04/02/2020
Visma Bug Bounty Program

Visma delivers software that simplifies and digitizes core business processes in the private and public sector. With presence across the entire Nordic region along with Benelux, Central and Eastern Europe, we are one of Europe’s leading software companies.

Policy

Visma wants to engage with responsible security researchers around the globe to further secure our services. No code is flawless and we believe that taking part in the HackerOne community can help us improve the security of our systems.

If you have discovered a security vulnerability, please inform us through this program and we will do our best to quickly fix it.

Disclosure

We believe in transparency and will request disclosure of reports in the Hackerone platform when they have been mitigated in the production environment.

Response Targets

Visma aims to meet the following resolution times:

  • Time to triage (from report submission): 4 business days
  • Time to bounty (from triage): 4 business days
  • Time to fix: 90 days

Program Rules

In order to gain a positive relationship and avoid misinterpretation and vagueness, we would like you to review the following program rules before you report a vulnerability. By participating in this program, you agree to respect our policy.

  • Be aware of and respect HackerOne's disclosure guidelines: https://www.hackerone.com/disclosure-guidelines
  • Perform testing only on in-scope assets, and respect assets and activities which are out-of-scope
  • Please only use your @wearehackerone.com address while creating test accounts. Multiple accounts can be self created using [username]+[any_identifier]@wearehackerone.com
  • Only interact with accounts or devices you own or with explicit permission from the owner
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept
  • Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information
  • All publicly released 0 day exploits have a blackout period of 5 business days before they will be accepted in this program
  • Do not publicly discuss or publish any vulnerability before we have disclosed the report in HackerOne
  • Provide an appropriate level of detail with reproducible steps so that the issue can be reproduced
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited
  • Do not attempt to execute Denial of Service attacks

Scope

Only the assets explicitly listed are eligible for monetary rewards.

Vulnerabilities in any other Visma service, product or web property can be reported to our Responsible Disclosure Program, but those reports do not qualify for this bounty program.

Exclusions

Please do not submit issues regarding:

  • Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability
  • Findings from automated tools without providing a Proof of Concept
  • DoS & DDoS
  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Missing or weak security-related HTTP headers
  • Self-XSS
  • Non-Sensitive Data Disclosure, for example server version banners
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • DNSSEC
  • Host header injection, unless you have confirmed that it can be exploited in a practical attack
  • Previously known vulnerable software or libraries without a working Proof of Concept
  • Password policies
  • CSV/formula injection
  • Flash based exploits
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Vulnerabilities requiring MITM or physical access to a user's browser, smartphone or email account, as well as issues on rooted or jailbroken smartphones

Rewards

At Visma we understand that you want to know how much you can expect in rewards when submitting a report. Therefore we have defined a table of guaranteed minimum bounty levels for some of the most common vulnerabilities.

Severity | Vulnerability
---|---
Critical | Remote Code Execution (RCE)
Critical | SQL Injection (SQLi)
High | Local File Inclusion (LFI)
Medium | Insecure Direct Object Reference (IDOR)
Medium | Server-Side Request Forgery (SSRF)
Medium | Cross-Site Scripting (XSS)
Medium | Cross-Site Request Forgery (CSRF)
Low | Open Redirect
Low | HTML content injection

Any reports outside these categories will be triaged on a case-by-case basis by Security Analysts from Visma. The higher the impact of a vulnerability, the more valuable it is to us and the higher the severity we assign to it.

Please note that scenarios and vulnerabilities explicitly listed under ‘Exclusions’ above are not covered by the guaranteed bounty and that they will be categorically rejected.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Legal

In connection with your participation in this program you agree to comply with all applicable local and national laws.

You may not participate in this program if you are currently employed or contracted by Visma.

You may not participate in this program if you are a resident or individual located within a country appearing on any U.S. or E.U. sanctions list.

Vulnerabilities obtained by exploiting Visma users or employees are not eligible for a bounty and will result in immediate disqualification from the program.

Visma has never given permission/authorization (either implied or explicit) to an individual or group of individuals to extract personal information or content of Visma's customers and publicize this information on the open, public-facing Internet without customer consent, nor has Visma ever given permission for programs or data belonging to Visma to be modified or corrupted in order to extract and publicly disclose data belonging to Visma.

Visma reserves the right to change this policy at any time. You can subscribe to program updates to be notified of any changes.

In Scope

Scope Type | Scope Name
---|---
web_application | eaccounting.stage.vismaonline.com
web_application | https://www.visma.no/eaccounting/english/
web_application | https://vismabugbountyprod.z16.web.core.windows.net/Visma%20eA%20Bug%20Bounty%20Onboarding%20Guide.pdf
web_application | https://www.youtube.com/watch?v=kVr_CXgfhi0&t=4s
web_application | https://admin.stage.vismaonline.com/Customer/StudentSignup.aspx?country=en&uilang=en&companyId=
web_application | eaccountingprinting.stage.vismaonline.com
web_application | connect.identity.stagaws.visma.com
web_application | https://connect.identity.stagaws.visma.com
web_application | accountsettings.connect.identity.stagaws.visma.com
web_application | api.home.stag.visma.com


This program was found on HackerOne on 2020-02-04.

FireBounty © 2015-2020
