VALR’s business has been built with a focus on what is best for our customers. In this regard, VALR is committed to the highest ethical and security standards in order to deliver value to our customers. VALR, therefore, takes the security of our systems, products and services very seriously and we aim to keep our website, mobile application and related software systems safe for everyone to use.
We genuinely value the assistance of security researchers and the security community as a whole in helping us to improve the security of our systems, products and services.
If you discover a security vulnerability in any of our systems, products and services, we encourage you to contact us and disclose the vulnerability to us in accordance with this Responsible Disclosure Policy (“Policy”). Upon receiving security vulnerability reports in accordance with this Policy, VALR commits to:
- Acknowledge receipt of your vulnerability report in a timely manner and respond accordingly;
- Confirm the validity of your report;
- Address and fix the vulnerability as soon as reasonably possible in line with our commitment to the privacy, safety and security of our customers; and
- Notify you when the vulnerability is fixed.
If you wish to report an issue that falls outside of the scope of this Policy (such as suspected fraudulent activity, or a suspicion that your account or login details may have been compromised), please contact our support team here (https://support.valr.com/). Your issue will be investigated immediately.
Reporting a Security Vulnerability
If you suspect that you have found a security vulnerability in our website, applications, systems, products or services, please contact us immediately via email at security@valr.com.
When reporting a security vulnerability, please ensure that you follow the requirements below in order for the report to be adequately considered:
- Include as much information as possible in your report, as we require a way to reproduce the security vulnerability in order to validate and fix it. “Proof-of-Concept” programs, tools, or test accounts that you’ve created are welcome.
- Include the following information:
  - The URL where the vulnerability occurs;
  - If applicable, the parameter where the vulnerability occurs;
  - The type of the vulnerability;
  - Step-by-step instructions on how to reproduce the vulnerability;
  - A demonstration of the vulnerability, by screenshots or video; and
  - If applicable, an attack scenario (an example attack scenario may help demonstrate the risk and get the issue resolved faster).
VALR is particularly interested in the following vulnerabilities:
- Injection vulnerabilities;
- Broken Authentication and Session Management;
- Cross Site Scripting (XSS);
- Remote Code Execution;
- Insecure Direct Object Reference;
- Sensitive Data Exposure;
- Security Misconfiguration;
- Missing Function Level Access Control;
- Directory/Path traversal; and
- Exposed credentials.
By submitting a vulnerability report to VALR:
- You acknowledge that you have read and agreed to the terms and conditions set out in this Policy;
- You hereby grant VALR an irrevocable and transferable right to use, reproduce, copy, modify and otherwise dispose of the report, the content therein and the information related to the security vulnerabilities, as VALR sees fit; and
- You hereby waive any claims of any nature, including implied or express contractual or quasi-contractual rights, arising out of any disclosure within the vulnerability report.
Undertakings and Restrictions
VALR welcomes “white hat” security researchers and appreciates proactive research and responsible disclosures in line with this Policy.
Please note, however, that VALR does not permit you to do or attempt to do any of the following:
- Access, modify or destroy a VALR customer’s account or data;
- Account enumeration using brute-force attacks;
- Interrupt or degrade our Service;
- Execute a “Denial of Service” attack;
- Post, transmit, upload, link to, send or store any malicious software;
- Send any unsolicited or unauthorised mail or messages;
- Violate any applicable law;
- Use social engineering techniques; or
- Perform any testing that would result in any of the above.
Further, you hereby agree to:
- Subject to any applicable legislation, not disclose any security vulnerabilities or sensitive information / data to any third parties without the prior written consent of VALR; and
- Not use any information or content of the vulnerability report for any marketing or financing purpose or as a reference in any personal or professional presentation, documentation or other material, or in any way utilise any VALR related name, logotype or trademark.
Contravening this Policy may result in (i) VALR suspending or terminating your access to VALR’s website, applications, systems, products or services, (ii) contacting the relevant authorities and/or (iii) pursuing any other remedies available to VALR by law.
Indemnity
You hereby fully indemnify VALR, its subsidiaries and affiliates, its directors, officers, employees and agents against any and all claims, damages, liabilities, losses and expenses which arise out of or relate to:
- Any breach of this Policy by yourself;
- Any breach or violation of applicable laws including applicable data protection laws; and
- Any breach of confidentiality and attempt to contact VALR’s customers, users or third parties to inform them of the existence of the vulnerability.
Gratitude
VALR would like to publicly convey our gratitude to persons responsibly submitting security vulnerability reports and assisting VALR in fixing and maintaining its security systems.