Security Policy


ViSenze Vulnerability Disclosure Policy


Overview

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users. Consequently, we have developed and implemented the Vulnerability Disclosure Programme that is described in this Vulnerability Disclosure Policy.

Guidelines governing the Vulnerability Disclosure Programme

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and ViSenze until we’ve had 90 days to resolve the issue.


If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope of the Vulnerability Disclosure Programme

Out of scope
Any services hosted by third-party providers are excluded from the scope of the Vulnerability Disclosure Programme.

In the interest of the safety of our organisation and products at large and you as a security researcher, the following test types are excluded from the scope of the Vulnerability Disclosure Programme:

  • findings from physical testing such as office access (e.g. open doors, tailgating);
  • findings derived primarily from social engineering (e.g. phishing, vishing);
  • findings from applications or systems not listed in the ‘Scope’ section;
  • UI and UX bugs and spelling mistakes; or
  • network level Denial of Service (DoS/DDoS) vulnerabilities.

Things we do not want to receive:

  • personally identifiable information (PII) and/or personal data (as defined in the General Data Protection Regulation); and
  • credit card/payment card cardholder data.

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of ViSenze's users is likely to be in the scope of the Vulnerability Disclosure Programme. Common examples include:

  • Cross Site Request Forgery (CSRF);
  • Remote Code Execution (RCE); and
  • unauthorized access to properties or accounts.


Non-Qualifying Vulnerabilities

Depending on their impact, not all reported issues may qualify. However, all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive recognition.

Please refrain from accessing private information/PII and/or personal data, performing actions that may negatively affect ViSenze users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our Vulnerability Disclosure Programme:

  • attacks requiring physical access to a user's device or network;
  • forms missing CSRF tokens (we require evidence of actual CSRF vulnerability);
  • Login/Logout CSRF;
  • missing security headers which do not lead directly to a vulnerability;
  • use of a known-vulnerable library (without evidence of exploitability);
  • reports from automated tools or scans;
  • social engineering of ViSenze staff or contractors;
  • Denial of Service attacks;
  • mass account and file creation;
  • results acquired by large scale automated test tools;
  • not enforcing certificate pinning; and
  • use of 'weak' TLS ciphers (we have to support a broad range of (old) web browsers).

Rules

We require that all Researchers must:

  • make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing;
  • not attempt to gain access to any other person’s account, personally identifiable information (PII) and/or personal data and/or credit card information;
  • use their real email address to signup and report any vulnerability information to us;
  • keep information about any vulnerabilities they’ve discovered confidential between themselves and ViSenze; ViSenze will take a reasonable time to remedy such vulnerability (approximately 1 month as a minimum, but this is dependent on the nature of the security vulnerability and regulatory compliance by ViSenze). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform;
  • not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attacks are STRICTLY not allowed;
  • not use scanners or automated tools to find vulnerabilities (they are noisy, and we may automatically suspend your account and ban your IP address).

As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, code, among others, in connection therewith. Once you report a vulnerability, you grant ViSenze, its subsidiaries and any other affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use the information related to the vulnerabilities in any way ViSenze deems appropriate for any purpose, such as reproduction, modification, distribution and adaptation, among other uses. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by ViSenze.


To be eligible for the Vulnerability Disclosure Programme, you must not:

  • be a resident of, or make your submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
  • be in violation of any national, state, or local law or regulation, and your testing must not violate any law or disrupt or compromise any data that is not your own;
  • be employed by ViSenze or any subsidiary or other affiliate of ViSenze;
  • be an immediate family member of a person employed by ViSenze or any subsidiary or other affiliate of ViSenze; or
  • be less than 18 years of age. If you are at least 18 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the Vulnerability Disclosure Programme.

Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Please include the following information with your report:

  • a detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • your email address.

How to report a security vulnerability?
If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@visenze.com. Please include the following details with your report:

  • description of the location and potential impact of the vulnerability;
  • a detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • your name/handle and a link for recognition in our Hall of Fame.

If you’d like to encrypt the information, please use our PGP key.

Recognition – Hall of Fame Page

    • By helping ViSenze continuously keep our data secure, once the security vulnerability is verified and fixed as a result of your report, we would like to put your name on our Hall of Fame page.
    • Of course, we will need to know if you want the recognition, in which case you will be required to give us your name and Twitter handle or LinkedIn profile as you wish it to be displayed on our Hall of Fame page.
    • We currently do not offer any monetary compensation. However, we may send out ViSenze swag in some cases.

We currently do not offer any monetary compensation. Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.

We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and not to constitute offences under the Computer Misuse Act (Cap 50A) of the Republic of Singapore.

We will not bring a Digital Millennium Copyright Act (DMCA) claim or any similar claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with ViSenze’s Vulnerability Disclosure Programme, ViSenze will take steps to make it known that your actions were conducted in compliance with this policy.

Public Disclosure Policy

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

"THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO THE PUBLIC, FAILING WHICH YOU SHALL BE LIABLE FOR LEGAL PENALTIES!"

The Fine Print

We may modify the terms of the Vulnerability Disclosure Programme or terminate the Vulnerability Disclosure Programme at any time. We won’t apply any changes retroactively. ViSenze employees and their family members are not eligible for the Vulnerability Disclosure Programme.


Last Update Status: Updated February 2019