We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. Consequently, we have developed and implemented the Vulnerability Disclosure Programme that is described in this Vulnerability Disclosure Policy.
Guidelines governing the Vulnerability Disclosure Programme
We require that all researchers:
If you follow these guidelines when reporting an issue to us, we commit to:
Scope of the Vulnerability Disclosure Programme
Out of scope
Any services hosted by third-party providers are excluded from the scope of the Vulnerability Disclosure Programme.
In the interest of the safety of our organisation and products at large, and of you as a security researcher, the following test types are excluded from the scope of the Vulnerability Disclosure Programme:
Things we do not want to receive:
Qualifying Vulnerabilities
Any design or implementation issue that is reproducible and substantially affects the security of ViSenze's users is likely to be in the scope of the Vulnerability Disclosure Programme. Common examples include:
Non-Qualifying Vulnerabilities
Depending on their impact, not all reported issues may qualify. However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive recognition.
Please refrain from accessing private information/PII and/or personal data, performing actions that may negatively affect ViSenze users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our Vulnerability Disclosure Programme:
Rules
We require that all Researchers:
As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, code and other materials, in connection therewith. Once you report a vulnerability, you grant ViSenze, its subsidiaries and any other affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use the information related to the vulnerability in any way ViSenze deems appropriate for any purpose, including reproduction, modification, distribution and adaptation. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by ViSenze.
To be eligible for the Vulnerability Disclosure Programme, you must not:
Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@visenze.com. Please include the following details with your report:
If you’d like to encrypt the information, please use our PGP key.
Recognition – Hall of Fame Page
We currently do not offer any monetary compensation. Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.
Consequences of Complying with This Policy
We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and not to constitute offences under the Computer Misuse Act (Cap 50A) of the Republic of Singapore.
We will not bring a Digital Millennium Copyright Act (DMCA) claim or any similar claim against you for circumventing the technological measures we have used to protect the applications in scope.
If legal action is initiated by a third party against you and you have complied with ViSenze’s Vulnerability Disclosure Programme, ViSenze will take steps to make it known that your actions were conducted in compliance with this policy.
Public Disclosure Policy:
By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:
“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH YOU SHALL BE LIABLE FOR LEGAL PENALTIES!”
The Fine Print
We may modify the terms of the Vulnerability Disclosure Programme or terminate the Vulnerability Disclosure Programme at any time. We won’t apply any changes retroactively. ViSenze employees and their family members are not eligible for the Vulnerability Disclosure Programme.
Last Update Status: Updated February 2019