Bug Bounty and Responsible Disclosure Program
Our members' security comes first. The MeuPatrocínio bug bounty program invites security researchers from Brazil and around the world to test our systems and report vulnerabilities responsibly.
Valid reports get a fast response and rewards of up to R$ 5,000 (BRL), based on the severity of the flaw.
How to report a vulnerability
Email security@meupatrocinio.com with one report per vulnerability. The more complete the report, the faster the triage. Include:
- Description of the flaw: vulnerability type and where it occurs (URL, endpoint or screen).
- Steps to reproduce: a clear proof of concept (PoC), with requests, payloads or screenshots.
- Impact: what an attacker could do by exploiting the flaw.
Program scope
In scope
www.meupatrocinio.com(marketing site)app.meupatrocinio.com(platform)- Official MeuPatrocínio apps for iOS and Android
- Payment flows, transactional emails and third-party integrations, when the flaw is on our side (MeuPatrocínio configuration, code or flow)
Out of scope
- The vendors' own infrastructure (payment processor, support desk, CDN, email provider). Flaws in those systems should be reported to the vendor
- Any other infrastructure not owned by MeuPatrocínio
- Flaws in third-party software without proven exploitation in our environment
Program rules
For your testing to be considered authorized, follow these rules:
- Only use accounts you created yourself. Never access, modify or download other users' data.
- No denial of service (DoS/DDoS) or tests that degrade the platform.
- Social engineering, phishing and physical attacks against employees or members are forbidden.
- Avoid aggressive automated scanners. Prefer targeted, low-volume testing.
- Do not demand payment to hand over details of the flaw. Extortion disqualifies the report and voids the protection of this policy.
Out-of-scope vulnerabilities
The items below usually do not qualify for a reward, unless they come with proof of real-world impact:
- Self-XSS
- Clickjacking on pages without sensitive actions
- Missing security headers (CSP, HSTS) without an exploitation PoC
- Software version or banner disclosure
- SPF, DKIM and DMARC configuration
- Missing rate limiting without demonstration of relevant abuse
- Generic best-practice findings without a concrete attack scenario
Rewards
Rewards follow the table below. Severity is classified by our security team, using CVSS as a reference. The final amount within each range depends on real impact and report quality.
| Severity | Examples | Reward |
|---|---|---|
| Critical | Remote code execution, access to other members' data, authentication bypass | R$ 2,500 to R$ 5,000 |
| High | SQL injection, stored XSS in a sensitive area, IDOR exposing personal data | R$ 1,000 to R$ 2,500 |
| Medium | CSRF with real impact, reflected XSS, sensitive information leaks | R$ 300 to R$ 1,000 |
| Low | Low-impact flaws with a demonstrated attack scenario | Up to R$ 300 |
When the same flaw is reported by more than one person, the reward goes to the first valid report.
Responsible disclosure and good faith
MeuPatrocínio will not take legal action against researchers who act in good faith, respect the scope and rules on this page and give us reasonable time to fix the issue before any disclosure.
We handle personal data under Brazil's data protection law (LGPD) and the Marco Civil da Internet. If you come across any user data during testing, stop immediately and let us know in your report.
Our commitment to you
- First response: within 3 business days.
- Triage and validation: within 7 business days.
- Follow-up: you receive updates until the fix ships and the reward is decided.
Frequently asked questions
How does the MeuPatrocínio bug bounty program work?
You test the systems listed in the scope, following the rules on this page. When you find a vulnerability, send your report to security@meupatrocinio.com. Our team validates the issue, fixes it and pays the reward according to the severity table, which goes up to R$ 5,000.
Do I need authorization to test the platform?
No. This page is your authorization, as long as you only test in-scope assets, use accounts you created yourself and respect the program rules. Testing outside these conditions is not authorized.
What should I do if I find other users' data?
Stop testing immediately. Do not save, copy or share the data. Describe what happened in your report so our team can investigate. We handle personal data under Brazilian data protection law (LGPD) and expect the same care from researchers.
Can I disclose the vulnerability publicly?
Only after the fix is confirmed and our team authorizes it in writing. Coordinated disclosure protects the platform's members while the issue is being resolved.