Visa Vulnerability Disclosure Program

Cybersecurity is critical to Visa and we want to facilitate the exchange of information about potential vulnerabilities, establish rules for vulnerability testing, and provide a Safe Harbor for individuals who follow these rules.

Introduction

At Visa, cybersecurity is core to our values. We want to hear from you if you have information related to potential security vulnerabilities in Visa’s products, services, websites, or applications. We have established this Vulnerability Disclosure Program to facilitate our exchange of information about potential vulnerabilities, establish rules for vulnerability testing, and provide a Safe Harbor for individuals who follow these rules.

Expectations

When you report vulnerabilities to us, you can expect us to:

  • Extend a Safe Harbor to you for vulnerability reports submitted in accordance with our Program Rules
  • Work with you to understand and validate your report, including a timely initial response to the submission
  • Work to remediate discovered vulnerabilities in a reasonable manner

Program rules

Please note that this Program should not be construed as encouragement or permission to hack, penetrate, or otherwise attempt to gain unauthorized access to Visa applications, systems, or data. To avoid any confusion between good-faith reporting and a malicious attack, we ask that you:

  • Report any suspected or confirmed vulnerability you’ve discovered promptly
  • Do not violate the privacy of others, disrupt our systems, destroy data, and/or harm the user experience
  • Do not conduct social engineering (e.g. phishing, vishing, smishing)
  • If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as Personal Information, credit card data, or proprietary information) – you are not authorized to access any Visa data
  • Provide us with a reasonable amount of time to remediate vulnerabilities;
  • Keep the details of any discovered vulnerabilities confidential
  • Do not initiate any unauthorized financial transaction
  • Only interact with accounts you own or with explicit permission from the account holder
  • Do not violate any national, state, or local laws or regulations

Safe harbor

Testing activities conducted in accordance with this Program are protected by a Safe Harbor, meaning that we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted in accordance with our Rules, we will take steps to make it known that your actions were conducted in compliance with Visa’s Vulnerability Disclosure Program.

In operating this Program, Visa does not waive any rights that it may have by not exercising (or delaying the exercise of) such rights. Additionally, should you violate the Rules, Visa retains all rights and other remedies available to it at law or in equity, including the rights to seek injunctive, specific performance or other equitable relief.

Thank you for helping us keep Visa customers and data safe. Please submit a report to us before engaging in conduct that may be inconsistent with our Rules.
 

Report a vulnerability

Visa uses HackerOne to triage and validate responsibly disclosed vulnerability reports. Please submit your report.