VFS Global

VFS Global is the world's largest visa outsourcing and technology services specialist for governments and diplomatic missions worldwide. The company manages the administrative and non-judgmental tasks related to visa, passport and consular services for its client governments. This enables them to focus entirely on the critical task of assessment.

Program Rules

At VFS Global, we recognize the important role that security researchers play in helping to keep VFS Global sites and our customers secure.

By participating in this program you acknowledge that you have read and agreed to the Program Rules, which is defined as this entire document.

Testing Policy and Responsible Disclosure

Please adhere to the following rules while performing research on this program:

• Denial of service (DoS) attacks on VFS Global applications, servers, networks or infrastructure are strictly forbidden.
• Avoid tests that could cause degradation or interruption of our services.
• Do not use automated scanners or tools that generate large amount of network traffic.
• Only perform tests against your own accounts to protect our users' privacy.
• Do not leak, manipulate, or destroy any user data or files in any of our applications/servers.
• Do not copy any files from our applications/servers and disclose them.
• No vulnerability disclosure, full, partial or otherwise, is allowed.

Reward Guidelines

We would be focusing on vulnerabilities of practical impacts that we would rate as CRITICAL (max $1500):

• Leak / Dump of visa applicant PII data.
• Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information (one user able to see data of another user) depending on the extent of data leaked.
• Scripts that can automate the completion of the user registration flow are of interest to us. To clarify, the user registration flow includes booking a time slot for visa appointment, such that all the available time slots can be blocked, and real users are denied of making an appointment.
• Researchers are encouraged to identify issues in our applications which will allow them to tamper / change the applicant name while rescheduling an appointment. For e.x an appointment has been booked in one person’s name but during rescheduling, the name is changed to some other person’s name. Such issues identified would be eligible for a bounty amount of USD 2000.

Reward Eligibility and Amount

We are happy to thank everyone who submits valid reports which help us improve the security of VFS Global, however only those that meet the following eligibility requirements may receive a monetary reward:

• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability (see below).
• The report must contain the following elements:
  • Clear textual description of the vulnerability, how it can be exploited, the security impact it has on the application, its users and VFS Global, and remediation advice on fixing the vulnerability
  • Proof of exploitation: screenshots and/or videos demonstrating the exploit was performed, and showing the final impact
  • Provide complete steps with the necessary information to reproduce the exploit, including (if necessary) code snippets, payloads, commands etc
• You must not break any of the testing policy rules listed above
• You must not be a former or current employee of VFS Global or one of its contractors.
• Refrain from uploading any POC videos through youtube and provide a secure download link for us to access/download it instead. Failure to comply to this may result in ineligibility for a reward.

Reward amounts are based on:

• Reward grid of the report's scope
• CVSS scoring and actual business impact of the vulnerability upon performing risk analysis

Notes on Vulnerabilities

• Insecure Direct Object References (IDOR) issues resulting in significant leak of sensitive user information will usually be rewarded as High/Critical depending on the extent of data leaked.

  • Note: In findings where the researcher claims he/she can get access to another applicant data, only findings where the researcher has no knowledge of the other applicant related information and was able to successfully to get access to the same by any other means (for e.x. brute force / parameter tampering / data manipulation, etc.) will be considered as valid.
  • If the researcher creates 2 applicants and from one applicant login, he/she was able to get access to another applicant data (since he/she was aware of the same) will not be counted as a valid finding.

• Scripts that can automate the completion of the user registration flow are of interest to us, and will be rewarded as High/Critical. To clarify, the user registration flow includes booking a time slot for visa appointment, such that all the available time slots can be consumed, and real users are denied of making an appointment.

• The triage team will use the "OneFixOneReward" process: if two or more endpoints/forms use the same code base and a single fix can be deployed to fix all the others weakness, only one endpoint will be considered as eligible for a reward and other reports will be closed as Informative. In any case, all reports will be reviewed edge by edge.`

Reward Grid(s)

Default