
Vipps greatly appreciates input from security researchers who want to help. We encourage responsible vulnerability research and disclosure. If you discover a vulnerability in any of our systems, please let us know so we can address it as quickly as possible.

Reporting a vulnerability

If you have discovered an issue you want to report, please do the following:

  • Email your findings to responsible-disclosure@vipps.no. We appreciate it if you encrypt the email to protect its contents. We prefer PGP; our PGP key is at the bottom of this page. Check the key's fingerprint before encrypting to it, and encrypt any attachments (screenshots, proof-of-concept files) together with the message body rather than sending them in the clear.
  • Describe what the issue is and how you discovered it, and attach screenshots or other supporting material where possible. The section below lists the details that are useful to include in a report.
  • Give enough detail for us to reproduce the issue.
  • Do not exploit the vulnerability beyond what is needed to demonstrate it.
  • Do not disclose the vulnerability to others until it is resolved.

Vulnerability-related information

  1. Product or service in which the vulnerability was found.
    - Product or service name
    - Product or service URL
    - Version
    - Any deviation from the standard configuration
  2. Anomalous behaviour caused by the vulnerability.
  3. Steps to reproduce the vulnerable condition.
  4. How reliably it reproduces, one of the following three:
    a. Always
    b. Often
    c. Rarely
  5. The threat the vulnerability poses.
  6. Any workaround you are aware of.
  7. PoC (proof-of-concept) code.
  8. Other comments from the reporter, including your own severity assessment:
    - Describe the specific impact and how you envision it being used in an attack scenario.
    - Do you believe the vulnerability is being exploited? Yes/No
    - Is an exploit publicly available? Yes/No

Scope

All Vipps services, products and web properties are in scope.

The following issues are currently considered out of scope:

  • Volumetric denial-of-service vulnerabilities (i.e. simply overwhelming a service with a high volume of requests).
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  • Vulnerabilities that require a man-in-the-middle position, or physical access to a user's device or account.
  • Self-XSS.
  • Social engineering and physical security attacks.
  • Brute force attacks.
  • SSL/TLS configuration weaknesses.
  • CSV/formula injection.
  • Clickjacking and other issues only exploitable through clickjacking.
  • Spoofing attacks.

Phishing

If you want to report suspicious emails that appear to come from Vipps, please forward them to phishing@vipps.no. If you have any questions or comments about the reporting process, please use our Contact Form.

Bug Bounty

We currently do not offer a paid bug bounty program. However, we do offer tokens of appreciation when certain thresholds for reported findings are met. Reporters who qualify for a reward will be offered a special Vipps reward.

Reward eligibility

Reports need to meet the following criteria to qualify for a reward:

  • Severity medium or above (severity is determined by the Vipps security team).
  • Our security team is able to reproduce and verify the issue.
  • The issue is not previously known to us or already reported.

Security researchers who have spent significant time and effort investigating an issue and reporting it to us may also be rewarded, as we want to recognise their work.

What to expect

When reporting issues and communicating with us, you can expect us to:

  • Send you an automatic confirmation that we have received your report.
  • Reply in person within a reasonable time while we evaluate the report, and at the latest within one business week.
  • Work with you to understand and validate the issue.
  • Handle your report in a confidential and secure manner.
  • Recognize your effort to help us improve security in Vipps.

Ground Rules

We will not take legal action against security researchers who report their findings responsibly, to us or to our Customer Service Center, by following the instructions in this document. We ask you to:

  • Play by the rules and follow our Disclosure Policy.
  • Not violate the privacy of others, e.g. by sharing data you have obtained or by failing to secure it properly.
  • Never attempt to gain access to another user's account or data.
  • Promptly report any vulnerabilities you find to us as described in this document.
  • Not disclose any vulnerabilities or associated details to anyone other than your dedicated Vipps security analyst.
  • Allow our security team reasonable time to resolve the issue.

Feedback

If you want to give feedback or suggestions on this policy, please submit them through our Contact Form. We are continually improving this policy and appreciate your input.

Vipps Security Hall of Fame

See who has contributed to keeping Vipps safe.