This Disclosure Policy is an integral part of the General Terms and Conditions and will be understood for all purposes as an annex. It applies to all users of CyScope through the website and its services.

By registering on the website, the User agrees to comply with all applicable national and international laws, statutes, ordinances and regulations regarding the use of the platform and authorizes CyScope to investigate complaints or violations, to take the necessary measures indicated in the General Terms and Conditions and in the Annex of ranking and sanctions and to inform the legal entities in case of detecting any illegal activity.

Both the contents and the elements that compose the Website (including, without limitation, trademarks, logos, trade names, texts, images, graphics, designs, databases, software, flowcharts, presentations, “look-feel and -presentations” , audio and video), are protected by rights of the intellectual and industrial property owned by CyScope.


The User is totally prohibited from any type of exploitation, commercial use, alteration, reproduction, redistribution, assignment to third parties, total or partial public communication, of the Website and / or its Contents, without the prior and express written authorization of CyScope or the respective rights holders. The user status of the website does not grant property rights of any kind in the website.

The clauses of General terms and conditions, as well as their respective annexes, do not generate and cannot be interpreted as an exclusive relationship between CyScope and the User of the platform.


The parties declare that there is no agency or partnership between them by virtue of this Contract.

The acceptance of the General terms and conditions, as well as their respective annexes, does not generate any employment relationship, nor a bond of subordination or dependency, so that CyScope can not be considered as an employer and hackers are not dependent workers.


CyScope does not contract any obligation for the payment of remuneration, wages, salaries, allowances, bonuses, social security and / or health contributions, compensation or other labor, assistance, social security and risk prevention obligations other than the consideration for the management in charge. The payment of the reward is the only responsibility assumed by CyScope in addition to providing the digital space to detect vulnerabilities in systems. As a consequence of the foregoing CyScope does not assume any responsibility for any accident, illness or impediment that the User may suffer in compliance with the vulnerability detection commissioned.


If the Hacker performs dual paid activity, they are responsible for managing labor compliance with their employer and their obligations through CyScope.

To report a vulnerability, the Hacker, validly registered, must complete the vulnerability report available on the CyScope platform, associated with the security program in which they are participating. Vulnerabilities that have not been reported in the CyScope platform will not be accepted or rewarded.


To be valid, the report must meet the following requirements:

  • Be aligned with the rules of the program specified by the Company.
  • Be within the scope of work defined by the Company.
  • Include a clear, detailed, concise and illustrated description of the vulnerability, the affected system, its impact, level of risk, parameters and a relevant proof of concept. Proofs of concept can be through screenshots or videos. In the case of a video, its size should not exceed 50 MB.
  • Include clear and detailed information such as the different steps to follow to reproduce the exploitation of the vulnerability.


If the program administrator team requires additional information regarding a report, it will contact the hacker through the official communication channels of CyScope, that is, via email or through the program’s chat. The hacker will be able to comment on their report using the same official channels.


If the additional information required by the program management team is not provided within a maximum period of 10 days, the report will be closed and considered invalid.


Incomplete reports do not comply with the disclosure policy of CyScope and will not be accepted by the program administrator team, notwithstanding the foregoing, they are not exempted from compliance with the confidentiality obligations and others established in the General terms and conditions and other Annexes.


Reported vulnerabilities, which are outside the scope of the program, will not be analyzed or rewarded.

The hacker declares to have read, understood and accept that performing any actions on the following list is NOT allowed:

  • Performing tests on the Company’s system in an uncontrolled manner, affecting the availability, confidentiality and integrity of the Company’s data.
  • Providing information related to the program and the results obtained to third parties that are not directly involved in the program or its management (Program company or team administrator of CyScope).
  • Disclosing a vulnerability without the written authorization of the Company and of CyScope.
  • Disclosing a vulnerability to third parties, by any means, even when it has been validated and mitigated by the Company.
  • Make changes in the evaluated system and share access to the system with third parties.
  • Performing brute force, social engineering, physical intrusion and spam attacks.
  • Integrating the use of malware in the tests.
  • Uploading vulnerabilities or content related to the Company to any third-party service (for example, Github, YouTube etc.).
  • Harming the Company through unscheduled or agreed activities.
  • Exploit access to systems, accounts, users or user data obtained by the hacker. In this case, the Hacker must stop their tests and prepare a report to notify the Company. The hacker will not be able to investigate further using this weakness.
  • Using informal and inappropriate language when writing the vulnerability report.
  • Violating the confidentiality rules.
  • Performing DoS or DDoS attacks without having received prior written authorization from CyScope and the Company. If the hacker suspects that an asset is vulnerable to an application layer DoS, they should contact the administrator team at CyScope to ask the Company for permission before testing.
  • Error pages 500, 404, etc.
  • Clickjacking.
  • UUID enumeration.
  • CSV injection.
  • Cross Site Request Forgery (CSRF) with limited impact.
  • Reports of SSL / TLS scans.
  • Speculative reports with theoretical impact without proof of concept.
  • Reports of automated scans without manual validation.
  • Extraction of the system version.
  • Debug errors or system path disclosure (Path disclosure).
  • Social engineering tests.
  • Absence of security headers.
  • DoS and stress tests in general that impact the performance of the application / Server.

CyScope reserves the right to change, add or remove parts of the Disclosure Policy, at any time, by making the update date public on the Website. It is the User’s responsibility to periodically review the Disclosure Policy when using the website and its services. The User acknowledges and accepts that it is their responsibility to review this privacy policy periodically and become aware of the modifications.

The User, declares to have read, understood and accept all the conditions established in the General Terms and Conditions and in the Disclosure Policy, prior to their registration as a User of CyScope.

Your continued use of the Site after the posting of changes to this policy will consider your acceptance of those changes.

If you have any questions about this Disclosure Policy, site practices, or your dealings with this site, please contact the CySCope administrator team: [email protected]