other services right now, so testing is limited to the login portal itself. In the upcoming months we will add several large services to the scope which will use the Visma Connect portal as a common authentication platform.

Out of scope:

  • Session invalidation during password change - this bug is known and the team is working on a fix.
  • Session invalidation after enabling 2FA - by design intended to work like this.

eaccounting.stage.vismaonline.com

Tier 2
URL

eAccounting
This is "Visma eAccounting" (aka Visma eEkonomi / Visma ePasseli) which is an ERP system available in Sweden, Norway, Finland and The Netherlands.
You can read more on https://www.visma.no/eaccounting/english/
You need to register an user to test this system. The sign-up up process is described in this document:
https://vismabugbountyprod.z16.web.core.windows.net/Visma-eAccounting-getting-started.pdf
This video also shows the entire setup (only Swedish audio) https://www.youtube.com/watch?v=kVr_CXgfhi0&t=4s

TLDR: Goto https://admin.stage.vismaonline.com/Customer/StudentSignup.aspx and sign up with the training code "04h2v"

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).
  • Modification of gray-out fields when logged in with an admin account.
  • Improper access control: manipulation of the message conversation by members that have no permission (edit subject, join thread conversation, closing the conversation).

eaccountingprinting.stage.vismaonline.com

Tier 2
URL

eAccounting
You reach this asset by creating and viewing a report under the Accounting/Reports menu as a logged on user in asset "eaccounting.stage.vismaonline.com"

identity.stage.vismaonline.com

Tier 2
URL

Visma Online
Visma Connect is used as identity provider, but an own identity server is used to provide JWT tokens that are used by MyServices (and others).
Please read the Getting Started instructions document in the "myservices.stage.vismaonline.com" asset description.

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).

myservices-api.stage.vismaonline.com

Tier 2
URL

Visma Online
This is the API behind "myservices.stage.vismaonline.com".
Please read the Getting Started instructions document in the asset description "myservices.stage.vismaonline.com".

myservices.stage.vismaonline.com

Tier 2
URL

Visma Online
This is an interface where the customer's users can access all their services, and customer's administrators can manage users on the company and manage users' access to services that the company has.
More information about the service and test accounts creation can be found here:
https://vismabugbountyprod.z16.web.core.windows.net/VismaOnline-getting-started.pdf

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).

testing.maventa.com

Tier 2
URL

AutoInvoice
https://testing.maventa.com/apis/v1.1/wsdl is a SOAP API connected to Visma AutoInvoice.
API documentation is available on https://documentation.maventa.com/soap-api/
See instructions for domain "ai-testing.maventa.com" to get user credentials.

In scope

We are happy to announce the launch of our Public Bug Bounty Program on Intigriti, so if you have discovered a security vulnerability, please inform us through this program and we will do our best to quickly fix it.

Only the assets explicitly listed above are eligible for monetary rewards.

Vulnerabilities in any other Visma service, product or web property can be reported to our Responsible Disclosure Program, but those reports do not qualify for this Bug Bounty Program.

We plan to continuously update our scope, so keep an eye on us or subscribe to our program to receive updates.

Out of scope

Additionally to the bellow general out of scopes, please make sure you always check the asset description under each domain and don't submit issues that are out of scope for those specific domains.

In general, please do not submit issues regarding:

  • Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability
  • Findings from automated tools without providing a Proof of Concept
  • DoS & DDoS
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Missing or weak security-related HTTP headers
  • Self-XSS
  • Non-Sensitive Data Disclosure, for example server version banners
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • DNSSEC
  • Host header injection, unless you have confirmed that it can be exploited in a practical attack
  • Previously known vulnerable software or libraries without a working Proof of Concept
  • Password policies
  • CSV/formula injection
  • Flash based exploits
  • Rate limiting or brute force issues on non-authentication endpoints
  • User enumeration unless a list of registered users can be leaked without any kind of brute-forcing
  • Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jail broken smartphones
Rules of engagement

In order to gain a positive relationship and avoid misinterpretation and vagueness, we would like you to review the following program rules before you report a vulnerability. By participating in this program, you agree to respect our policy.

Program Rules

  • Please do NOT publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so. You can send us a video as proof of concept, but remember to change its privacy settings to private.

  • Perform testing only on in-scope assets and respect assets and activities which are out-of-scope. If unsure or need advice, contact us at security.testing@visma.com.

  • You can make it easier for us in case we need to check the logs, triage your report or contact you in case it’s needed. Therefore please do the following:

    • Use your @intigriti.me address while creating test accounts.

    • Use a User Agent with Intigriti and your username in it, like for e.g. :
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Intigriti: [USER-NAME]

    • Include a custom HTTP header where this is possible. Burp, Ffuf and other tools allow the easy automatic addition of headers to all outbound requests and most of the tools have the support for this. For e.g. for Burp, see this: https://portswigger.net/bappstore/807907f5380c4cb38748ef4fc1d8cdbc

      Identifier Format Example
      Your username X-Bug-Bounty: Intigriti-<username> X-Bug-Bounty: Intigriti-MotherofHackers

      Please note that this will not be used for monitoring purposes, it is just an easy way to get in touch with you in case needed.

  • Only interact with accounts or devices you own or with explicit permission from the owner.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • All publicly released 0 day exploits (or new published CVEs) have a blackout period of 5 business days before they will be accepted in this program.
  • Provide an appropriate level of detail with reproducible steps so that the issue can be easily reproduced.
  • Please include the HTTP requests/responses in the report. This will help us to search for duplicate reports using the endpoint and triage reports more effectively; include the vulnerable requests in the comment using markdown.
  • Please be aware that all reports for the same endpoint - regardless the HTTP verbs used (e.g. GET, POST, PUT, DELETE) will be considered duplicates as long as the fix is not applied.We will award, of course the original report. After the fix is applied, if we still get reports, these will be triaged accordingly.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Do not attempt to execute Denial of Service attacks.

Our promise to you

  • We will respond to your report as fast as we can and we aim for the following response targets:
    • Time to triage (from report submission): maximum 4 business days.
    • Time to bounty (from triage): maximum 4 business days.
    • Time to fix: 90 days.
  • We are happy to respond to any questions, please use the button in the right top corner for this.
  • We respect the safe harbour clause that you can find below.

Your promise to us

  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo, etc).

Legal

In connection with your participation in this program you agree to comply with all applicable local and national laws.
You may not participate in this program if you are currently employed or contracted by Visma.
You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.

Vulnerabilities obtained by exploiting Visma users or employees are not eligible for a bounty and will result in immediate disqualification from the program.

Visma has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Visma's customers and publicize this information on the open, public-facing Internet without customer consent, nor has Visma ever given permission for programs or data belonging to Visma to be modified or corrupted in order to extract and publicly disclose data belonging to Visma.

Visma reserves the right to change this policy at any time. You can subscribe to program updates to be notified of any changes.

Safe harbour for researchers

Visma considers ethical hacking activities conducted consistent with the Researcher Guidelines, the Program description and restrictions (the Terms) to constitute “authorized” conduct under criminal law. Visma will not pursue civil action or initiate a complaint for accidental, good faith violations, nor will they file a complaint for circumventing technological measures used by us to protect the scope as part of your ethical hacking activities.

If legal action is initiated by a third party against you and you have complied with the Terms, Visma will take steps to make it known that your actions were conducted in compliance and with our approval.

Severity assessment

Monetary rewards will be offered for qualifying reports. The amount will vary depending on the severity. The "Bounties" section provides a general guideline for the amounts, but final rewards may be adjusted for actual business impact. For example an SQLi for a database containing no sensitive information may be rewarded a lower amount compared to an SQLi for a database with sensitive information.
We highly value good quality, actionable reports and that’s one of the the requirements for "Exceptional" severity category.

When duplicates occur, we only award the first report.

To get an idea of how we define severities, see the following table as a guideline:

Severity Vulnerability
Exceptional A quality report that shows exceptional impact to Visma and it's customers, typically otherwise in high or critical severity category
Critical Remote Code Execution (RCE)
Critical SQL Injection (SQLi)
Critical Authentication or Authorization Bypass
High Local File Inclusion
High Account Takeover
High Mass PII Extraction
High Horizontal Privilege Escalation across customer contexts
High Vertical Privilege Escalation
Medium Insecure Direct Object Reference (IDOR)
Medium Horizontal Privilege Escalation within the same customer context
Medium Server-Side Request Forgery (SSRF)
Medium Stored Cross-Site Scripting (XSS)
Medium Cross-Site Request Forgery (CSRF)
Medium Sensitive Data Exposure
Medium Cross-Site Script Inclusion (XSSI)
Low GUID-based IDOR
Low Mass User Enumeration (without brute-forcing)
Low Reflected Cross-Site Scripting
Low DOM-based Cross-Site Scripting
Low Clear text Submission of Passwords (over HTTP)
Low Open Redirect
Low HTML content injection
Informative Non-State Changing Cross-Site Request Forgery
Informative CSV/formula injection
Informative Server Information Page
Informative User Enumeration
Out of scope Text (non-html) content injection
Out of scope Non-Sensitive Data Disclosure
Out of scope Lack of, or weak, security headers
Out of scope Flash based CSRF
Out of scope DoS & DDoS
FAQ

Where can we get credentials for the app?

You can self-register on the application, but please don’t forget to use your @intigriti.me address. For more details, please read each asset description.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
no reputation Not managed by intigriti
Researchers
last contributors
logo
logo
logo
logo
logo
logo
leaderboard
logo
Overall stats
submissions received
85
average payout
€425
accepted submissions
7
total payouts
€2,550
Last 90 day response times
avg. time first response
< 16 hours
avg. time to decide
< 3 days
Activity
8/3
Visma
closed a submission
7/31
logo
created a submission
7/28
Visma
closed a submission
7/28
Visma
closed a submission
7/27
logo
created a submission
7/26
Visma
closed a submission
7/22
logo
created a submission
7/22
Visma
closed a submission
7/21
logo
created a submission
7/19
logo
created a submission