Responsible disclosure policy

Vipps greatly appreciates input from security researchers wanting to help. We encourage responsible vulnerability research and disclosure. If you discover a vulnerability in any of our systems, please let us know about it so we can address it as quickly as possible.

Vulnerability related information

1. Product or service in which the vulnerability is found: product or service name, product or service URL, version and deviation from standard configuration.
2. Anomalous behavior caused by the vulnerability.
3. Procedure for reproduction of the vulnerable condition.
4. Probability of the reproduction, choose one from the following three: Always, Often or Rarely.
5. Possible threat caused by the vulnerability.

  • Workaround.
  • PoC (Proof of Concept) code.
  • Other comments from the reporter (including severity assessment)
  • Describe the specific impact and how you would envision it being used in an attack scenario.
  • Do you believe the vulnerability is being exploited? Yes/No
  • Is an exploit publicly available? Yes/No

Scope

Any of Vipps' services, products or web properties are in scope.
The following issues are currently considered out of scope:

  • Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests).
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities requiring MITM, or physical access to a user's device or account.
  • Self-XSS.
  • Social engineering and physical security attacks.
  • Brute force attacks.
  • SSL/TLS configuration weaknesses.
  • CSV/formula injection.
  • Clickjacking and other issues only exploitable through clickjacking.
  • Spoofing attacks.

Bug Bounty

We currently do not offer a public paid bug bounty program. However, we do offer tokens of appreciation when certain thresholds for reported findings are met. Reporters that qualify for a reward will be offered a special Vipps reward.

Phishing

If you want to report cases of suspicious emails that seem to be coming from Vipps, please forward them to phishing@vipps.no. If you have any questions or comments about the reporting process, please use our Contact Form.

Ground Rules

We will not take legal action against security researchers reporting their findings in a responsible manner to us or our Customer Service Center by following the instructions in this document. We ask you to:

  • Play by the rules and follow our Disclosure Policy.
  • Do not violate the privacy of others by e.g. sharing or not properly securing data.
  • Never attempt to gain access to another user’s account or data.
  • Promptly report any vulnerabilities you find to us as described in this document.
  • Do not disclose any vulnerabilities or associated details to anyone other than your dedicated Vipps security analyst.
  • Allow our security team reasonable time to resolve the issue.


Feedback: If you want to give feedback or suggestions to this policy, submit your feedback to our Contact Form. We are continually improving this policy and appreciate your input.
