Visa Bug Bounty Program Rules

Visa is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency.

We have established this Bug Bounty Program to facilitate our exchange of information about potential vulnerabilities, establish rules for vulnerability testing, and provide a safe harbor for individuals who follow these rules.

We look forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Visa will make a best effort to respond to incoming reports within 2 business days and make a bounty determination after validating a legitimate security issue within 15 business days. We’ll try to keep you informed about our progress throughout the process.

Eligibility

To be eligible to receive rewards, you must:

• Be at least the age of majority in the country where you reside.
• Not be a current Visa employee or a relative of a current Visa employee, and you and/or your relatives cannot have worked at Visa within the past 6 months.
• Be acting in your individual capacity and not on behalf of another company with whom you are employed or have otherwise been retained.
• Not be a resident of a jurisdiction against which the United States has issued comprehensive sanctions or other trade restrictions (e.g., Iran, North Korea, Syria, Cuba, and the Crimea Donetsk, and Luhansk regions of Ukraine,) or a person against whom the United States has issued blocking sanctions (e.g., a Specially Designated National or Blocked Person).
• Conduct all testing and research in accordance with applicable law.

You must also follow the HackerOne rules at all times and have cleared HackerOne’s sanctions screenings and other applicable procedures. Determinations as to whether a submission is eligible for a bounty and otherwise consistent with these rules are within Visa’s sole discretion.

Disclosure

If you believe you have discovered a potential security issue or other vulnerability, you must:

• Let us know as soon as possible and we’ll make every effort to quickly resolve the issue.
• Keep your discovery confidential, as no public disclosure is allowed in our bug bounty program.
• Provide detailed reports with reproducible steps, including any necessary proof of concept artifacts (screenshots, videos, etc.). If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward. See HackerOne’s report guidance.
• Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
• When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
• Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
• Submit only original vulnerability reports identified by you as a HackerOne user and do not copy or otherwise reproduce works to which others may have a claim.

Determinations as to whether a submission is eligible for a bounty, the severity of the disclosed vulnerability, and whether a researcher’s conduct is consistent with these rules are within Visa’s sole discretion.

Program Terms

By accepting the invitation and participating in Visa's bug bounty program, you agree that you will:

• Keep any proposed vulnerabilities strictly confidential
• If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal Information, credit card data, or proprietary information). You are not authorized to access any confidential Visa information, nor to further share any confidential Visa information to which you may be inadvertently exposed
• Not initiate any unauthorized financial transactions
• Not violate any national, state, or local laws or regulations, including any data privacy or security laws or regulations
• Not upload proof of concept artifacts on third party hosting/cloud providers. Upload these artifacts directly to HackerOne portal.
• Not conduct social engineering attacks (e.g. phishing, vishing, smishing) against Visa employees, partners, or customers.
• Not test the physical security of Visa offices or facilities.
• Only interact with accounts you own. Use test accounts where possible.
• Make a good faith effort to avoid modification or destruction of data, and interruption or degradation of our service, and will notify Visa or HackerOne immediately if you believe you inadvertently cause any of these issues.
• Not perform any testing that could harm our services such as Denial of Service (DoS) attacks or destructive injection attacks. Do not spam or brute force any registration or contact functionality.

Creating Testing Accounts

Using or accessing accounts that belong to other users is absolutely prohibited. For testing applications that require authentication, you may only test using accounts you self-register. If self-registration is not possible, you may only conduct unauthenticated testing.

When creating test accounts, you must follow these conventions:

• Use prefix “visa_bb” + your HackerOne username
• Use your @wearehackerone.com email address

Automated Scanning

We don’t need help running automated vulnerability scanners. We’ve got those covered. We need your brainpower, not your processing power. Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue won't be accepted. Please be respectful of our applications. Do not spam application forms through automated vulnerability scanners.

If you employ automated scanning tools, their requests must be rate limited to not exceed 1 request per second without prior approval. Failure to do so may be considered a DoS attack and will result in disqualification from the program.

To help us identify test traffic, please include a custom HTTP header with your HackerOne username in all your traffic: X-Hackerone: <username>. Even so, all traffic is subject to layers of defensive architecture which may automatically block anything that appears to be attack traffic.

General Terms

Relationship of the Parties

Nothing in these Terms will be construed as creating a joint venture, partnership, employment or agency relationship between you and Visa, and you do not have any authority to create any obligation or make any representation on Visa's behalf.

Proprietary Rights

All ownership rights in the Visa branded-sites listed as in Scope for this program are retained by Visa, its Affiliates and their licensors, and protected under applicable copyrights, trademarks and other proprietary (including intellectual property) rights and international treaties. All rights not expressly granted to you through these Terms are retained by Visa, its Affiliates and their licensors. Nothing in these Terms grants to you any right to use any of Visa's, its Affiliates' or any other third party's trademarks, service marks, logos or other indicia of origin. An “Affiliate” is an entity that is controlled by, controls or is under common control with Visa. Visa grants no rights to an intellectual property on any of the sites listed below and you are not permitted to create derivative works of any such websites.

Finder Representations

You acknowledge that Visa is reliant on the representations you made to HackerOne and that all representations made to HackerOne are true and accurate.

Safe harbor

Visa wants to encourage responsible security research and coordinated vulnerability disclosure. So, if your research, testing, and disclosure is conducted consistent with these rules:

• We will not pursue civil action for research, testing, or disclosure or refer such activities to law enforcement.
• We consider security research and vulnerability disclosure activities conducted consistent with these Rules to constitute “authorized” conduct under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act (DMCA), and other anti-hacking laws.
• And we waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the systems and applications in scope of this Bug Bounty program.

Please note that Visa cannot and does not authorize security research or testing of any other entity’s systems or applications. If your research involves systems or applications not owned by Visa, that third party may determine whether to pursue legal action. If legal action is initiated by a third party against you in connection with activities conducted in accordance with our Rules, we will take steps to make it known that your actions were conducted in compliance with Visa’s Bug Bounty Program.

In operating this Program, Visa does not waive any rights that it may have by not exercising (or delaying the exercise of) such rights. Additionally, should you violate the Rules, Visa retains all rights and other remedies available to it at law or in equity, including the rights to seek injunctive, specific performance or other equitable relief.

Scope

Only assets listed in the Scopes table as "In Scope" are valid targets for this program. Any Visa asset not listed as "In Scope" is outside the scope of this program; testing of those assets is not authorized. Reports for assets not "In Scope" may not be eligible for bounty, even if they are accepted to be fixed.

If you have discovered a vulnerability on an asset that is not listed in scope as part of Visa’s incentivized bug bounty program and it is a Visa owned asset, please submit it to Visa’s Vulnerability Disclosure program here:

• https://usa.visa.com/about-visa/vulnerability-disclosure.html

Please note that some of the assets in scope have multiple websites/URLs that share the same code base; if the same issue exists on multiple sites that share the same code base, only one report will be accepted. Similarly, only one report may be accepted for vulnerabilities that share the same root cause and fix or for systemic issues.

If you’re not sure whether a particular asset or vulnerability class is in scope, please ask us!

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

• Clickjacking on pages with no sensitive actions.
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actionsUnauthenticated/logout/login CSRF.
• Attacks requiring MITM or physical access to a user's device.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Missing best practices in SSL/TLS configuration.
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Rate limiting or bruteforce issues on non-authentication endpoints.
• Missing best practices in Content Security Policy.
• Missing HttpOnly or Secure flags on cookies.
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
• Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).Banner grabbing and fingerprinting (figuring out what web server or technology is in use, etc.).
• Any finding related to frameable content will be considered only on its merit based on a working PoC.
• Issues that require unlikely user interaction.
• Findings on SaaS applications where there is no clear impact or risk to Visa.
• There are some services where the ability to query for a username or email is a product feature. User enumeration will only be rewarded or fixed in cases where it is a deemed a security vulnerability as opposed to a feature.
• Any activity that could lead to system disruption or Denial of Service (DoS).
• Previously known vulnerable libraries without a working Proof of Concept.

Retest Policy

Retest Invitation: Once a fix has been deployed, Visa may invite the researcher to retest and confirm that the issue is fully fixed.  Retest SLA:  To maintain our remediation SLAs, researchers are required to complete the retest within 48 hours. If you cannot complete the retest with the SLA, please decline the request. Retests submitted after the 48 hour window will be considered void and ineligible for retest reward. Retest Reward: The researchers will be rewarded based on the severity of the original issue

• $400 for Critical  
• $250 for High  
• $100 for Medium 
• $50 for Low

Changes to the Rules

Visa may change these Rules or cancel the Bug Bounty program at any time without prior notice. Any changes to the program or these Rules will be posted on Visa’s HackerOne site. If you continue to participate in the program after any such changes are posted, you must follow the Rules as modified.

Thank you for helping keep Visa and our users safe!