VFS Global Bug Bounty Program

VFS Global

VFS Global is the world's largest visa outsourcing and technology services specialist for governments and diplomatic missions worldwide. The company manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments. This enables them to focus entirely on the critical task of assessment.

Program Rules

At VFS Global, we recognize the important role that security researchers play in helping to keep VFS Global sites and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

Denial of service (DoS) attacks on VFS Global applications, servers, networks or infrastructure are strictly forbidden.
Avoid tests that could cause degradation or interruption of our services.
Do not use automated scanners or tools that generate large amount of network traffic.
Only perform tests against your own accounts to protect our users' privacy.
Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
Do not copy any files from our applications/servers and disclose them.
No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Guidelines

We would be focusing on vulnerabilities of practical impacts that we would rate as CRITICAL (max $1500):

Leak / Dump of visa applicant PII data.
Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for visa appointment, such that all the available time slots can be blocked, and real users are denied of making an appointment.
Researchers are encouraged to identify issues in our applications which will allow them to tamper / change the applicant name while rescheduling an appointment. For e.x an appointment has been booked in one person’s name but during rescheduling, the name is changed to some other person’s name. Such issues identified would be eligible for a bounty amount of USD 2000.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of VFS Global, however only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below).
The report must contain the following elements:
- Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and VFS Global, and remediation advice on fixing the vulnerability
- Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
- Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
You must not break any of the testing policy rules listed above
You must not be a former or current employee of VFS Global or one of its contractors.
Refrain from uploading any POC videos through youtube and provide a secure download link for us to access/download it instead. Failure to comply to this may result in ineligibility for a reward.

Reward amounts are based on:

Reward grid of the report's scope
CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Additional reward guideline

We are interested in vulnerabilities of practical impacts.
The below scenario could make your report qualified for a higher Critical reward (up to $1500):

Leak / Dump of visa applicant PII data.
Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for visa appointment, such that all the available time slots can be blocked, and real users are denied of making an appointment.
Researchers are encouraged to identify issues in our applications which will allow them to tamper / change the applicant name while rescheduling an appointment. For e.x an appointment has been booked in one person’s name but during rescheduling, the name is changed to some other person’s name. Such issues identified would be eligible for a bounty amount of USD 1,000+.

For other findings such as payment tampering / bypass, login bypass / access control issues, where there is no or less significant impact to VFS as compared to above, then the bounty amount will be up to 700 USD.

VFS retains the sole authority to determine and reward accordingly to our analysis.

Notes on Vulnerabilities

Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information will usually be rewarded as High/Critical depending on the extent of data leaked.
- Note: In findings where the researcher claims he/she can get access to another applicant data, only findings where the researcher has no knowledge of the other applicant related information and was able to successfully to get access to the same by any other means (for e.x. brute force / parameter tampering / data manipulation, etc.) will be considered as valid.
- If the researcher creates 2 applicants and from one applicant login, he/she was able to get access to another applicant data (since he/she was aware of the same) will not be counted as a valid finding.
- Scripts that can automate the completion of the user registration flow are of interest to us, and will be rewarded as High/Critical. To clarify, the user registration flow includes booking a time slot for visa appointment, such that all the available time slots can be consumed, and real users are denied of making an appointment.
The triage team will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the others weakness, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. In any case, all reports will be reviewed edge by edge.`

Reward Grid(s)

Critical

Rating	CVSS score	Bounty
None	0.0	No bounty
Low	0.1 - 3.9	$50
Medium	4.0 - 6.9	$100 - 300
High	7.0 - 8.9	$400 – 800
Critical	9.0 - 10.0	$1000 - 1500

In Scope

Scope Type	Scope Name
web_application	*.vfsglobal.(com\|co.uk\|ca)
web_application	www.vfsvisaonline.com
web_application	www.dvpc.net
web_application	www.vfsvisaservicesrussia.com
web_application	biometservices.com
web_application	agents.tasheer.com
web_application	*.vfsevisa.com
web_application	https://gaadmin.vfsglobal.com/GlobalAdmin/
web_application	https://gaadmin.vfsglobal.com/Global-Admin/
web_application	https://rusadminappt.vfsglobal.com/Global-Admin/
web_application	https://gaadmin.vfsglobal.com/AustraliaApptAdmin/
web_application	https://gaadmin.vfsglobal.com/GAR1Ph1ApptAdmin/
web_application	https://onlinena.vfsglobal.dz/AppointmentAdmin/
web_application	https://gaadmin.vfsglobal.com/DHAAppointmentAdmin
web_application	https://equatorialguinea-evisa.com
web_application	https://online.srilankaevisa.lk/lka/en/login
web_application	https://online.mustaqel.qa/qat/en/login
web_application	https://appointment.vfsglobal.com.dz/forms/FRDZ/
web_application	https://www.vfsvisaservice.com/
web_application	https://indonesiavoa.vfsevisa.id/
web_application	https://vfs.mioot.com/
web_application	https://vfseu.mioot.com/
web_application	https://www.vfsglobalservices-germany.com/Global-Appointment/
web_application	https://www.vfsvisaservice.com/IHC-SouthKorea-Appointment
web_application	https://vc.tasheer.com/
web_application	*.vfsglobal.by
web_application	*. vfsevisa.id
web_application	*.onevasco.com
web_application	*.vascoworldwide.net
web_application	*.directverify.in
web_application	*.docswallet.com

Out of Scope

Scope Type	Scope Name
undefined	All other VFS assets that are not listed above as in scope are automatically out of scope
web_application	https://india-usa.vfsglobal.com
web_application	https://vire.vfsglobal.com
web_application	vfsglobal.com.ru
web_application	myeasydocs.co.il
web_application	nssr-7.vfsglobal.com
web_application	https://uat-lift.vfsglobal.com/_angular/main.8dbd1aa97c38b188.js?v=6.0.29
web_application	https://liftassets.vfsglobal.com/_nuxt/46217fc777819548fddb.js
web_application	https://ukvitest.vfsglobal.com/_angular/main.3ca04c44a2718f71.js?v=1.0.22
web_application	https://online.vfsevisa.com/main-es2015.521ef2e1d9f68fd1bb90.js
web_application	https://online.vfsevisa.com/main-es5.521ef2e1d9f68fd1bb90.js?v=3.1.6
web_application	https://portal.vfsevisa.com/main-es2015.987b1b526aa8041bfdee.js
web_application	https://portal.vfsevisa.com/main-es5.987b1b526aa8041bfdee.js?v=3.1.6
web_application	https://uat-lift.vfsglobal.com/_angular/main.c05c54e8703c3a9f.js?v=6.0.36
web_application	https://online.vfsevisa.com/main-es2015.6d514e86ec7c6492aafc.js?v=3.1.2
web_application	https://portal.vfsevisa.com/main-es2015.7857657af609ca5e4bc5.js?v=3.1.4
web_application	https://egonline.vfsevisa.com/main-es2015.c7bb991442356b23f23e.js?v=3.1.3

Firebounty have crawled on 2022-12-05 the program VFS Global Bug Bounty Program on the platform Yeswehack.