Responsible Disclosure

Introduction

Read the English version here → 

At Visma Circle, the security of our systems is very important to us. Despite our concern for the security of our systems, it is possible that there is a weak spot.

If you have found a weak spot in one of our systems, we would like to hear about it so that we can take measures as soon as possible. We would like to work with you to better protect our customers and our systems.

What we ask you:

• Email your findings to security.circle@visma.com. Encrypt your findings with our PGP Key to prevent the information from falling into the wrong hands.
• Do not abuse the problem by, for example, downloading more data than is necessary to demonstrate the leak or access, delete or modify data from third parties.
• Do not share the issue with others until it is resolved and erase all confidential data obtained through the vulnerability immediately after the vulnerability is closed.
• Not to use attacks on physical security, social engineering, distributed denial of service, spam or third party applications.
• Provide sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability will suffice, but more complex vulnerabilities may require more.

What we promise you:

• We will respond to your report within 3 days with our assessment of the report and an expected resolution date.
• If you have complied with the above conditions, we will not take legal action against you regarding the report.
• We treat your report confidentially and will not share your personal data with third parties without your permission, unless this is necessary to comply with a legal obligation. Reporting under a pseudonym is possible.
• We will keep you informed of the progress of solving the problem.
• In reporting about the reported problem, we will, if you wish, mention your name as the discoverer.
• As a thank you for your help, we offer a reward for every report of a security problem unknown to us. We determine the size of the reward based on the seriousness of the leak and the quality of the report. You will receive a voucher of EUR 50 anyway, and maybe we'll add a cool t-shirt or hoodie!

We aim to resolve all issues as quickly as possible and would be happy to be involved in any publication of the issue after it has been resolved.

The basis of this text was written (in Dutch) by Floor Terra and is published under a Creative Commons Attribution 3.0 license.

Further changes by Visma Circle (Circle Software Group B.V.) part of the Visma Group.

Keep this in mind:

This policy covers any Visma Circle services, products or web properties.

Most of the reports we receive have little or no security impact or are already known. To avoid a disappointing experience when you contact us, please take a moment and consider whether the issue you are reporting has a realistic attack scenario.

More specifically, we ask that you do not submit issues related to:

• Theoretical vulnerabilities without any proof or demonstration of the real presence of the vulnerability.
• Findings from automated tools without providing a Proof of Concept.
• Vulnerabilities requiring MITM, or physical access to a user’s browser, or a smartphone, or email account, as well as issues on rooted or jailbroken smartphones.
• Missing or weak security-related HTTP headers.
• Non-Sensitive Data Disclosure, for example server version banners.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
• Self-XSS.
• Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
• Host header injection, unless you have confirmed that it can be exploited in a practical attack.
• Expired SSL certificates unless you have confirmed that this can be exploited in a practical attack.
• Previously known vulnerable software or libraries without a working Proof of Concept.
• Rate limiting or bruteforce issues on non-authentication endpoints.
• Denial of Service.
• CSV/formula injection.
• Flash based exploits.
• Clickjacking.