In order to gain a positive relationship and avoid misinterpretation and vagueness, we would like you to review the following program rules before you report a vulnerability. By participating in this program, you agree to respect our policy.

Program Rules

• Please do NOT publicly discuss or publish any vulnerability before it has been fixed and you have received explicit permission from us to do so. You can send us a video as proof of concept, but remember to change its privacy settings to private.
• Perform testing only on in-scope assets and respect assets and activities which are out-of-scope. If unsure or need advice, contact us at security.testing@visma.com.
• Only interact with accounts or devices you own or with explicit permission from the owner.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
• Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
• All publicly released 0 day exploits (or new published CVEs) have a blackout period of 5 business days before they will be accepted in this program.
• Provide an appropriate level of detail with reproducible steps so that the issue can be easily reproduced.
• Please include the HTTP requests/responses in the report. This will help us to search for duplicate reports using the endpoint and triage reports more effectively; include the vulnerable requests in the comment using markdown.
• Please be aware that all reports for the same endpoint - regardless the HTTP verbs used (e.g. GET, POST, PUT, DELETE) will be considered duplicates as long as the fix is not applied.We will award, of course the original report. After the fix is applied, if we still get reports, these will be triaged accordingly.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Do not attempt to execute Denial of Service attacks.

Our promise to you

• We will respond to your report as fast as we can and we aim for the following response targets:
  • Time to triage (from report submission): maximum 4 business days.
  • Time to bounty (from triage): maximum 4 business days.
  • Time to fix: 90 days.
• We are happy to respond to any questions, please use the button in the right top corner for this.
• We respect the safe harbour clause that you can find below.

Your promise to us

• Provide detailed but to-the point reproduction steps
• Include a clear attack scenario. How will this affect us exactly?
• Remember: quality over quantity!
• Please do not discuss or post vulnerabilities without our consent (including PoC's on YouTube and Vimeo, etc).

Legal

In connection with your participation in this program you agree to comply with all applicable local and national laws.
You may not participate in this program if you are currently employed or contracted by Visma.
You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.

Vulnerabilities obtained by exploiting Visma users or employees are not eligible for a bounty and will result in immediate disqualification from the program.

Visma has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Visma's customers and publicize this information on the open, public-facing Internet without customer consent, nor has Visma ever given permission for programs or data belonging to Visma to be modified or corrupted in order to extract and publicly disclose data belonging to Visma.

Visma reserves the right to change this policy at any time. You can subscribe to program updates to be notified of any changes.

We are happy to announce the launch of our Public Bug Bounty Program on Intigriti, so if you have discovered a security vulnerability, please inform us through this program and we will do our best to quickly fix it.

We plan to continuously update our scope, so keep an eye on us or subscribe to our program to receive updates.

As stated in the program description vulnerabilities in any other Visma service, product or web property outside this program's domain scope are not eligible for bounties, please report them to our Visma Responsible Disclosure program instead.

Additionally to the below general out of scopes, please make sure you always check the asset description under each domain and don't submit issues that are out of scope for those specific domains.

In general, please do not submit issues regarding:

• Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability (ie: Subdomain Takeovers without proof of actually taking over the subdomain)
• Findings from automated tools without providing a Proof of Concept
• DoS & DDoS
• Clickjacking
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Missing or weak security-related HTTP headers
• Self-XSS unless an impact is proven
• Non-Sensitive Data Disclosure, for example server version banners
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• DNSSEC
• Host header injection, unless you have confirmed that it can be exploited in a practical attack
• Metrics endpoints unless the information can be used to prove impact
• PHP Info Disclosure unless the information can be used to prove impact
• Previously known vulnerable software or libraries without a working Proof of Concept
• Password policies
• CSV/formula injection
• Flash based exploits
• Rate limiting or brute force issues on non-authentication endpoints
• User enumeration unless a list of registered users can be leaked without any kind of brute-forcing
• Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jail broken smartphones
• Google Maps API key disclosure

No impact means no bounty. We will always take into consideration the business impact and security impact when setting the final severity of the reports.

Monetary rewards will be offered for qualifying reports. The amount will vary depending on the severity. The "Bounties" section provides a general guideline for the amounts, but final rewards may be adjusted for actual business impact. For example an SQLi for a database containing no sensitive information may be rewarded a lower amount compared to an SQLi for a database with sensitive information.

We highly value good quality, actionable reports and that’s one of the the requirements for "Exceptional" severity category.

When duplicates occur, we will only accept the first report. A duplicate is a vulnerability that we are already aware of, regardless of how we first became aware of it (it could have also been discovered by us internally).

To get an idea of how we define severities, see the following table as a guideline:

Where can we get credentials for the app?

You can self-register on the application, but please don’t forget to use your @intigriti.me address. For more details, please read each asset description.