ViSenze Vulnerability Disclosure Policy

Last modified 4 June 2020

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Guidelines

We require that all researchers:

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
  • Perform research only within the scope set out below;
  • Use the identified communication channels to report vulnerability information to us; and
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and ViSenze until we’ve had 90 days to resolve the issue.

If you follow these guidelines when reporting an issue to us, we commit to:

  • Not pursue or support any legal action related to your research;
  • Work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission);
  • Recognize your contribution on our Security Researcher Hall of Fame, if you are the first to report the issue and we make a code or configuration change based on the issue.

Scope

Out of Scope

Any services hosted by 3rd party providers and services are excluded from scope. These services include:

  • Cloud providers’ services (AWS, GCP)
  • Any other 3rd Party Services (Hubspot etc.)

In the interest of the safety of our organisation and products at large and you as a security researcher, the following test types are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating)
  • Findings derived primarily from social engineering (e.g. phishing, vishing)
  • Findings from applications or systems not listed in the ‘Scope’ section
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities

Things we do not want to receive:

  • Personally identifiable information (PII)
  • Credit card holder data

Qualifying Vulnerabilities

Any design or implementation issue that is reproducible and substantially affects the security of VISENZE’s users is likely to be in scope for the program. Common examples include:

  • Cross Site Request Forgery (CSRF).
  • Remote Code Execution (RCE).
  • Unauthorized Access to Properties or Accounts.

Non-Qualifying Vulnerabilities

Depending on their impact, not all reported issues may qualify. However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive recognition.

Please refrain from accessing private information, performing actions that may negatively affect VISENZE users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program:

  • Attacks requiring physical access to a user’s device or network
  • Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
  • Login/Logout CSRF
  • Missing security headers which do not lead directly to a vulnerability
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Reports from automated tools or scans
  • Social engineering of VISENZE staff or contractors
  • Denial of Service attacks
  • Mass account and file creation
  • Results acquired by large scale automated test tools
  • Not enforcing certificate pinning
  • Use of ‘weak’ TLS ciphers (we have to support a broad range of (old) web browsers)

Rules

We require that all Researchers must:

  • Make every effort to avoid privacy violations, degradation of user or merchant experience, disruption to production systems, and destruction of data during security testing
  • Not attempt to gain access to any other persons account, data or personal information
  • Use their real email address to signup and report any vulnerability information to us
  • Keep information about any vulnerabilities you’ve discovered confidential between yourself and ViSenze. Visenze will take a reasonable time to remedy such vulnerability (approximately 1 month as a minimum but this is dependent on the nature of the security vulnerability and regulatory compliance by Visenze). The Researcher shall not publicly disclose the bug or vulnerability on any online or physical platform.
  • Not perform any attack that could harm the reliability, integrity and capacity of our Services. DDoS/spam attacks are STRICTLY not allowed
  • Not use scanners or automated tools to find vulnerabilities (noisy and we may automatically suspend your account and ban your IP address)
  • As a Researcher, you represent and warrant that you have the right, title and interest to disclose any vulnerability found and to submit any information, including documents, codes, among others, in connection therewith. Once you inform a vulnerability, you grant Visenze, its subsidiaries and affiliates an irrevocable, worldwide, royalty-free, transferable, sublicensable right to use in any way Visenze deems appropriate for any purpose, such as: reproduction, modification, distribution, adaptation among other uses, the information related with the vulnerabilities. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure accepted by Visenze.

To be eligible for the Program, you must not:

  • Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan, and Syria);
  • Be in violation of any national, state, or local law or regulation and your testing must not violate any law, or disrupt or compromise any data that is not your own
  • Be employed by ViSenze or affiliates;
  • Be an immediate family member of a person employed by ViSenze or affiliates; or
  • Be under 18 years of age. If you are at least 18 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program

Remember that you must never attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Please include the following information with your report:

  • Detailed description of the steps required to help us reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
  • Your email address

How to report a security vulnerability?

If you believe you’ve found a security vulnerability in one of our products or platforms please send it to us by emailing security@visenze.com. Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in our Hall of Fame

If you’d like to encrypt the information, please use our PGP key.

Recognition – Hall of Fame Page

  • By helping Visenze continuously keep our data secure, once the security vulnerability is verified and fixed as a result of report, we would like to put your name on our Hall of Fame page.
  • Of course, we will need to know if you want the recognition, in which case you will be required to give us your name and Twitter handle, LinkedIn Profile as you wish it to be displayed on our Hall of Fame page.

We do not offer any cash reward or financial incentive of any kind for the detection and/or resolution of the validated vulnerability.

Requests or demands for monetary compensation in connection with any identified or alleged vulnerability are non-compliant with this Responsible Disclosure Policy.

Consequences of Complying with This Policy

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act. We will not bring a DMCA claim against you for circumventing the technological measures we have used to protect the applications in scope.

If legal action is initiated by a third party against you and you have complied with Visenze’s VDP, Visenze will take steps to make it known that your actions were conducted in compliance with this policy.

Please note that ViSenze does not and will not in any way:

  • Accord or provide you with any kind of exemption, immunity, indemnity or shield from civil or criminal liability (if any) under applicable laws and regulations
  • Be liable for any expense, damage or loss of any kind which you may incur due to any action taken or not taken by us in relation to any suspected vulnerability you may report
  • Accept or assume any responsibility for the contents of any suspected vulnerability report submitted by you, nor shall our acknowledgment or processing of such report constitute any kind of acceptance or endorsement of the contents therein
  • Be obliged to consult you for any media or public statement that we and/or any stakeholders may decide to publish or release in relation to the suspected or validated vulnerability

Public Disclosure Policy:

By default, this program is in “PUBLIC NONDISCLOSURE” mode which means:

“THIS PROGRAM DOES NOT ALLOW PUBLIC DISCLOSURE. ONE SHOULD NOT RELEASE THE INFORMATION ABOUT VULNERABILITIES FOUND IN THIS PROGRAM TO PUBLIC, FAILING WHICH SHALL BE LIABLE FOR LEGAL PENALTIES!”

The Fine Print

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Visenze employees and their family members are not eligible for bounties.