
A Devotion to Security - Responsible Disclosure & Veriff

Data security is paramount to Veriff, and most online companies in the modern age. This is why we want to tell you about our responsible disclosure program - and how you can help us stay secure all day, every day.

Kayla Cannon
June 25, 2020
Blog Post

What is responsible disclosure, why is it crucial to Veriff, and why should you care? That's what we're here to tell you.

Trust is key

In our effort to verify the identities of the world’s honest people, we fight fraud and cyber threats alike. Living in today’s digital society, it’s more important than ever to ensure data privacy. For us that means keeping our users’ data safe, a responsibility we don’t take lightly. Securing our product and the data it processes is an utmost priority, because a breach or leak of identity data can have life-altering consequences for the people affected. We strive to build trusting relationships with customers and users who know we safely handle the data they hold dear. How can we promote trust on the internet if we don’t run a trustworthy service?

Security-wise, our mindset follows the saying “two heads are better than one”. As more researchers test our product, the stronger it becomes. We hope to bring together creative and curious minds to inspect our systems for any underlying weaknesses. That’s where you come in: we encourage you to search for, and report, vulnerabilities under our responsible disclosure program.

Putting the ‘R’ in responsible

If you’re not security-savvy, “responsible disclosure” might sound like legal jargon. Here’s a quick rundown of what it means. Anyone who discovers a vulnerability can either disclose the finding to the public right away or send it privately to the vendor (in this case, us). Private disclosure gives us time to patch the vulnerability before it is mentioned publicly; once it is fixed, the finder is free to write about it. Disclosing privately first is the ethically responsible choice, hence ‘responsible’ disclosure, because a publicly known but unpatched vulnerability leaves our service open to anyone who reads about it.

Service with a smile

It’s understandably frustrating for researchers to reach out to companies with their findings, only to be told that the finding isn’t important enough to fix, or to be ignored entirely. That’s not how disclosures should be handled, as it’s not productive for either party. If you ever submit a vulnerability report to us, rest assured that you will not receive a bland, automated response. One of our team members will look into your findings and respond as soon as they can.

We make a commitment to review every submitted report, no matter the vulnerability disclosed. Our security team will follow the steps you provide to reproduce your results, so the more detailed you are, the better: the affected host or endpoint, the exact steps, a proof of concept, and the impact you observed all help. Once we can confirm the vulnerability exists, we’ll let you know and ask you to give us time to patch it. We will stay in contact with you until your submission is resolved. After we fix the bug, you’re free to publish your findings and you’ll be enshrined in our Hall of Fame.

Fighting the good fight

A massive thank you to those who have already reported vulnerabilities to us. We appreciate the time and effort you've taken. As a researcher, you put yourself at risk when submitting a vulnerability, but we believe you’re doing the right thing. We would like to give you the credit you deserve for your hard work and dedication to fixing security issues, and thus, making the internet a safer place.

If we expect to keep up with the ever-changing threat landscape, we have to keep learning and improving. We learn not only from our own experiences and mistakes, but also from others. As members of the security community, we promote security research and the transfer of knowledge that comes with it. Responsible disclosure offers great value for all involved: vendors get an extra set of eyes on their systems, while researchers get the opportunity to explore and potentially earn some nice rewards.

A call to arms

Our current Responsible Disclosure policy is the beginning of what will become our future bug bounty program. Go ahead and read it to find out what’s in scope, and let us know what you find. Happy hacking!