Responsible disclosure policy
Reporting a vulnerability
If you have discovered an issue you want to report, please do the following:
- Email your findings to responsible-disclosure@vipps.no, encrypt the email to protect the content.
- We prefer encryption with PGP, you can find our PGP key on the bottom of the page.
- Include details of what the issue is, how you discovered it, and attach any screenshots and such if possible.
- Ensure you give enough details for us to reproduce the issue.
- Please do not take advantage of the vulnerability you have found.
- Please do not disclose the vulnerability to others until it is resolved.
Reward eligibility
Reports need to meet the following criteria to qualify for a reward:
- Severity medium or above (severity is to be determined by Vipps security team).
- Our security team is able to reproduce and verify the issue.
- The issue is not previously known or already reported.
- Security researchers that has spent a lot of time and effort to investigate and report to us may also be rewarded as we do want to recognize their work.
What to expect
When reporting issues and communicating with us, you can expect us to:
- Send you an automatic confirmation that we have received your report.
- Give you a manual answer within a reasonable time, and at the latest within a business week.
- Work with you to understand and validate the issue.
- Handle your report in a confidential and secure manner.
- Recognize your effort to help us improve security in Vipps.
Vulnerability related information
1. Product or service in which the vulnerability is found: product or service name, product or service URL, version and deviation from standard configuration
2. Anomalous behavior caused by the vulnerability.
3. Procedure for reproduction of the vulnerable condition.
4. Probability of the reproduction, choose one from the following three: Always, Often or Rarely.
5. Possible threat caused by the vulnerability.
- Workaround.
- PoC (Proof of Concept) code.
- Other comments from the reporter (including severity assessment)
- Describe the specific impact and how you would envision it being used in an attack scenario.
- Do you believe the vulnerability is being exploited? Yes/No
- Is an exploit publicly available? Yes/No
Scope
Any of Vipps services, products or web properties are in scope.
The following issues are currently considered out of scope:
- Volumetric/Denial of Service vulnerabilities (i.e. simply overwhelming our service with a high volume of requests).
- Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
- Vulnerabilities requiring MITM, or physical access to a user's device or account.
- Self-XSS.
- Social engineering and physical security attacks.
- Brute force attacks.
- SSL/TLS configuration weaknesses.
- CSV/formula injection.
- Clickjacking and other issues only exploitable through clickjacking.
- Spoofing attacks.
Bug Bounty
Phishing
Ground Rules
We will not take legal action against security researchers reporting their findings in a responsible manner to us or our Customer Service Center by following the instructions in this document. We ask you to:
- Play by the rules and follow our Disclosure Policy.
- Do not violate the privacy of others by e.g. sharing or not properly securing data.
- Never attempt to gain access to another user’s account or data.
- Promptly report any vulnerabilities you find to us as described in this document.
- Do not disclose any vulnerabilities or associated details to anyone other than your dedicated Vipps security analyst.
- Allow our security team reasonable time to resolve the issue.
Feedback: If you want to give feedback or suggestions to this policy, submit your feedback to our Contact Form. We are continually improving this policy and appreciate your input.
