Description

Visma delivers software that simplifies and digitizes core business processes in the private and public sector. With presence across the entire Nordic region along with Benelux, Central and Eastern Europe, we are one of Europe’s leading software companies. We want to engage with responsible security researchers around the globe to further secure our services. No code is flawless and we believe that taking part in the Intigriti community can help us improve the security of our systems.

Bounties
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 9.4
Exceptional
9.5 - 10.0
Tier 2
100
250
1,000
3,000
7,500
Tier 2
€100 - €7,500
Rules of engagement
Required
User-Agent: Intigriti-<username>- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
max. 20 requests/sec
X-Bug-Bounty: Intigriti-<username>

In order to gain a positive relationship and avoid misinterpretation and vagueness, we would like you to review the following program rules before you report a vulnerability. By participating in this program, you agree to respect our policy.

Program Rules

  • Please do NOT publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so. You can send us a video as proof of concept, but remember to change its privacy settings to private.
  • Perform testing only on in-scope assets and respect assets and activities which are out-of-scope. If unsure or need advice, contact us at security.testing@visma.com.
  • Only interact with accounts or devices you own or with explicit permission from the owner.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • All publicly released 0 day exploits (or new published CVEs) have a blackout period of 5 business days before they will be accepted in this program.
  • Provide an appropriate level of detail with reproducible steps so that the issue can be easily reproduced.
  • Please include the HTTP requests/responses in the report. This will help us to search for duplicate reports using the endpoint and triage reports more effectively; include the vulnerable requests in the comment using markdown.
  • Please be aware that all reports for the same endpoint - regardless the HTTP verbs used (e.g. GET, POST, PUT, DELETE) will be considered duplicates as long as the fix is not applied.We will award, of course the original report. After the fix is applied, if we still get reports, these will be triaged accordingly.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Do not attempt to execute Denial of Service attacks.

Our promise to you

  • We will respond to your report as fast as we can and we aim for the following response targets:
    • Time to triage (from report submission): maximum 4 business days.
    • Time to bounty (from triage): maximum 4 business days.
    • Time to fix: 90 days.
  • We are happy to respond to any questions, please use the button in the right top corner for this.
  • We respect the safe harbour clause that you can find below.

Your promise to us

  • Provide detailed but to-the point reproduction steps
  • Include a clear attack scenario. How will this affect us exactly?
  • Remember: quality over quantity!
  • Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo, etc).

Legal

In connection with your participation in this program you agree to comply with all applicable local and national laws.
You may not participate in this program if you are currently employed or contracted by Visma.
You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.

Vulnerabilities obtained by exploiting Visma users or employees are not eligible for a bounty and will result in immediate disqualification from the program.

Visma has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Visma's customers and publicize this information on the open, public-facing Internet without customer consent, nor has Visma ever given permission for programs or data belonging to Visma to be modified or corrupted in order to extract and publicly disclose data belonging to Visma.

Visma reserves the right to change this policy at any time. You can subscribe to program updates to be notified of any changes.

Domains
iOS

Visma Scanner
Visma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.
The iOS version of the app can be found here:
https://apps.apple.com/us/app/visma-scanner/id564141518
Please read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-iMXxOpXkhOlTBUQtXfyA-getting-started.pdf

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc)
  • Private screen exposure in the app
  • Stack traces from api calls
  • Jailbroken devices is out of scope
  • All options for login are out of scope, except eAccounting (please see details in the "Getting Started instructions document"

Connect
See instructions for domain "connect.identity.stagaws.visma.com".

Out of scope:

  • Session invalidation after enabling 2FA - by design intended to work like this

Visma Online
This is the old interface for the customer's administrators to administrate the company, where we still have some functionality that has not been moved to the new interface. For example invoicing information and everything regarding collaborations with AO. The collaboration part is out of scope as long as the use of student companies.
Please read the Getting Started Instructions in the "myservices.stage.vismaonline.com" asset description.

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).
  • The collaboration part is out of scope as long as the use of student companies. Collaboration is between Accounting Office and Client

AutoInvoice

This is the main UI for Visma AutoInvoice. AutoInvoice is Visma's automated and fully ERP integrated service for sending, receiving and handling invoices. AutoInvoice converts and exchanges electronic invoices, optionally prints invoices that can't be sent electronically, receives and interpret PDF invoices and offers services for scanning and interpretation of paper invoices. AutoInvoice handles both Business to Business (B2B) and Business to Consumer (B2C) invoices.

Uses partially the embeddable user interface from autointerface-embeddable-stage.maventa.com

Create a test account on https://ai-testing.maventa.com/registrations, or use one of the demo accounts in the getting started instructions below:
https://vismabugbountyprod.z16.web.core.windows.net/VismaAutoinvoice-tHNjPCTbrmGiPY5y0xr8-getting-started.pdf

Out of scope or works as expected (accepted risk):

  • adding users to your own company without consent
  • language change CSRF
  • application level DOS from /gdpr endpoint
  • duplicate BID/organization number check on registration can be circumvented by race condition (e.g. open two accounts with same BID/org number at same time)
  • IDOR to delete Invoice ID's belonging to different companies by using GDPR removal form (background job checks the right to delete invoices)
  • Hyperlink Injection via emails while adding users to your company
  • User Enumeration via Timing Discrepancy while registering new users
  • Logout CSRF

Note! ai-testing.maventa.com and testing.maventa.com point to the same application but have different branding on the UI. Authentication to the user interface is handled using the Visma Connect service.

AI Assistant

The AI Assistant is a AI bot that answers support questions based on public product documentation for Visma Spcs products like Visma eAccounting and Visma Advisor.

You need to register an user to test this system. The sign-up up process is described in this document:

https://vismabugbountyprod.z16.web.core.windows.net/Visma-eAccounting-1GWFyEopW9dTKsGYM3FJ-getting-started.pdf

This video also shows the entire setup (only Swedish audio) https://www.youtube.com/watch?v=kVr_CXgfhi0&t=4s

TLDR: Goto https://admin.stage.vismaonline.com/Customer/StudentSignup.aspx and sign up with the training code "04h2v"

Out of Scope

  • HTML injection, the AI Assistant should be able to output HTML to the chat window.
  • functionalities that belong to other applications that AI Assistant is integrated with (e.g. Visma Advisor or other Visma SPCS products).
URL

Dinero
This is Dinero's Public API.See instructions for "app.workbox.dk"

URL

Dinero
Dinero is an accounting software for sole traders and micro businesses based out of Denmark. Our only target group is danish companies and therefore the interface is in danish only. The application is a SaaS application hosted in the cloud and consists of a main application and a number of supportive microservices.

See the getting started document here: https://vismabugbountyprod.z16.web.core.windows.net/VismaDinero-37UeRwujIXh7r9n3Wol6-getting-started.pdf

Out of scope:

  • Issues related to login /user creation / forgot-password and /profile page
  • The Cookie ".AspNet.Cookies" is not set with HttpOnly which is a known vulnerability - please do not report it.
  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).
  • Getting access to Pro features as Free user.

Dinero
Used for Authorization (OAuth). See instructions for "app.workbox.dk"

AutoInvoice
See instructions for domain 'ai-testing.maventa.com' to get user credentials.

The same resource can be accessed through the URL autointerface-embeddable-stage.maventa.com

All data processing is done through the REST API at ax-stage.maventa.com

Out of scope or works as expected (accepted risk):

  • Clickjacking is out of scope for this asset since it is designed to be framed (embedded) in other 3rd party services.
  • Regular users are allowed to view certain admin settings pages (but not allowed to edit the settings)

AutoInvoice
https://ax-stage.maventa.com is a REST API connected to Visma AutoInvoice.

API documentation is available on https://documentation.maventa.com/rest-api/ and https://ax-stage.maventa.com/swagger/#/

See instructions for domain 'ai-testing.maventa.com' to get user credentials.

Out of scope or works as expected (accepted risk):

  • Regular users are allowed to read certain company settings even though they are not perhaps visible in the UI (but they are not allowed to edit the settings)
Android

Visma Scanner
Visma Scanner is a mobile app used for sending receipts and invoices to your Visma accounting system.
The Andriod version of the app can be found here:
https://play.google.com/store/apps/details?id=com.visma.blue&hl=en
Please read and follow the steps in the Startup guide to create an account and start hacking: https://vismabugbountyprod.z16.web.core.windows.net/VismaScanner-iMXxOpXkhOlTBUQtXfyA-getting-started.pdf

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc)
  • Private screen exposure in the app
  • Stack traces from api calls
  • Jailbroken devices is out of scope
  • All options for login are out of scope, except eAccounting (please see details in the "Getting Started instructions document"

Connect
Visma Connect is featurewise a small but critical component in the Visma portfolio. It is a single sign-on solution used by many Visma services. It is also the place where users manage security preferences such as passwords, MFA, 2FA, email and other account settings.

User accounts for testing can be created on https://connect.identity.stagaws.visma.com (this signup flow is not available in production).

The test accounts will not have access to any other services right now, so testing is limited to the login portal itself.

Out of scope:

  • Session invalidation after enabling 2FA - by design intended to work like this.

eAccounting
This is "Visma eAccounting" (aka Visma eEkonomi / Visma ePasseli) which is an ERP system available in Sweden, Norway, Finland and The Netherlands.

We've added into scope also the eEkonomi "Visma Lön Smart" which is a subservice of eAccounting. This can be found after you activate your account (check out the instructions bellow).

You can read more on https://www.visma.no/eaccounting/english/

You need to register an user to test this system. The sign-up up process is described in this document:
https://vismabugbountyprod.z16.web.core.windows.net/Visma-eAccounting-1GWFyEopW9dTKsGYM3FJ-getting-started.pdf

This video also shows the entire setup (only Swedish audio) https://www.youtube.com/watch?v=kVr_CXgfhi0&t=4s

TLDR: Goto https://admin.stage.vismaonline.com/Customer/StudentSignup.aspx and sign up with the training code "04h2v"

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).

  • Modification of gray-out fields when logged in with an admin account.

  • Improper access control: manipulation of the message conversation by members that have no permission (edit subject, join thread conversation, closing the conversation).

  • Email phishing

  • PDF injection

  • Permissions for Lön Smart (the permissions in eAccounting don´t apply at all for Lön Smart).

  • Possibility to create Orders and Quotes with amount 0€

  • Race Condition in article stock limits

  • We plan to fix all server-side validation for all tabs mentioned below. All these are under Lön Smart in eAccounting. So until all fixes are applied the following will remain out of scope:

    • Fix server-side validation for tab Basic Information on Employee
    • Fix server-side validation for tab Employment on Employee
    • Fix server-side validation for tab Pay on Employee
    • Fix server-side validation for tab Taxes on Employee
    • Fix server-side validation for tab Holiday on Employee
    • Fix server-side validation for tab Reporting on Employee
    • Fix server-side validation for tab Payslip on Employee
    • Fix server-side validation for tab Input values on Employee
    • Fix server-side validation for tab Pay and payments in payroll settings
    • Fix server-side validation for tab Holiday in payroll settings
    • Fix server-side validation for tab Accounting in payroll settings
    • Fix server-side validation for tab Work schedules in payroll settings
    • Fix server-side validation for tab Agreements in payroll settings
    • Fix server-side validation for tab Paycodes in payroll settings
    • Fix server-side validation for tab Shortcuts in payroll settings

eAccounting
You reach this asset by creating and viewing a report under the Accounting/Reports menu as a logged on user in asset "eaccounting.stage.vismaonline.com"

Visma Online
Visma Connect is used as identity provider, but an own identity server is used to provide JWT tokens that are used by MyServices (and others).
Please read the Getting Started instructions document in the "myservices.stage.vismaonline.com" asset description.

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).

Visma Online
This is the API behind "myservices.stage.vismaonline.com".
Please read the Getting Started instructions document in the asset description "myservices.stage.vismaonline.com".

Visma Online
This is an interface where the customer's users can access all their services, and customer's administrators can manage users on the company and manage users' access to services that the company has.
More information about the service and test accounts creation can be found here:
https://vismabugbountyprod.z16.web.core.windows.net/VismaOnline-9Jn9Xh382zaQsQ8IqT2x-getting-started.pdf

Out of scope:

  • Session invalidation issues (e.g. logout, password change, email change, role change, user deletion, etc).

Visma Developer Portal
Visma Developer Portal is used both internally and externally by developers for registering OAuth 2.0/OpenID Connect applications for Single-Sign-On with Visma (Visma Connect) and/or API integration.

Existing Visma Connect users accounts can be used for testing. We also allow registration of new users if needed.

Users need to register an organization as part of the sign-in or to be added (invite) to an existing organization by organization's manager. The user which registers the organization also gets manager role assigned.

Each organization has its own set of OAuth 2.0/OpenID Connect applications.

Please read the Getting Started Instructions here: https://vismabugbountyprod.z16.web.core.windows.net/VismaDeveloperPortal-Ze8WD6GFaIFdLvE2ekbN-getting-started.pdf

Out of scope:

  • session invalidation across browsers/devices - this is how it is intended to work by design
  • issues related to other APIs except DevPortal Bug Bounty Interactive and DevPortal Bug Bounty Non-Interactive

AutoInvoice
https://testing.maventa.com/apis/v1.1/wsdl is a SOAP API connected to Visma AutoInvoice.

API documentation is available on https://documentation.maventa.com/soap-api/

See instructions for domain 'ai-testing.maventa.com' to get user credentials.

In scope

**Thank you all for this year dear colleagues and hackers! We’ve had an epic year with almost 2600 vulnerabilities reported (last 365 days), of which 96 reports were exceptional or critical, wow!

Big thanks to all of our amazing hackers doing an incredible job making Visma more secure! From the bottom of our hearts, we appreciate you.

With that said, it is time for us to gear up for the holiday season and take some rest from this hectic year, with that, we will suspend this program soon for the remainder of the year and be back next year stronger than ever!

Enjoy the holiday season and see you next year,
With love, Visma Security Team**


We are happy to announce the launch of our Public Bug Bounty Program on Intigriti, so if you have discovered a security vulnerability, please inform us through this program and we will do our best to quickly fix it.

Only the assets explicitly listed above are eligible for monetary rewards.

Vulnerabilities in any other Visma service, product or web property can be reported to our Visma Responsible Disclosure program, but those reports do not qualify for this Bug Bounty Program.

We plan to continuously update our scope, so keep an eye on us or subscribe to our program to receive updates.

Out of scope

Additionally to the bellow general out of scopes, please make sure you always check the asset description under each domain and don't submit issues that are out of scope for those specific domains.

In general, please do not submit issues regarding:

  • Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability (ie: Subdomain Takeovers without proof of actually taking over the subdomain)
  • Findings from automated tools without providing a Proof of Concept
  • DoS & DDoS
  • Clickjacking
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Missing or weak security-related HTTP headers
  • Self-XSS unless an impact is proven
  • Non-Sensitive Data Disclosure, for example server version banners
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • DNSSEC
  • Host header injection, unless you have confirmed that it can be exploited in a practical attack
  • Metrics endpoints unless the information can be used to prove impact
  • Previously known vulnerable software or libraries without a working Proof of Concept
  • Password policies
  • CSV/formula injection
  • Flash based exploits
  • Rate limiting or brute force issues on non-authentication endpoints
  • User enumeration unless a list of registered users can be leaked without any kind of brute-forcing
  • Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jail broken smartphones
  • Google Maps API key disclosure
Severity assessment

No impact means no bounty. We will always take into consideration the business impact and security impact when setting the final severity of the reports.
Monetary rewards will be offered for qualifying reports. The amount will vary depending on the severity. The "Bounties" section provides a general guideline for the amounts, but final rewards may be adjusted for actual business impact. For example an SQLi for a database containing no sensitive information may be rewarded a lower amount compared to an SQLi for a database with sensitive information.

We highly value good quality, actionable reports and that’s one of the the requirements for "Exceptional" severity category.

When duplicates occur, we will only accept the first report. A duplicate is a vulnerability that we are already aware of, regardless of how we first became aware of it (it could have also been discovered by us internally).

To get an idea of how we define severities, see the following table as a guideline:

Severity Vulnerability
Exceptional A quality report that shows exceptional impact to Visma and it's customers, typically otherwise in high or critical severity category
Critical Remote Code Execution (RCE)
Critical SQL Injection (SQLi)
Critical Authentication or Authorization Bypass
High Local File Inclusion
High Account Takeover
High Mass PII Extraction
High Horizontal Privilege Escalation across customer contexts
High Vertical Privilege Escalation
High XML External Entity Injection (XXE)
Medium Insecure Direct Object Reference (IDOR)
Medium Horizontal Privilege Escalation within the same customer context
Medium Server-Side Request Forgery (SSRF)
Medium Reflected Cross-Site Scripting
Medium Stored Cross-Site Scripting (XSS)
Medium DOM-based Cross-Site Scripting
Medium Cross-Site Request Forgery (CSRF)
Medium Sensitive Data Exposure
Medium Cross-Site Script Inclusion (XSSI)
Low GUID-based IDOR
Low Mass User Enumeration (without brute-forcing)
Low Clear text Submission of Passwords (over HTTP)
Low Open Redirect
Low HTML content injection
Low Broken Link Hijacking
Low PHP Info Disclosure
Low Rate limit issues on authentication endpoints
Informative Non-State Changing Cross-Site Request Forgery
Informative CSV/formula injection
Informative Server Information Page
Informative User Enumeration including WordPress Mass User Enumeration
Out of scope Text (non-html) content injection
Out of scope Non-Sensitive Data Disclosure
Out of scope Lack of, or weak, security headers
Out of scope Flash based CSRF
Out of scope DoS & DDoS
FAQ

Where can we get credentials for the app?

You can self-register on the application, but please don’t forget to use your @intigriti.me address. For more details, please read each asset description.

All aboard!
Please log in or sign up on the platform

For obvious reasons we can only allow submissions or applications for our program with a valid Intigriti account.

It will only take 2 minutes to create a new one or even less to log in with an existing account, so don't hesitate and let's get started. We would be thrilled to have you as part of our community.

Program specifics
Not managed by Intigriti
Overall stats
submissions received
769
average payout
€386
accepted submissions
218
total payouts
€80,950
Last 90 day response times
avg. time first response
< 24 hours
avg. time to decide
< 6 days
Activity
12/9
Visma
closed a submission
12/8
logo
muhammadwaseem
created a submission
11/29
Visma
closed a submission
11/29
logo
lamscun
created a submission
11/28
Visma
closed a submission
11/28
Visma
closed a submission
11/28
Visma
closed a submission
11/28
Visma
closed a submission
11/28
Visma
closed a submission
11/28
Visma
closed a submission