Superlógica responsible disclosure policy

Helping keep Superlógica safe and secure

The software security research community makes the web a better and safer place. We support your bug-hunting efforts with a responsible bug disclosure policy.

To report a vulnerability, please email us at security@superlogica.com.

Qualifying Vulnerabilities

To be eligible, you must demonstrate a security compromise using a reproducible exploit, including the following:

  • Cross-site scripting exploits
  • Cross-site request forgery exploits
  • Authentication or authorization flaws
  • Server-side code execution bugs
  • Injection flaws
  • Significant security misconfigurations

This program covers domains actively used in delivering the core Superlógica service to customers. Eligible domains are:

  • *.arboimoveis.com.br
  • *.basesoft.com.br
  • *.gruvi.app
  • *.pjbank.com.br
  • *.superlogica.com
  • superlogica.net

For sub-domains which are managed by other service providers, please report issues to their respective security teams.

Exclusions

The following are not eligible:

  • Self-XSS
  • Login/Logout CSRF
  • CSRF configuration issue without exploitable proof of concept
  • Missing security headers which do not directly lead to a vulnerability
  • Vulnerabilities in third-party components, depending on severity and exploitability
  • Rate Limit on emails sent during sign-up, sign-in, and change email confirmations
  • Previous email login links not invalidated in the event multiple login links are requested
  • EXIF not stripped from uploads, unless discoverable outside of the workspace
  • Denial of Service (DOS) and rate limiting issues
  • Bugs requiring exceedingly unlikely user interaction
  • Social engineering attacks
  • Flaws affecting the users of out-of-date browsers and plugins
  • Enumeration or information disclosure of non-sensitive information
  • Enumeration of information within the context of a single workspace
  • Lack of input validation without exploitable proof of concept
  • Email bombing and flooding

Some reported issues may not qualify if they do not present a considerable risk to the business.

Rules for You

  • Don’t make the bug public before it has been fixed.
  • Don’t attempt to gain access to another user’s account or data. Use your own test accounts for cross-account testing.
  • Don’t perform any attack that could harm the reliability/integrity of our services or data. DDoS/spam attacks are not allowed.
  • Do not impact other users with your testing, this includes testing for vulnerabilities in accounts you do not own. We may suspend your Superlógica account and ban your IP address if you do so.
  • Don’t use scanners or automated tools to find vulnerabilities. They’re noisy and we may suspend your Superlógica account and ban your IP address.
  • No non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.

Rules for Us

  • We will respond as quickly as possible to your submission.
  • We will keep you updated as we work to fix the bug you submitted.
  • We will not take legal action against you if you play by the rules and act in good faith.

Rewards

We aren't able to offer bounty rewards at this time, but deeply appreciate your contributions.

Thanks for helping us make Superlógica more secure.