Bug bounty
Public

VFS Global Bug Bounty Program

VFS GLOBAL SERVICES PVT. LTD.

Reward

Bounty: Low $50 · Medium $300 · High $800 · Critical $1,500

Program

Avg reward: -
Max reward: -
Scopes: 40
Supported languages: English

Hacktivity

Reports: 1662
1st response: < 1 day
Reports last 24h: 5
Reports last week: 17
Reports this month: 12

VFS Global

VFS Global is the world's largest visa outsourcing and technology services specialist for governments and diplomatic missions worldwide. The company manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments. This enables them to focus entirely on the critical task of assessment.

Program Rules

At VFS Global, we recognize the important role that security researchers play in helping to keep VFS Global sites and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on VFS Global applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Only perform tests against your own accounts to protect our users' privacy.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Guidelines

We focus on vulnerabilities with practical impact that we would rate as CRITICAL (max $1500):

  • Leak / Dump of visa applicant PII data.
  • Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
  • Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for a visa appointment, such that all the available time slots can be blocked and real users are prevented from making an appointment.
  • Researchers are encouraged to identify issues in our applications which allow them to tamper with / change the applicant name while rescheduling an appointment. For example, an appointment has been booked in one person’s name but during rescheduling the name is changed to some other person’s name. Such issues would be eligible for a bounty amount of USD 2000.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of VFS Global; however, only reports that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • The report must contain the following elements:
    • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and VFS Global, and remediation advice on fixing the vulnerability
    • Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
    • Complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands, etc.
  • You must not break any of the testing policy rules listed above
  • You must not be associated directly either currently or in the past with any company/organization in the same line of business as VFS.
  • You must not be a former or current employee of VFS Global or one of its contractors or suppliers.
  • Refrain from uploading any PoC videos to YouTube; provide a secure download link for us to access/download them instead. Failure to comply with this may result in ineligibility for a reward.

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Additional reward guideline

We are interested in vulnerabilities with practical impact.
The scenarios below could qualify your report for a higher Critical reward (up to $1500):

  • Leak / Dump of visa applicant PII data.
  • Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
  • Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for a visa appointment, such that all the available time slots can be blocked and real users are prevented from making an appointment.
  • Researchers are encouraged to identify issues in our applications which allow them to tamper with / change the applicant name while rescheduling an appointment. For example, an appointment has been booked in one person’s name but during rescheduling the name is changed to some other person’s name. Such issues would be eligible for a bounty amount of USD 1,000+.
  • Researchers are encouraged to identify issues in the facial verification feature of the applications below which allow them to tamper with / change the applicant details or photo while rescheduling an appointment. For example, an appointment has been booked in one person’s name and with their photo, but the name and photo are changed to some other person’s. Such issues would be eligible for an additional bounty amount of USD 500. This feature is enabled on the login URLs below:

For other findings, such as payment tampering / bypass or login bypass / access control issues, where the impact to VFS is absent or less significant than in the cases above, the bounty amount will be up to 700 USD.

VFS retains the sole authority to determine and award rewards according to its own analysis.

Notes on Vulnerabilities

  • Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information will usually be rewarded as High/Critical depending on the extent of data leaked.

    • Note: In findings where the researcher claims he/she can access another applicant's data, only findings where the researcher has no prior knowledge of the other applicant's information and was nevertheless able to gain access to it by other means (e.g. brute force / parameter tampering / data manipulation, etc.) will be considered valid.
    • If the researcher creates two applicants and, from one applicant's login, is able to access the other applicant's data (since he/she already knows that applicant's details), this will not be counted as a valid finding.
  • Scripts that can automate the completion of the user registration flow are of interest to us, and will be rewarded as High/Critical. To clarify, the user registration flow includes booking a time slot for a visa appointment, such that all the available time slots can be consumed and real users are prevented from making an appointment.

  • The triage team will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the other weaknesses, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. In any case, all reports will be reviewed case by case.

Reward Grid(s)

Critical

Rating     CVSS score   Bounty
None       0.0          No bounty
Low        0.1 - 3.9    $50
Medium     4.0 - 6.9    $100 - 300
High       7.0 - 8.9    $400 - 800
Critical   9.0 - 10.0   $1000 - 1500

Reward

Asset value: Critical
CVSS Low: $50
CVSS Medium: $300
CVSS High: $800
CVSS Critical: $1,500

Systemic issues

1st report: 100%
2nd report: 100%
3rd report: 75%
4th report: 50%
5th report: 25%
6th+ report: 10%

We appreciate all valid reports submitted to our program that enhance our security. However, please note that if a similar issue (see definition in 'More info') has already been reported, by you or any other hunter, the reward will decrease according to these percentages.


Scopes

All in-scope assets listed below have asset value Critical and use the same reward grid: Low $50, Medium $300, High $800, Critical $1,500.

  • *.vfsglobal.(com|co.uk|ca) (Web application)
  • *.vfsevisa.com (Wildcard)
  • *.onevasco.com (Wildcard)
  • *.vascoworldwide.net (Wildcard)
  • www.vfsvisaonline.com (Web application)
  • www.dvpc.net (Web application)
  • www.vfsvisaservicesrussia.com (Web application)
  • *.directverify.in (Wildcard)
  • *.docswallet.com (Wildcard)
  • biometservices.com (Web application)
  • agents.tasheer.com (Web application)
  • https://gaadmin.vfsglobal.com/GlobalAdmin/ (Web application)
  • https://gaadmin.vfsglobal.com/Global-Admin/ (Web application)
  • https://rusadminappt.vfsglobal.com/Global-Admin/ (Web application)
  • https://gaadmin.vfsglobal.com/AustraliaApptAdmin/ (Web application)
  • https://gaadmin.vfsglobal.com/GAR1Ph1ApptAdmin/ (Web application)
  • https://onlinena.vfsglobal.dz/AppointmentAdmin/ (Web application)
  • https://gaadmin.vfsglobal.com/DHAAppointmentAdmin (Web application)
  • https://equatorialguinea-evisa.com (Web application)
  • https://online.srilankaevisa.lk/lka/en/login (Web application)
  • https://online.mustaqel.qa/qat/en/login (Web application)
  • https://appointment.vfsglobal.com.dz/forms/FRDZ/ (Web application)
  • https://vfs.mioot.com/ (Web application)
  • https://vfseu.mioot.com/ (Web application)
  • https://www.vfsvisaservice.com/ (Web application)
  • https://indonesiavoa.vfsevisa.id/ (Web application)
  • https://www.vfsglobalservices-germany.com/Global-Appointment/ (Web application)
  • https://www.vfsvisaservice.com/IHC-SouthKorea-Appointment (Web application)
  • https://vc.tasheer.com/ (Web application)
  • *.vfsglobal.by (Wildcard)
  • *. vfsevisa.id (Wildcard)
  • *.vfsai.com (Wildcard)
  • https://cicforms.mioot.com/forms/PS/ (Web application)
  • svtselb.tasheer.com (Web application)
  • https://vfs-ai-tiff-image-api-hchkdabjdsdya6ea.switzerlandnorth-01.azurewebsites.net/ (Web application)
  • https://vfsforms.mioot.com/forms/IFAL/ (Web application)
  • ru-yandex-api-app.vfsevisa.com (API)
  • udaanindia.com (Web application)
  • udaanindia.in (Web application)
  • https://mohesr.vfsglobal.com/forms/CVUAE/admin/ (Web application)

Out of scopes

  • All other VFS assets that are not listed above as in scope are automatically out of scope
  • https://india-usa.vfsglobal.com
  • https://vire.vfsglobal.com
  • vfsglobal.com.ru
  • myeasydocs.co.il
  • nssr-7.vfsglobal.com
  • https://uat-lift.vfsglobal.com/_angular/main.8dbd1aa97c38b188.js?v=6.0.29
  • https://liftassets.vfsglobal.com/_nuxt/46217fc777819548fddb.js
  • https://ukvitest.vfsglobal.com/_angular/main.3ca04c44a2718f71.js?v=1.0.22
  • https://online.vfsevisa.com/main-es2015.521ef2e1d9f68fd1bb90.js
  • https://online.vfsevisa.com/main-es5.521ef2e1d9f68fd1bb90.js?v=3.1.6
  • https://portal.vfsevisa.com/main-es2015.987b1b526aa8041bfdee.js
  • https://portal.vfsevisa.com/main-es5.987b1b526aa8041bfdee.js?v=3.1.6
  • https://uat-lift.vfsglobal.com/_angular/main.c05c54e8703c3a9f.js?v=6.0.36
  • https://online.vfsevisa.com/main-es2015.6d514e86ec7c6492aafc.js?v=3.1.2
  • https://portal.vfsevisa.com/main-es2015.7857657af609ca5e4bc5.js?v=3.1.4
  • https://egonline.vfsevisa.com/main-es2015.c7bb991442356b23f23e.js?v=3.1.3

Vulnerability types

Qualifying vulnerabilities

  • Scripts that can automate the completion of the user registration flow
  • Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Business logic vulnerability with real security impact
  • Authentication bypass & broken authentication
  • Horizontal and vertical privilege escalation
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Insecure Direct Object References (IDOR)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)
  • SQL Injection (SQLi)
  • Open Redirect
  • Vulnerabilities affecting outdated browsers or platforms
  • CSV injection
  • Malicious file upload (e.g. EICAR files, .EXE)
  • Disclosed or misconfigured public API keys (e.g. Google Maps, Firebase, analytics tools...)
  • Lack of code obfuscation

Non-qualifying vulnerabilities

  • Cache Poisoning
  • Broken Link/Social media Hijacking
  • Tabnabbing
  • Missing cookie flags
  • Content/Text injections
  • Clickjacking/UI redressing
  • Denial of Service (DoS) attacks
  • Recently disclosed CVEs (less than 30 days since patch release)
  • CVEs without exploitable vulnerabilities and PoC
  • Open ports or services without exploitable vulnerabilities and PoC
  • Social engineering of staff or contractors
  • Presence of autocomplete attribute on web forms
  • Self-XSS or XSS that cannot be used to impact other users
  • Any hypothetical flaw or best practices without exploitable vulnerabilities and PoC
  • SSL/TLS issues (e.g. expired certificates, best practices)
  • Unexploitable vulnerabilities (e.g. Self-XSS, XSS or Open Redirect through HTTP headers...)
  • Reports with attack scenarios requiring MITM or physical access to victim's device
  • Missing security-related HTTP headers which do not lead directly to an exploitable vulnerability and PoC
  • Low severity Cross-Site Request Forgery (CSRF) (e.g. Unauthenticated / Logout / Login / Products cart updates...)
  • Invalid or missing email security records (e.g. SPF, DKIM, DMARC)
  • Session management issues (e.g. lack of expiration, no logout on password change, concurrent sessions)
  • Disclosure of information without exploitable vulnerabilities and PoC (e.g. stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets, EXIF Metadata, Origin IP)
  • HTTP Strict Transport Security Header (HSTS)
  • Subdomain takeover without a full exploitable vulnerability and PoC or not applicable to the scope
  • Blind SSRF without exploitable vulnerabilities and PoC (e.g. DNS & HTTP pingback, Wordpress XMLRPC)
  • Lack or bypass of rate-limiting, brute-forcing or captcha issues
  • User enumeration (e.g. email, alias, GUID, phone number, common CMS endpoints)
  • Weak password policies (e.g. length, complexity, reuse)
  • Ability to spam users (email / SMS / direct messages flooding)
  • Password reset token sent via HTTP referer to external services (e.g. analytics / ads platforms)
  • Stolen secrets, credentials or information gathered from a third-party asset that we have no control over
  • Exposed secrets, credentials or information on an asset under our control that are not applicable to the program’s scope
  • Pre-account takeover (e.g. account creation via OAuth)
  • GraphQL Introspection is enabled
  • Vulnerabilities requiring physical access to a user’s smartphone
  • Exploits that are only possible on Android version 8 and below
  • Exploits that are only possible on iOS version 14 and below
  • Exploits that are only possible on a jailbroken device
  • Exploiting a generic Android or iOS vulnerability.
  • Lack of binary protection / jailbreak and root detection / anti-debugging controls
  • Crashing your own application
  • Non important secrets (such as 3rd party secrets)
  • SSL cipher suites
  • Vulnerable versions of libraries (for example ‘jquery’) without a demonstrable attack vector
  • SSL pinning

Reports of leaks and exposed credentials

In the context of this program, we do not intend to encourage, accept or reward reports of leaks that are not applicable to our program’s scope and policy. To summarize our policy, you may refer to the below table:

Type of leak: Impact is in-scope (e.g. valid credentials on an in-scope asset)
  • Source of leak is in-scope: Eligible
  • Source of leak belongs to the Organization and is out-of-scope: Eligible
  • Source of leak does not belong to the Organization and is out-of-scope: Not eligible

Type of leak: Impact is out-of-scope (e.g. valid credentials for an out-of-scope asset)
  • Source of leak is in-scope: Eligible
  • Source of leak belongs to the Organization and is out-of-scope: Not eligible
  • Source of leak does not belong to the Organization and is out-of-scope: Not eligible

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.

To submit a vulnerability report, you need to log in with your hunter account.