Vulnerability Handling Guidelines

The security team called SEGI9 at senhasegura looks for and proactively responds to security vulnerabilities reported in senhasegura products and their components.

This team works with members of the security community, security companies, external security audits, and external customer and end-user security teams.

senhasegura is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity, and mitigation.

Reporting a Potential Security Vulnerability

If you have discovered any potential security vulnerability in a senhasegura product, don't hesitate to contact the SEGi9 team at [email protected]. It is essential to include the following details:

• The products and versions affected
• Date of the last update
• A detailed description of the vulnerability
• Information on how to exploit the reported issue.

Vulnerability information is extremely sensitive. We strongly recommend that you encrypt all security vulnerability reports using the CVE senhasegura PGP key below:

CVE senhasegura PGP key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCfsnxfQiPZxBRHfG55UTX0vY/omPIojBVWQ0C2o0bXDXzUjOj6/8A3sZMRNOIDSTwCmWZxERQ5nmc7cWOF3/i+Pv5fdz8I20a+Mxhs+XoE2SHdOnF5IsRAFrdKObnA/THRZOdHT4aUzsekoDynKlUAmws2Rz3Fz8xx6El4+DJclGPkqd0N/5uTj9DpBt5ywJQS8YBF0Fgp2iCSHJPPymrZC5ZkBHO+WkdJGBjfDFKVdEfeSxiSU/11KQfcpyaMbSqhVb6jOcmb0ENBaKzilObzaRPKrorsw2yTscTebEcmUqqbWRXfEfkWzWEMOZwg/ytC46n6TN+imrWy7XlscOwmlS7CWdLft48TCGX/6zuMNPp/IDAssQa5NOA0i8z9cDKJAyaWoCO9PXHmwSWfeRxcnpuRiw8FE7JVsbMugDN3DMqsyXgT/6/apvais611YZ86ZSDz+na7WYwGWhiKkS8/DvapTnReuPZxTFYts65sGkyLcbWhY7wv7OJBC+raHeEvyac9SdS8uumv7dHyoA6DaQp+JwDhMNXZrcsneRolQ+rjRCpiqrpEB40wyaRrPvC6gADQ1ShL+LGs4jedxhEengOQoMBrwR5HFtJDGriuU7NAtKu2iUsb19psweMmZDBYNfU5uSNf+kpY5Og84v5wLxOc+E2pHo7nwxmZR2UzOQ== [email protected]

Publication of Security Information

The senhasegura publishes one type of security information at the senhasegura Product Security Center.

Security Advisories

Provide information about security vulnerabilities identified with senhasegura products, including fixes, workarounds, or other actions.

Vulnerability Handling Process

Security vulnerabilities in senhasegura products are actively managed through a well-defined process. The time to respond varies based on the scope of the issue. The process consists of 4 key steps reporting, evaluation, solution, and communication. Each step is described below:

Reporting

The process begins when the SEGi9 team becomes aware of a potential security vulnerability in senhasegura products. The reporter receives an acknowledgment and updates throughout the handling process.

Evaluation

The SEGi9 team confirms the potential vulnerability, assesses the risk, determines the impact, and assigns a priority. A special technical squad is created to analyze and fix the issue if the vulnerability is fully or partially confirmed on the stable version. This squad is multipurpose with developers, security analysts, product analysts, and quality analysts.

Solution

After the issue is fixed, the security patch will be inserted into the unstable version and handed over to the quality team to test and approve the modification.

In cases where a vulnerability is being actively exploited with high risk, senhasegura will deliver a patch directly to all versions of senhasegura.

Communication

The senhasegura publishes a security advisory for severe issues. Less severe cases are communicated through other methods. Advisories are posted at the senhasegura Product Security Center and released simultaneously to all customers.

Bug Bounty Program

Our Bug Bounty Program is designed to encourage security researchers, ethical hackers, and technology experts worldwide to collaborate in continuously improving the security of our products and services. We value the security of our users and believe the global community plays a crucial role in identifying vulnerabilities that could compromise the integrity of our systems.

We invite you, as a researcher, to help us find security vulnerabilities in our websites, applications, and security solutions. In return, we offer financial rewards based on the severity and impact of the reported vulnerability.

How it works

1. Potential Vulnerability: Submit a potential vulnerability following the guidelines in “Reporting a Potential Security Vulnerability”.
2. Analysis by Our Security Team: Our security team will carefully analyze each submission. If the issue is validated and considered outside of internal knowledge, it will qualify for a reward.
3. Rewards Based on Severity: The reporter will be rewarded according to the severity classification of the discovered vulnerability.

Classification and Rewards

Low Severity

• Description: Vulnerabilities with limited impact, affecting only a few users or requiring specific conditions to be exploited. These flaws typically do not directly compromise security but may pose minor risks or inconveniences for users.
• Reward: U$ 250,00

Medium Severity

• Description: These vulnerabilities can be exploited under certain conditions and impact confidentiality, integrity, or availability more significantly but do not lead to full compromise of the system or critical data.
• Reward: U$ 500,00

High Severity

• Description: These vulnerabilities represent a critical risk to the system and its users, as they can result in complete control over systems, theft of sensitive data, or severe service disruption.
• Reward: U$ 1.000,00

Terms and Conditions

• Participants must comply with local and international laws.
• The use of exploitation techniques that disrupt services or harm users is prohibited.
• Any action violating our terms of use may disqualify the participant from the program.

We are committed to working together with the security community to ensure our solutions provide the highest level of protection for our clients and users worldwide. Together, we can build a safer digital environment.