EBANX Compliance and Legal Hub

EBANX Terms & Conditions

Responsible Security Vulnerability Disclosure Policy

Updated on October 18th, 2022.

Information security is taken very seriously at EBANX, which is why we are committed to adhering to the industry's best practices and regularly undergoing the scrutiny of both internal and external audits to ensure we are capable of protecting ourselves, our merchants, partners, and customers from any associated risk.

EBANX also acknowledges the positive impact that responsible security research can have on our services and the important role that the external security community plays in it. That's why we count on an external bug bounty program. Hackaflag is an external program that allows researchers to report security flaws in EBANX and in the companies in its economic group systems.

Each vulnerability reported to the Cyber Security Team will be analyzed for validity and complexity, and issued a score that reflects on a bounty.

If, despite our best efforts, you believe to have found a security issue within our APIs, systems, plugins, SDKs, platforms and/or applications, please subscribe to hackaflag.com.br and provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC), and any other information you deem necessary to reproduce or to access the impact of the vulnerability.

In addition, we explicitly ask researchers to refrain from:

  • Anything that could possibly degrade the availability of our services (e.g. denial of service attacks);
  • Spamming;
  • Impersonation and other social engineering attacks (including phishing) to our employees, merchants, partners and/or customers;
  • Physical security attacks;
  • Data privacy violations;
  • Modification of any data;
  • Publicly disclosing an issue before we get a chance to address it within a reasonable amount of time;
  • Any lateral movement and post-exploitation past the initial exploitation


Please subscribe to hackaflag and send your report. By following the guidelines above, we commit to not taking legal action against you or seeking the involvement of law enforcement.