Vulnerability disclosure programme

Effective date: October 2024

At Vistra (also referred to as “we” or “us”), the security of our clients, partners, and systems is paramount. Our vision is to make operating anywhere in the world feel borderless and frictionless and we are committed to safeguarding our digital environment and taking a proactive approach to security. Our Vulnerability Disclosure Programme (“VDP”) invites security researchers and the wider community to help us identify vulnerabilities responsibly and ensure our systems remain robust and secure.

Our commitment to security

Vistra strives to maintain the highest standards of security and confidentiality in its systems and while we continuously monitor and improve these, we understand that security vulnerabilities may arise. We encourage ethical researchers to identify and report potential security issues in respect of any of our systems to us, following a responsible disclosure process as detailed below.

Reporting a vulnerability

If you have discovered a security vulnerability in any of our systems that could impact the confidentiality, integrity or availability of our systems, data or services, please submit a report to us as soon as possible in accordance with the following:

Submit through the proper channels: Email your findings to us in the English language via the following email address: [email protected].

Provide detailed information: Include a clear description of the vulnerability identified, steps to reproduce, and any supporting evidence, such as screenshots or logs.

Act in good faith: Ensure you do not access, modify, or destroy data during your research. Any attempt to disrupt our services, compromise our data integrity or unlawfully access our or our clients’ confidential data beyond entry breaches our internal policies, may breach applicable laws and/or regulations, and will not be tolerated.

Maintain confidentiality: Please refrain from publicly disclosing any vulnerability identified without our prior written approval.

Compliance and consent: By submitting your report to us, you confirm and acknowledge that you have read, understand, and agree to the terms of this programme for the conduct of security research and disclosure of vulnerabilities or indicators of vulnerabilities related to our systems, and consent to having the contents of any associated communication and follow-up communications stored on Vistra’s information systems. 

Intellectual property: The intellectual property rights in Vistra’s systems vest in, and are owned by, us (and/or our applicable licensor(s)). Please note that infringement of these intellectual property rights is a violation of applicable laws and hence not allowed. Vistra owns all intellectual property rights in any ideas, concepts, feedback and/or suggestions (collectively “Feedback”) provided by you to us. To the extent this is not legally possible, by submitting your report to us, you grant us a worldwide, royalty-free, non-exclusive, transferable, perpetual, unrestricted and irrevocable right to use such Feedback for any purpose, including but not limited to, incorporation of Feedback into our systems and/or other offerings without compensation or attribution to you.

What to expect

Once your submission is received by us, we will, at our sole discretion:

  • Acknowledge receipt of your report as soon as practicable.
  • Investigate and validate the issue promptly.
  • Keep you informed of the progress and estimated resolution time.
  • Work with you to determine an appropriate public disclosure timeline, if applicable and appropriate.

Scope of programme

We are committed to transparency and appreciate your efforts to help keep our systems secure. However, the following areas are strictly out of scope and prohibited:

  • Denial of Service (DoS) attacks or any vulnerabilities that may cause disruption to any of our services to our clients.
  • Social engineering attempts against any of our employees, contractors or customers.

Issues related to out-of-date software or browsers are also not part of this programme. 

Please note that all valid submitted reports will be assessed by us. Low-risk vulnerabilities may not be prioritised as we will focus on system vulnerabilities that we, at our sole discretion, deem to have the potential to significantly impact our infrastructure, applications or data. 

Recognition

In recognition of your contribution to our system security, we may, at our sole discretion, in compliance with applicable laws and regulations, and subject to (i) you having submitted your findings on a named basis, (ii) you having given us your prior permission and (iii) the severity of the vulnerability identified, offer public acknowledgment and/or remuneration of your efforts. Please note that any such public acknowledgment and/or remuneration may require you to first enter into a separate written agreement with us including, inter alia, appropriate security and confidentiality obligations.

At Vistra, we believe in collaboration, and ethical researchers are vital to our success in maintaining a secure environment for all.

Legal safe harbour

We value your research and are committed to protecting those who report vulnerabilities to us responsibly and ethically. So long as your actions align with the terms of this programme and applicable laws and regulations, and do not violate our privacy policy, we will not pursue legal action against you for submitting any security findings in respect of our systems to us. 

Modification or cancellation

Please note that we may modify, update and/or cancel (collectively, “changes”) all or any part of the VDP at any point in time without notification and at our sole discretion, and it is your responsibility to check these terms from time to time to determine whether any changes have been made.

Questions or suggestions

We also invite you to contact us at [email protected] with any questions or suggestions for improving our programme.