Visa Vulnerability Disclosure Programme

Cybersecurity is critical to Visa and we want to facilitate the exchange of information about potential vulnerabilities, establish rules for vulnerability testing and provide a Safe Harbour for individuals who follow these rules.

Introduction

At Visa, cybersecurity is core to our values. We want to hear from you if you have information related to potential security vulnerabilities in Visa’s products, services, websites or applications. We have established this Vulnerability Disclosure Programme to facilitate our exchange of information about potential vulnerabilities, establish rules for vulnerability testing and provide a Safe Harbour for individuals who follow these rules.

Expectations

When you report vulnerabilities to us, you can expect us to:

  • Extend a Safe Harbour to you for vulnerability reports submitted in accordance with our Programme Rules
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a reasonable manner

Programme rules

Please note that this Programme should not be construed as encouragement or permission to hack, penetrate or otherwise attempt to gain unauthorised access to Visa applications, systems or data. To avoid any confusion between good-faith reporting and a malicious attack, we ask that you:

  • Report any suspected or confirmed vulnerability you’ve discovered promptly
  • Do not violate the privacy of others, disrupt our systems, destroy data and/or harm the user experience
  • Do not conduct social engineering (e.g., phishing, vishing, smishing)
  • If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal Information, credit card data, or proprietary information) – you are not authorised to access any Visa data
  • Provide us with a reasonable amount of time to remediate vulnerabilities;
  • Keep the details of any discovered vulnerabilities confidential
  • Do not initiate any unauthorised financial transaction
  • Only interact with accounts you own or with explicit permission from the account holder
  • Do not violate any national or local laws or regulations

Safe harbour

Testing activities conducted in accordance with this Programme are protected by a Safe Harbour, meaning that we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted in accordance with our Rules, we will take steps to make it known that your actions were conducted in compliance with Visa’s Vulnerability Disclosure Programme.

In operating this Programme, Visa does not waive any rights that it may have by not exercising (or delaying the exercise of) such rights. Additionally, should you violate the Rules, Visa retains all rights and other remedies available to it at law or in equity, including the rights to seek injunctive, specific performance or other equitable relief.

Thank you for helping us keep Visa customers and data safe. Please submit a report to us before engaging in conduct that may be inconsistent with our Rules.
 

Report a vulnerability

Visa uses HackerOne to triage and validate responsibly disclosed vulnerability reports. Please submit your report.