Introduction
The Viva Wallet Group (“viva.com”, “Viva Wallet” or “Group”) Information Security team works diligently to protect Group’s assets, services, products, and customer information. Additionally, we recognize the valuable role the research community plays in submitting responsible disclosures that may aid our security posture, and we welcome the opportunity to partner with you.
We accept reports of potential security vulnerabilities that may provide an attacker with the ability to compromise the integrity, availability, or confidentiality of our products, services, or information technology infrastructure. Please see below for specific submission criteria.
If you believe you have found a qualifying security vulnerability in a viva.com product or website, please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution. All relevant submissions should be made through the vulnerability disclosure form located at this page.
Legal Notice
1. By providing a vulnerability report submission to viva.com you represent and warrant that your submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the submission to viva.com.
2. You agree that by submitting such information to viva.com you grant viva.com a worldwide, perpetual, irrevocable, exclusive, transferable, sublicensable, fully-paid and royalty-free license under any and all intellectual property rights that you own or control to use, copy, modify, create derivative works based upon and otherwise exploit such information for any purpose.
3. Maintaining this private vulnerability disclosure programme does not constitute permission to damage or attempt to damage any resources and services provided by or used by viva.com, or to use illegal means to perform your testing; any such action is not authorized by viva.com and may be punishable by law.
4. Any activity which involves the intentional compromise of the privacy of our customers or employees or the intentional disruption of the operation of our products, services, or information technology infrastructure will result in viva.com taking action, including but not limited to, bringing legal claims, against you.
5. Viva.com makes every effort to handle all submissions promptly and to improve our systems.
6. We kindly request that you do not publicly disclose the vulnerability until we have had an opportunity and reasonable time (60-90 days) to investigate and address the issue.
7. Viva.com is not responsible for any damages or claims related to your report.
8. Report submissions regarding vulnerabilities with third party affiliates, SaaS solutions, licensing sites and applications that are not directly provided by viva.com can be reported using this form but are not part of the vulnerability disclosure programme and viva.com can make no claims on review and/or resolution of such vulnerabilities.
9. Viva.com reserves the right to modify these terms in its sole discretion, at any time and without prior notice.
10. The purpose of processing the personal data you may reveal to us is to administer the bug report and to contact you if we need more information about the bug you have reported. The legal basis for our processing is our legitimate interest in improving the security of our products and services. We retain your personal data until we agree that the reported vulnerability has been resolved, or for as long as required for the establishment, exercise or support of any legal claims. We may also share your personal data with processors that assist us in the reporting process, including cloud software and data hosting providers. If we transfer your personal data to another country, we will make sure that your personal data is sufficiently protected and that strict data protection safeguards are in place before the transfer. You have the following rights in relation to the personal data we process about you: to object to our processing of your data, to access the data we hold about you, to ask for rectification or restriction of your data, to request that we delete your data, to obtain the personal data you provide to us in a structured, machine-readable format and to ask us to share this data with another party, and finally to file a complaint with the competent data protection supervisory authority.
11. By clicking "Submit" or proceeding with the report, you acknowledge and agree to the terms of this legal disclaimer.
Submission Rules
Acceptable Submissions
To ensure a submission is acceptable, you must:
- not provide the mere outcome of automated scanners/tools as a vulnerability that you have discovered on your own,
- not cause harm to viva.com or its customers,
- avoid compromising the privacy of our customers or employees, or disrupting the operation of our products, services, or information technology infrastructure,
- test for vulnerabilities against accounts you own or accounts you have permission from the account holder to test against,
- not violate any law,
- exercise a responsible disclosure code of conduct prior to publicly disclosing or sharing vulnerability details,
- report a confirmed vulnerability in a timely manner and not exploit it further, and
- not keep any copies of any non-public viva.com information or share such information with any third party.
Please act in good faith by conducting your activities under this policy and reporting the vulnerability to us promptly, in sufficient detail for us to determine its validity, and without coercion, dishonesty, or fraudulent intent.
Violation of any of these rules can result in viva.com taking further action, including but not limited to, bringing legal claims, against you.
When reporting a security vulnerability, viva.com will not pursue claims against you in response to your report.
The following submissions are not accepted by viva.com:
- Submissions that have resulted in or have been implemented through the alteration or theft of viva.com data or the interruption (DoS, DDoS) or degradation of ICT systems.
- Attacks which require internal network access or are from viva.com employees or contractors.
- Social engineering attempts.
- Any activity involving Group’s physical locations, including but not limited to conducting physical attacks against assets (e.g., any equipment within our facilities, Point of Sale (POS) systems).
- Attacks requiring access to the victim’s network or physical access to a user's device.
- Testing that requires mass creation of accounts, rate limit testing, credential stuffing, etc.
- User enumeration.
- Activity that could lead to the disruption of service (DoS), including Cache Poisoning.
- Known vulnerable libraries without a working Proof of Concept.
- Missing best practices in SSL/TLS configuration.
- Cross-Site Request Forgery (CSRF) with no security impact (e.g., unauthenticated/logout/login CSRF).
- Comma Separated Values (CSV) injection without demonstrating the vulnerability.
- Content spoofing and text injection issues without showing an attack vector or being able to modify HTML/CSS.
- Missing best practices in Content Security Policy.
- Missing HttpOnly, Secure or SameSite attributes on cookies, unless the cookie is proven to control session authentication.
- Clickjacking / Tapjacking attacks.
- Banner Exposure / Version Disclosure.
- Missing email best practices (e.g., invalid, incomplete, or missing SPF/DKIM/DMARC records).
- Open Redirects that are not chained into a more impactful vulnerability.
- Broken links in documentation.
- Additional missing security controls often considered “Best practice”, such as certificate pinning or mitigating information disclosures.
Viva.com reserves the right, in its sole discretion, to reject any submission that falls under the categories listed above.
Report Data
To help streamline our intake process, we ask that submissions include:
- One vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
- Title of the reported vulnerability.
- Description of the reported vulnerability.
- Steps to reproduce the reported vulnerability.
- Proof of exploitability (e.g., Request and Response messages, screenshots, videos).
- Perceived impact to another user or the organization.
- Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers).
- List of URLs, applications and affected parameters.
- Other vulnerable URLs, additional payloads, Proof-of-Concept code.
- Browser, OS or app version used during testing.
Please report findings in English. All supporting evidence and other attachments must be stored only within the report you submit. Do not host any files on external services. Failure to adhere to these minimum requirements may result in delay. Also please note that whether a disclosure provides a positive contribution to the security community is a key factor in our evaluation.
Response
Viva.com will make a reasonable effort to address the disclosed vulnerability within a reasonable timeframe. Should further triage details be required, or should the report be closed, you will be contacted through the contact email address you provided, if any.