# Brand Promise
Inter & Co. VDP looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
# Scope
This policy applies to any digital assets owned, operated, or maintained by Inter & Co. VDP, including public-facing websites.
# Out of Scope
- Any activity that could lead to the disruption of our service (DoS, DDoS).
- Social engineering of our employees or contractors, unless explicitly authorized.
- Attacks against our physical facilities, unless explicitly authorized.
- Attacks requiring physical access to a user's device, unless the device is in-scope and explicitly hardened against physical access.
- Attacks that require disabling Man-in-the-Middle (MITM) protections.
- Attacks only affecting obsolete browsers or operating systems.
- Missing best practices (SSL/TLS configuration, Content Security Policies, cookie flags, tabnabbing, autocomplete attribute, email SPF/DKIM/DMARC records), unless a significant impact can be demonstrated.
- Clickjacking or Cross-Site Request Forgery (CSRF) on unauthenticated pages / forms with no sensitive actions.
- Open redirects, unless a significant impact can be demonstrated.
- Self-exploitation (self XSS, self denial-of-service, etc.), unless a method to attack a different user can be demonstrated.
- Content spoofing, text injection and CSV injection, unless a significant impact can be demonstrated.
- Software version disclosure / Banner identification issues / Descriptive error messages or stack traces.
- Issues that require unlikely user interaction by the victim.
# Disclosure Policies
- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- Follow HackerOne's disclosure guidelines.
# Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Thank you for helping keep Inter & Co. VDP and our users safe!