Bug bounty
Public

VFS Global Bug Bounty Program

VFS GLOBAL SERVICES PVT. LTD.

Reward

Bounty by severity:
  Low       $50
  Medium    $300
  High      $800
  Critical  $1,500

Program

  Avg reward: -
  Max reward: -
  Scopes: 29
  Supported languages: English

Hacktivity

  Reports: 1160
  1st response: < 1 day
  Reports last 24h: 1
  Reports last week: 13
  Reports this month: 28

VFS Global

VFS Global is the world's largest visa outsourcing and technology services specialist for governments and diplomatic missions worldwide. The company manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments. This enables them to focus entirely on the critical task of assessment.

Program Rules

At VFS Global, we recognize the important role that security researchers play in helping to keep VFS Global sites and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which are defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

  • Denial of service (DoS) attacks on VFS Global applications, servers, networks or infrastructure are strictly forbidden.
  • Avoid tests that could cause degradation or interruption of our services.
  • Do not use automated scanners or tools that generate large amounts of network traffic.
  • Only perform tests against your own accounts to protect our users' privacy.
  • Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
  • Do not copy any files from our applications/servers and disclose them.
  • No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Guidelines

We focus on vulnerabilities with practical impact that we would rate as CRITICAL (max $1500):

  • Leak / Dump of visa applicant PII data.
  • Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
  • Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for a visa appointment, so that all the available time slots could be blocked and real users denied the ability to make an appointment.
  • Researchers are encouraged to identify issues in our applications that allow them to tamper with or change the applicant name while rescheduling an appointment. For example, an appointment has been booked in one person's name but, during rescheduling, the name is changed to another person's name. Such issues would be eligible for a bounty amount of USD 2000.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of VFS Global; however, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability (see below).
  • The report must contain the following elements:
    • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and VFS Global, and remediation advice on fixing the vulnerability.
    • Proof of exploitation: screenshots and/or videos demonstrating that the exploit was performed, and showing the final impact.
    • Complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc.
  • You must not break any of the testing policy rules listed above.
  • You must not be a former or current employee of VFS Global or one of its contractors.
  • Refrain from uploading any PoC videos to YouTube; provide a secure download link for us to access/download them instead. Failure to comply with this may result in ineligibility for a reward.

Reward amounts are based on:

  • Reward grid of the report's scope
  • CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Additional reward guideline

We are interested in vulnerabilities with practical impact.
The scenarios below could qualify your report for a higher Critical reward (up to $1500):

  • Leak / Dump of visa applicant PII data.
  • Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
  • Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for a visa appointment, so that all the available time slots could be blocked and real users denied the ability to make an appointment.
  • Researchers are encouraged to identify issues in our applications that allow them to tamper with or change the applicant name while rescheduling an appointment. For example, an appointment has been booked in one person's name but, during rescheduling, the name is changed to another person's name. Such issues would be eligible for a bounty amount of USD 1,000+.

For other findings such as payment tampering / bypass or login bypass / access control issues, where the impact to VFS is absent or less significant than in the cases above, the bounty amount will be up to 700 USD.

VFS retains the sole authority to determine the reward according to its own analysis.

Notes on Vulnerabilities

  • Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information will usually be rewarded as High/Critical depending on the extent of data leaked.

    • Note: Where the researcher claims to be able to access another applicant's data, only findings in which the researcher had no prior knowledge of the other applicant's information and was nonetheless able to gain access to it by other means (for example brute force / parameter tampering / data manipulation, etc.) will be considered valid.
    • If the researcher creates 2 applicants and, logged in as one applicant, is able to access the other applicant's data (which he/she already knew), this will not be counted as a valid finding.
  • Scripts that can automate the completion of the user registration flow are of interest to us, and will be rewarded as High/Critical. To clarify, the user registration flow includes booking a time slot for a visa appointment, so that all the available time slots could be consumed and real users denied the ability to make an appointment.

  • The triage team will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to remediate all the other weaknesses, only one endpoint will be considered eligible for a reward and the other reports will be closed as Informative. In any case, all reports will be reviewed on a case-by-case basis.

Reward Grid(s)

Default

Rating     CVSS score    Bounty
None       0.0           No bounty
Low        0.1 - 3.9     $50
Medium     4.0 - 6.9     $100 - $300
High       7.0 - 8.9     $400 - $800
Critical   9.0 - 10.0    $1000 - $1500


Reward

Asset value   CVSS Low   CVSS Medium   CVSS High   CVSS Critical
Low           $50        $300          $800        $1,500

Scopes

Every scope below has asset value Low and uses the same bounty grid: Low $50, Medium $300, High $800, Critical $1,500.

Scope                                                                     Type              Asset value
*.vfsglobal.(com|co.uk|ca)                                                web-application   Low
*.vfsevisa.com                                                            web-application   Low
onevasco.com                                                              web-application   Low
www.vascoworldwide.net                                                    web-application   Low
www.vfsvisaonline.com                                                     web-application   Low
www.dvpc.net                                                              web-application   Low
www.vfsvisaservicesrussia.com                                             web-application   Low
www.directverify.in                                                       web-application   Low
www.docswallet.com                                                        web-application   Low
biometservices.com                                                        web-application   Low
agents.tasheer.com                                                        web-application   Low
https://gaadmin.vfsglobal.com/GlobalAdmin/                                web-application   Low
https://gaadmin.vfsglobal.com/Global-Admin/                               web-application   Low
https://rusadminappt.vfsglobal.com/Global-Admin/                          web-application   Low
https://gaadmin.vfsglobal.com/AustraliaApptAdmin/                         web-application   Low
https://gaadmin.vfsglobal.com/GAR1Ph1ApptAdmin/                           web-application   Low
https://onlinena.vfsglobal.dz/AppointmentAdmin/                           web-application   Low
https://gaadmin.vfsglobal.com/DHAAppointmentAdmin                         web-application   Low
https://equatorialguinea-evisa.com                                        web-application   Low
https://online.srilankaevisa.lk/lka/en/login                              web-application   Low
https://online.mustaqel.qa/qat/en/login                                   web-application   Low
https://appointment.vfsglobal.com.dz/forms/FRDZ/                          web-application   Low
https://vfs.mioot.com/                                                    web-application   Low
https://vfseu.mioot.com/                                                  web-application   Low
https://www.vfsvisaservice.com/                                           web-application   Low
https://indonesiavoa.vfsevisa.id/                                         web-application   Low
https://www.vfsglobalservices-germany.com/Global-Appointment/             web-application   Low
https://www.vfsvisaservice.com/IHC-SouthKorea-Appointment                 web-application   Low
https://vc.tasheer.com/                                                   web-application   Low

Out of scopes

  • All other VFS assets that are not listed above as in scope are automatically out of scope
  • https://india-usa.vfsglobal.com
  • https://vire.vfsglobal.com
  • vfsglobal.com.ru
  • myeasydocs.co.il
  • nssr-7.vfsglobal.com
  • https://uat-lift.vfsglobal.com/_angular/main.8dbd1aa97c38b188.js?v=6.0.29
  • https://liftassets.vfsglobal.com/_nuxt/46217fc777819548fddb.js
  • https://ukvitest.vfsglobal.com/_angular/main.3ca04c44a2718f71.js?v=1.0.22
  • https://online.vfsevisa.com/main-es2015.521ef2e1d9f68fd1bb90.js
  • https://online.vfsevisa.com/main-es5.521ef2e1d9f68fd1bb90.js?v=3.1.6
  • https://portal.vfsevisa.com/main-es2015.987b1b526aa8041bfdee.js
  • https://portal.vfsevisa.com/main-es5.987b1b526aa8041bfdee.js?v=3.1.6
  • https://uat-lift.vfsglobal.com/_angular/main.c05c54e8703c3a9f.js?v=6.0.36
  • https://online.vfsevisa.com/main-es2015.6d514e86ec7c6492aafc.js?v=3.1.2
  • https://portal.vfsevisa.com/main-es2015.7857657af609ca5e4bc5.js?v=3.1.4
  • https://egonline.vfsevisa.com/main-es2015.c7bb991442356b23f23e.js?v=3.1.3

Vulnerability types

Qualifying vulnerabilities

  • Scripts that can automate the completion of the user registration flow
  • Cross-Origin Resource Sharing (CORS)/Cross-site Request Forgery (CSRF) with real security impact
  • Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
  • Business logic vulnerability with real security impact
  • Authentication bypass & broken authentication
  • Horizontal and vertical privilege escalation
  • Code injections (HTML, JS, SQL, PHP, ...)
  • Insecure Direct Object References (IDOR)
  • Remote Code Execution (RCE)
  • Cross-Site Scripting (XSS)

Non-qualifying vulnerabilities

  • Incomplete reports missing one or more of the following elements: clear textual description of the vulnerability, proof of exploitation, complete steps with the necessary information to reproduce the exploit
  • Reports describing hypothetical attack scenarios that are not demonstrable
  • Reports with attack scenarios requiring physical access to victim and/or victim's device, or social engineering attempts
  • Security best practices without demonstrated security impact
  • Recently disclosed 0-day vulnerabilities
  • Disclosure of information without security impact (Stack traces, path disclosure, directory listings, software versions, IP disclosure, 3rd party secrets etc.)
  • Vulnerabilities affecting outdated browsers - only exploits working on the latest browser versions of Safari, Firefox, Chrome, Edge, IE will be accepted
  • Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
  • Missing security-related HTTP headers which do not lead directly to a vulnerability
  • Vulnerable/outdated software/libraries without demonstrated security impact
  • Vulnerabilities involving stolen credentials or physical access to a device
  • Account oracles: possibility to enumerate phone number, email, GUID etc
  • Logout and other instances of low-severity Cross-Site Request Forgery
  • XSS in POST requests (e.g. XSS in the HTTP Host header)
  • Presence of autocomplete attribute on web forms
  • Lack of rate-limiting or Captcha
  • Denial of Service (DoS) attacks
  • Crashing your own application
  • Clickjacking/UI redressing
  • Mixed content warnings
  • SSL/TLS best practices
  • Missing cookie flags
  • Protocol mismatch
  • Self XSS

Hunters collaboration

When submitting a new report, you can add up to 5 collaborators and define the reward split ratio.

For more information, see help center.
Note: For reports that have already been rewarded, it is not possible to redistribute the rewards.