> bounty_matrix

Reward Structure

Rewards are determined by technical severity, real-world impact, exploitability and report quality. CVSS may be used as a reference, but the final decision is made by the ESC Security Team.

Severity | Examples | Reward (BRL)

Critical
  • Remote Code Execution (RCE)
  • Full authentication bypass
  • Complete tenant compromise
  • Mass exfiltration of sensitive data
  • Privilege escalation to admin/root
Reward: R$ 5.000 – R$ 20.000

High
  • SQL Injection
  • SSRF with internal impact
  • XXE with read access to sensitive files
  • Relevant horizontal privilege escalation
  • IDOR with access to private data
Reward: R$ 2.000 – R$ 6.000

Medium
  • Stored XSS
  • CSRF on sensitive functions
  • Exploitable business logic flaw
  • Relevant rate limit bypass
Reward: R$ 800 – R$ 2.000

Low
  • Reflected XSS
  • Minor information disclosure
  • Exploitable misconfiguration
Reward: R$ 300 – R$ 800

Informational
  • Best practices not followed
  • Missing security headers
  • Version disclosure without impact
Reward: Hall of Fame

> reward_multipliers

  • + First valid report (+ up to 50%)
  • + Vulnerability chaining
  • + High impact across tenants
  • + Exceptional documentation (clear PoC)
  • + Low attack complexity

> disqualifiers

  • - Duplicate report
  • - Out of scope asset
  • - Policy violation
  • - No reproducible PoC
  • - Automated scan without validation

> payout_process

Payment occurs after validation and remediation confirmation. Standard processing time: up to 30 business days.

Supported methods:

  • • PIX
  • • Bank transfer (TED)
  • • PayPal (international)

All payouts are subject to Brazilian tax regulations. ESC reserves the right to adjust reward values based on risk exposure.