Responsible Disclosure
Thank you for helping keep Eyou customers safe. This policy describes how to report vulnerabilities, what we promise in return, and the program scope.
Found a vulnerability?
Send your finding by email with the subject prefix [SECURITY]. Initial response within 5 business days. Critical issues confirmed within 24h.
Include in your message
The more detail, the faster we reproduce and fix.
What we promise
Initial response
Acknowledgment within 5 business days after report.
Criticals
Critical vulnerabilities confirmed and prioritized within 24h.
Status updates
Written update every 7 days until resolution.
Legal action
Zero legal action against good-faith researchers.
What is covered
Official list of assets we accept reports for. Reports on anything outside this list are forwarded to the vendor or rejected.
In scope
- eyou.com.br · www.eyou.com.br: public marketing site
- authy.eyou.com.br: customer portal
- sms.eyou.com.br: customer SMS panel
Out of scope
- Embedded third-party services (Mercado Pago, reCAPTCHA, OCI managed services): report directly to the vendor
- Social engineering against Eyou employees, third parties or customers: always out of scope
- Volumetric DDoS / DoS: do not test; we have managed OCI mitigation
- Software unpatched for 30+ days: already known to us; not a new report
What is NOT a vulnerability for us
Reports matching these patterns are closed without detailed investigation.
- Missing security header without a demonstrable exploit
- Self-XSS requiring the victim to paste code into their own console
- Reports based only on scanner output without manual validation
- Open redirects without real security impact
- CSV injection in exports the user themselves generated
- Missing SPF/DKIM on domains that do not send email
Hall of Acknowledgments
Researchers who reported valid vulnerabilities, with their consent.
No public acknowledgments yet
Be the first name listed here.
Machine-readable policy file (RFC 9116): /.well-known/security.txt.
Cash bug bounty not yet available — program under evaluation for 2026 H2.