Vulnerability Disclosure Program


Recognizing the importance of the contribution of the information security research community to enhance and foster the exponential growth of its products and systems with maturity, Zup has a communication channel where external researchers worldwide can submit reports highlighting any vulnerabilities found in our systems, environments, products, and services.

If YOU are a security researcher and have found vulnerability(ies), Zup wants to hear from you. Contact us through the link

But beware! Zup takes information security and data handling from our services, products, and clients very seriously. Therefore, by contacting Zup to report any vulnerability you believe you have found, YOU acknowledge that you have read and agreed to all the terms described here.


Vulnerability Disclosure

Version 1.0 (12/23/2022)

Terms and Conditions for Responsible Disclosure of Vulnerabilities by Zup


For the preparation of the vulnerability report, YOU:

1.1. Assume the responsibility to act in good faith and ethically towards the global information security community and Zup. Therefore, YOU affirm that you conduct your flaw/vulnerability research and report it responsibly, maintaining absolute confidentiality regarding any information you have about Zup, its products, clients, services, and the discovered vulnerability. This is why you agree to the confidentiality and personal data processing agreement described in clauses 1.14 and 2 of this term.

1.2. Acknowledge that the preparation and submission of the report occurred voluntarily and was not requested, induced, or contracted in any way by ZUP.

1.3. Attest that, for preparing the report and/or identifying the vulnerability, you did not violate any applicable laws, including local laws of the country, region, and state where you reside.

1.4. Did not use any mechanisms and/or methodologies below and/or presented a report with:

  • vulnerabilities requiring social engineering or phishing;
  • denial-of-service attacks (DDOS);
  • copied, decompiled, reverse-engineered, disassembled, attempted to derive the source code, decrypted, modified, and/or created derivative works of such software;
  • hypothetical issues that do not have practical effects;
  • security vulnerabilities in third-party applications and third-party sites integrated with Zup, except the integration itself;
  • output from a scanner or reports generated by a scanner;
  • problems found through automated and unvalidated tests;
  • issues publicly disclosed in internet software within 30 days of its disclosure;
  • injections into the host header without a specific and demonstrable effect;
  • self-XSS, including any payload inserted by the victim;
  • login or logout CSRF.

1.5. You commit not to interrupt Zup’s services, software, and environments for your research. In the event of such a violation, YOU must immediately cease your research and promptly notify Zup with sufficient information for system correction and normalization. Also, indemnify Zup for losses and damages that may occur due to the mentioned violation and/or interruption.

1.6. By submitting the report, YOU grant Zup and its affiliates a non-exclusive, irrevocable, perpetual, royalty-free, sublicensable, intellectual property license for the report and the information contained therein, allowing Zup to, at its sole discretion: (i) use, revise, evaluate, test, and otherwise analyze the report, vulnerabilities, and information described in it and other documents sent; (ii) reproduce, modify, distribute, display publicly, create derivative works of, make, use, sell, offer for sale, and import the report, as well as any related materials/documents/information sent by YOU, for any purpose; and (iii) present the report and all content and documents in connection with it for marketing, promotion of programs (including internal and external sales meetings, conference presentations, exhibitions, and screenshots of the report in press releases) in all media (known at the time or developed later), as well as:

  • 1.6.1. Agree to sign any documentation that may be necessary for Zup, its affiliates, or third parties appointed by it to confirm the rights granted above;
  • 1.6.2. Understand and acknowledge that Zup may have developed or commissioned similar or identical materials to your report, and YOU waive any judicial or extrajudicial claims resulting from these similarities;
  • 1.6.3. Understand that there are no guaranteed remunerations or credits for the use of the report;
  • 1.6.4. Declare and warrant that the report is the result of your own work and research, that you have not used information belonging to third parties or entities, and that you have the legal right to submit it to Zup;
  • 1.6.5. Declare that you are aware that you should not send any documents, information, and reports that you do not wish to license to Zup under the terms described in item 1.6;

    Note: In the context of this Agreement, the report is understood as the notification of the vulnerability and any evidence attached to the process.


1.7. Commit not to interrupt, compromise, or damage data or properties belonging to third parties. This includes attacking any devices or accounts that are not yours (or those for which you have explicit and written permission from their owners).

1.8. Acknowledge that Zup may, at its sole discretion, grant a reward for submitting the report through the company’s internal assessment and on its terms. This may involve public recognition of your contribution unless you explicitly and previously ask us not to include/disclose your name.

  • 1.8.1. If Zup chooses to send you a reward, YOU are aware that this was done out of sheer generosity and, under no circumstances, guarantees YOU the right to demand new rewards for other reports sent;
  • 1.8.2. If the reward received is a cash portion, YOU are responsible for paying all applicable taxes and levies;
  • 1.8.3. In all cases, after Zup grants the reward, YOU give the broadest, shallowest, general, and irrevocable release to claim nothing more for any reason.

1.9. Acknowledge that information about flaws and/or vulnerabilities reported to Zup will be treated/repaired at its sole discretion, and the lack of treatment will not exempt YOU from the obligations assumed in this Agreement, as well as will not result in a new reward if Zup has granted one.

1.10. Acknowledge that there is no form of association, franchise, consortium, joint venture, employment relationship, corporate or solidarity link between YOU and Zup, other than those expressly stated in this document.

1.11. No provision contained in this Agreement guarantees or aims to grant any rights or licenses, implicitly or explicitly, over any trademarks, trade names, designations, symbols, logos, drawings, any other distinctive signs identifying goods or services of ZUP, patents, patentable rights, or copyrights of ZUP, nor any rights over the Confidential Information revealed or developed through it.

1.12. All materials and documents containing the ZUP logo or its identification need prior and express written authorization from ZUP before being disclosed/reproduced, including those that imply the disclosure of the object of this Agreement.

1.13. You are 18 (eighteen) years old or older when submitting the report and accepting this Agreement.

1.14. By registering on the site to submit your report, YOU will send personal data to Zup, and from now on, YOU authorize Zup to collect, maintain, use, process, and share your data, including, among others, names, emails, addresses, accounts, and other information, in accordance with Zup’s Privacy and Personal Data Treatment Policy.

1.15. If one or more provisions of this Agreement are considered invalid, illegal, or unenforceable by any competent authority, the validity, legality, and enforceability of the other provisions of this Agreement will not be affected or impaired for any reason. To the extent permitted by law, the parties agree that the competent authority should reduce the scope of any illegal, invalid, or unenforceable provision to make it reasonable and binding under the applicable circumstances.

1.16. This Agreement and its obligations are established in an unconditional, irrevocable, and unalterable manner, binding the respective parties, their heirs, and successors for any reason. Moreover, it is certain that any change to this Agreement will only be valid if made in writing and signed by the parties.


2.1. Due to access to Zup’s programs, projects, products, services, and/or environments, YOU acknowledge that you may have had contact with confidential information, which includes any information, know-how, and data (whether provisional or definitive), whether legal, technical, commercial, or personal in nature, or of various kinds, including, but not limited to trade secrets; information related to customers and suppliers; current, expired, and/or negotiating contracts; existing or future products; information related to technology; strategy and/or business plans; patents; patent applications; source code; processes; promotional or marketing activities; economic, financial, and accounting information; developed information containing part of another Confidential Information; and related to any other Zup business that, in general, is not known to the public.

2.2. YOU undertake to keep confidential all files, information, data that, directly or indirectly, come to your knowledge due to this Agreement, the preparation of the presented report and/or access to Zup’s environments, software, products, and programs, or through ZUP, whether verbally, in writing, electronically, or by any other means of transmission, from now on collectively referred to as “CONFIDENTIAL INFORMATION,” and cannot share them with third parties and/or disclose them through any communication channel, media, social networks, interviews, among others.

2.3. YOU acknowledge that you cannot share with any third parties the vulnerabilities found, nor can you reproduce, commercialize, disclose by any means copies of the report, and you also cannot disclose externally, without prior written authorization from Zup, whether in interviews, lectures, social networks, resumes, or any other means, the information about Zup obtained/accessed/discovered due to your research and/or preparation of the report, as well as by accessing Zup’s environment/software/programs and/or projects, undertaking to take all appropriate measures to keep confidential and not reveal, in whole or in part, data, information, or documents related to ZUP, responding for the violation of confidentiality or for use for a purpose other than that provided for in the Agreement.

2.4. At the express request of ZUP, all CONFIDENTIAL INFORMATION, as well as the copies generated by YOU, must be returned to ZUP within 48 (forty-eight) hours from the request, or, if instructed in this regard, YOU undertake to destroy entirely the Confidential Information in your possession within the same retroactive period.

2.5. YOU assume the obligation that if required to disclose the Confidential Information by legal order of a competent authority, YOU must immediately notify Zup so that it can take the necessary steps to prevent disclosure. If Zup is unsuccessful in this regard, YOU undertake only to disclose the confidential information strictly requested.

2.6. For the purposes of this Agreement, “Personal Data” means all information accessed or received in any tangible or intangible form concerning, or that personally identifies or makes individuals identifiable. When executing this Agreement, as well as researching/accessing Zup’s environments and programs, involving the collection, access, receipt, processing, transmission, treatment, and/or international transfer of personal data, YOU undertake to:

  • (A) Comply with data privacy laws regarding the processing of personal data covered by this Agreement to the extent applicable;
  • (B) Commit that the data generated in the execution of the activities of this Agreement must remain in Brazilian territory or in locations that have a General Data Protection Law similar to Brazil’s Law No. 13,709;
  • (C) Treat personal data to which you have access exclusively for communicating to Zup about the vulnerability/technical flaw found, without the possibility of using this data for a different purpose;
  • (D) Not disclose to third parties the personal data to which you have had access, except with the prior and express authorization of Zup;
  • (E) Keep absolutely confidential all personal data and information entrusted to you or that you have had access to;
  • (F) Not disclose any kind of security incident, including involving personal data, related to the subject of this Agreement, without express authorization from Zup.
  • (G) Not retain any Personal Data provided by Zup for a period longer than necessary for the execution of the objectives of this Agreement and/or for compliance with your obligations, or as necessary or permitted by applicable law. YOU undertake to securely delete/destroy (confirmed in writing), or return to Zup (when requested), all documents containing personal data that you have had access to during the execution of the objectives of this Agreement, as well as any copies thereof, whether in documentary or magnetic form, unless their maintenance is required or ensured by current legislation.

2.7. YOU may not transfer, in whole or in part, the Personal Data to which you have access to any third parties, even in aggregated and/or anonymous form.


3.1. It is hereby established that in any discussion and/or controversy arising or in connection with this Agreement, the Parties will endeavor to negotiate a friendly settlement. Suppose the negotiation attempt is unsuccessful, in whole or in part. In that case, the Parties elect the jurisdiction of the Judicial District of São Paulo/SP to resolve any remaining disputes, waiving any other jurisdiction, however privileged. It is also established that this Agreement will be governed and interpreted according to applicable Brazilian laws, excluding any others.


4.1. In any dispute, discussion, controversy, or judicial and/or extrajudicial demand arising or in connection with this Agreement, YOU agree that Zup’s total liability will be limited to direct damages proven to have been caused by negligence, up to the full value of U$100.00. Zup, under no circumstances, will be liable for indirect, consequential, special, incidental, moral, punitive, loss of profits, and/or consequential damages.

This website uses cookies to ensure you get the best experience on our website. Learn more.