Itaú Unibanco Vulnerability Disclosure Program
Program Overview
Itaú Unibanco is committed to security, data protection, and information security. This Vulnerability Disclosure Program invites security researchers to responsibly disclose potential vulnerabilities in our systems and applications.
Last updated on October 26, 2024.
Responsible Disclosure Guidelines
Security researchers may disclose potential vulnerabilities in our systems/applications by following these guidelines:
General Requirements
- Do not perform any activity that could cause harm to Itaú, our clients, or our employees
- Do not perform any activity that could stop and/or impact Itaú's applications, services, or assets
- Do not perform any activity that violates any Federal, State, or Municipal Law, as well as guidelines, ordinances, or other manifestations of Regulatory Authorities
- Do not use automatic scanning tools
- Do not act in bad faith by attempting data hijacking or ransom requests
- Do not perform brute force attacks, service disruption, or account compromise
- Do not store, share, compromise, or destroy any data from Itaú Unibanco or any of its clients. If any personally identifiable information is found, immediately stop activities, delete the data from your system, and contact Itaú Unibanco at [email protected]
- Do not initiate any undue financial transactions
- Do not request any type of compensation for the discovery of the potential vulnerability
Reporting Requirements
- Provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the problem, the triage team may not be able to proceed with the submission
- Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact
- When duplicates occur, only the first received report is triaged (provided it can be fully reproduced)
- Multiple vulnerabilities caused by an underlying problem will be treated as one valid report
- Include the X-VDP-H1 header with your HackerOne username in all requests to our applications: X-VDP-H1: username
Confidentiality
By submitting a report, you agree NOT to publicly disclose (and/or discuss) your findings or the content of your submission to third parties in any way without the EXPRESS CONSENT of Itaú Unibanco.
Scope
Testing is authorized only on targets listed in the scope section. Any Itaú domain/property/subdomain/app not listed is explicitly out of scope.
Important: These domains may employ redirects to other domains not in scope. Please ensure your testing is executed only on targets listed as in scope on this page.
Out of Scope
The following vulnerabilities are considered out of scope:
- Physical testing
- Social engineering (cookie theft attempts, fake login pages)
- Phishing
- Denial of service attacks
- Resource exhaustion attacks
- Absence/bypass of payload encryption
- Descriptive error messages (stack traces, application or server errors)
- HTTP 404 or other non-200 HTTP codes/pages
- Banner disclosure on common/public services
- Public file or directory disclosure (robots.txt, etc.)
- Screenshots (foreground or background)
- Clickjacking and issues exploitable only through clickjacking
- CSRF on forms available to anonymous users
- Cross-Site Request Forgery on logout (logout CSRF)
- Browser or application autocomplete/password save functionality
- Missing secure and HTTPOnly cookie flags
- Missing security speedbumps on site exit
- CAPTCHA bypass/weak CAPTCHA
- Username enumeration via login error messages
- Username enumeration via "forgot password" error messages
- Brute force of login or forgot password pages without account lockout
- HTTP OPTIONS/TRACE methods enabled
- SSL attacks (BEAST, BREACH, renegotiation)
- SSL forward secrecy not enabled
- Insecure SSL cipher suites
- Missing X-Content-Type-Options anti-MIME-sniffing header
- Mobile app resilience issues (anti-root, pinning bypass, anti-tampering, emulator detection, anti-debugging, mutual TLS)
- Missing HTTP security headers
- Missing best practices (CSP, tabnabbing, SPF/DKIM/DMARC records) unless significant impact can be demonstrated
- Open redirect unless significant impact can be demonstrated
- Issues requiring unlikely user interaction
Other Out of Scope
This channel should not be used for:
- Comments on Itaú Unibanco's services
- Comments or questions about service accessibility
- Fraud or suspected fraud reports
- ATM issues (unless security-related)
- Virus/malware reports
- Leaked credentials or card numbers
Fraud and Phishing Reports should be made through:
- Fake SMS, pages, and emails: [email protected]
- Leaked credentials or cards: [email protected]
- Other fraud and scams: [email protected]
Submission Process
Vulnerability disclosure must be made exclusively through HackerOne. Itaú commits to the following response times:
| Response Type | Timeline |
|---|---|
| First Response | 2 business days |
| Triage Time | 2 business days |
| Resolution Time | Depends on severity and complexity |
Information to Include
To validate and implement improvements quickly, provide maximum detail:
- A description of the vulnerability, including exploitability and impact
- Steps necessary to exploit the vulnerability, including:
  - Affected URL(s)/application(s)
  - Required preconditions (logged in, not logged in, etc.)
  - How to demonstrate the problem
  - IPs used when the vulnerability was discovered
  - If post-authentication, the user ID used when the vulnerability was discovered
- Proof of concept
- Names of any files submitted to our systems
Failing to include complete information may delay or prevent validation and remediation. Low-relevance and/or informational reports will be deprioritized. Keep all logs, as we may request them.
Rewards
Itaú Unibanco does not have a public bug bounty program and does not provide monetary compensation or any other type of reward for vulnerabilities submitted through this channel.
Safe Harbor and Legal Protection
By responsibly disclosing vulnerabilities according to these guidelines, and provided no incompatibility is found between your actions and applicable local laws, Itaú Unibanco agrees not to take legal action or other measures against the researcher, in accordance with HackerOne's Safe Harbor policy. If a third party initiates legal action against you related to activities conducted in accordance with this policy, we will take measures to make known that your actions were conducted in compliance with this policy.
If irregularities are identified, Itaú Unibanco may pursue applicable measures. Itaú Unibanco may take legal action in case of non-compliance with these guidelines.
This program adheres to Gold Standard Safe Harbor. Additional information: https://hackerone.com/security/safe_harbor
Privacy
Your contact information will be used only to keep you informed about the vulnerability disclosure process and will not be shared with third parties without your explicit permission.
To protect your privacy, we will not:
- Share your personally identifiable information (PII) with third parties
- Share your research without permission
However, this does not apply if we are required by law to disclose information or if we transfer the investigation to a third party. In these cases, we make every effort to keep this information confidential and take responsibility for it.
Effective from December 10, 2021.
We may change the Responsible Vulnerability Disclosure rules from time to time, or we may cancel our program at any time.