Security and Vivaldi

At Vivaldi, we strive to ensure that you are protected as much as possible, so that you can enjoy the freedom of browsing in confidence.

Vivaldi Security Group

The Vivaldi Security Group is a team that works to ensure the security of the products and services offered by Vivaldi. The team deals with incoming security reports, communicates with researchers, and also does proactive security research when new features and services are being developed, or whenever new security risks are identified. Each time a new technology is being considered or implemented, the Security Group will investigate the technology to check for potential weaknesses, to see if any protections are required before it can be implemented.

If new issues are discovered after the initial release, fixes are prepared for the issues, and released to protect users. We aim to release security fixes as soon as possible after issues have been discovered.

 

How to report security issues to us

If you have discovered an exploitable security vulnerability in any of our products or services, please contact us confidentially by filing a bug report. We will investigate the problem, and let you know the results of our investigation. If the issue is found to be exploitable, we will keep you informed of our plans to release any fixes for that issue. Please ensure that you supply a valid email address with your report, so that we can discuss the issue with you or request further details as needed.

When an issue report is received, it is treated with the highest priority, and we aim to contact you at the earliest possible opportunity. Note that responses may take longer at weekends or during national holidays, or at particularly busy times.

 

Responsible disclosure

When a researcher or research team discovers an issue in our products or services, we ask them not to disclose this to others (except in the case of using an information security communication agency to provide translations), but instead to disclose it confidentially to us. We ask to be given the time necessary so that the issue can be investigated, a fix can be prepared, and the fix can be delivered to our users in a stable software release, in order to protect users from abuse. After we (and any other affected vendors) have released a stable fix to users, the researcher may then announce their research and discovery, if they wish. This is known as responsible disclosure.

We aim to fix reported issues in a timely manner. The exact amount of time needed may vary depending on the cause and complexity of the issue, and whether other vendors are also affected. We will keep you informed of our progress, and let you know our plans as soon as we can. A disclosure date will be agreed on a case-by-case basis.

Vivaldi Technologies is registered in Norway, and Norwegian law follows EU GDPR regulations, which relate to private data on our servers. In cases where private data on our servers is compromised, we may be required by those regulations to disclose some details of a breach before we have been able to prepare and release a fix. In these cases, we ask that researchers continue to keep the details confidential until the fix has been prepared and released.

 

How we credit security researchers

We offer researchers written credit in our Hall Of Fame in exchange for responsibly disclosing issues in our software to us. Researchers are normally offered credit by name, using the name of the researcher that discovers and reports the issue to us, optionally also with the research team name if there is one. If the issue affects a product that is delivered to users, the changelog will normally also mention the issue, and credit the researcher in the same way.

If multiple researchers all independently discover the same issue and responsibly disclose it to us before it has been fixed, then we would normally only be able to credit the first researcher. However, we may credit each researcher in cases where they have made significant individual effort that warrants a separate reward. If we suspect that independent researchers have revealed the details of the issue to each other so that they each may try to gain credit, then we will normally not credit any researcher, since this would not be responsible disclosure.

 

When other vendors have similar issues

If we discover that products made by other vendors also have similar issues, we may suggest that the researcher contacts those other vendors, or we may contact the other vendors on their behalf if they have not already been contacted. Vendors will normally coordinate the release of their fixes when this happens.

If an issue affects multiple vendors independently, we will normally wait for all vendors to have delivered their own stable fixes before announcing our own fix and crediting the researcher. Web browser vendors typically operate in this way to ensure that the users of all products are protected before disclosure.

 

Open source projects

Several of our browser products use parts of open source projects like Chromium. If an issue affects that open source project, it may also affect Vivaldi. In these cases, we encourage researchers to report it to the open source project directly, so that it can be fixed by members of that project, and the researcher can be correctly credited. External projects like Chromium can offer researcher credit for issues that are discovered in that project. We can only offer researcher credit for issues that are discovered in software that we produce ourselves. If you are unsure whether an issue affects parts of the software produced by us or an external project, or whether our software has an unrelated but similar issue to the external project, please report it to us, so that we can investigate.

Issues in an open source project will be dealt with by that project according to their own policies, and you should contact them for further details if needed. Any fixes will be inherited by our products when they are released by the open source project.