To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, by participating in this program, you agree to the following program rules.

Program Rules

• Play by the rules. This includes following this policy, as well as any other relevant agreements. If there is any inconsistency between this policy and any other relevant terms, the terms of this policy will prevail.
• Respect the Community Code of Conduct
• Respect the Intigriti Terms and Conditions
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
• Not discuss or disclose vulnerability information without prior written consent (including PoC's on YouTube and Vimeo)
• Only interact with accounts or devices you own or with explicit permission from the owner.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. If unsure or need advice, contact us at security.testing@visma.com.
• If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept.
• Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
• Do not attempt to execute Denial of Service attacks.
• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Report any vulnerability you’ve discovered promptly.
• Do not engage in extortion by demanding a reward before disclosing vulnerability details.
• Use only the Official Channels to discuss vulnerability information with us.

Expectations

When working with us according to this policy, you can expect us to:

• Extend Safe Harbor for your vulnerability research that is related to this policy
• Work with you to understand and validate your report, including a initial response to the submission within 12 business hours
• Work to remediate discovered vulnerabilities in a timely manner

This program covers all Visma services, products or web properties.

Please note! Most reports we receive have little or no security impact or are already known. To avoid a disappointing experience when reporting us, please take a moment and consider if the issue you want to report actually has a realistic attack scenario.

We ask you to not submit issues regarding:

• Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability ((ie: Subdomain Takeovers without proof of actually taking over the subdomain).
• Findings from automated tools without providing a Proof of Concept.
• Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones.
• Missing or weak security-related HTTP headers.
• Non-Sensitive Data Disclosure, for example server version banners.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Self-XSS.
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Host header injection, unless you have confirmed that it can be exploited in a practical attack.
• Expired SSL certificates, weak SSL Ciphers, or issues regarding old TLS/SSL versions.
• Previously known vulnerable software or libraries without a working Proof of Concept.
• Metrics endpoints unless the information can be used to prove impact
• PHP Info Disclosure unless the information can be used to prove impact
• Rate limiting or bruteforce issues on non-authentication endpoints.
• Denial of Service.
• CSV/formula injection.
• Flash based exploits.
• Clickjacking.
• Google Maps API key disclosure.

We will always take into consideration the business impact and security impact when setting the final severity of the reports, so in case there's no impact, the report will not be accepted.

When duplicates occur, we will only accept the first report. A duplicate is a vulnerability that we are already aware of, regardless of how we first became aware of it (it could have also been discovered by us internally).

To get an idea of how we define severities, see the following table as a guideline, but please know that the severity may be adjusted depending on the actual business impact:

Where can we get credentials for the app?

No credentials provided for this program. In case you register accounts, please use your @intigriti.me address so that we can track researchers in our production environments.