1. Introduction

Bug Hunt Plataforma de Recompensa T.I. S.A. ("BugHunt") owns a Bug Bounty platform ("Platform"), which enables intermediation between clients, institutions holding cyber systems ("Clients") and cyber experts ( "Experts"). The Platform allows Clients to make a reward proposal (hereinafter referred to as "Programs") to be paid to duly registered and approved Experts who seek, report and/or correct vulnerabilities in such systems.

It is important to emphasize that BugHunt does not have any influence on the rules of the Programs, as these are the sole and exclusive responsibility of the Customers. In this context, BugHunt acts as an intermediary between Experts and Customers, functioning as an ecosystem where these two actors can act.

In any case, in order to build a reliable reputation and a suitable environment for the activities of Clients and Experts, BugHunt understands that it is necessary to define and disclose clear ethical principles and conduct in accordance with applicable legislation, the be followed by all Specialists and Clients who, in any way, participate or integrate the Platform.

With this in mind, BugHunt developed this Code of Conduct ("Code"), which brings together the main behavioral guidelines that Customers and, mainly, Experts must demonstrate to conduct activities on the Platform, as well as the relationships and interactions between them and BugHunt.

More than a standard, this Code presents the conduct, commitment and best practices adopted by BugHunt to guarantee a harmonious coexistence within the community of Experts on the Platform.

This Code must be read and interpreted in conjunction with BugHunt's other internal policies (together, "BugHunt Policies"), accessible through the electronic address https://www.bughunt.com.br/.

In addition, a Program may include additional rules of Specialist involvement or conduct, as well as applicable sanctions. Therefore, Specialists must also adhere to the Program's policies before joining it.

2. Membership

By participating or joining the Platform, Experts agree with all provisions contained in this Code and the BugHunt Policies, further agreeing to follow them fully, under penalty of exclusion from the Platform, without prejudice to the adoption of measures that BugHunt deems applicable.

3. Values

Values ​​are fundamentals, rules and basic concepts that need to be present in the essence of anyone who wishes to maintain a relationship with BugHunt and, consequently, act on the Platform.

The standards of conduct to be observed by Experts and Clients are as follows:

• a. Performance based on credibility, confidentiality, respect, ethics, impartiality, honesty and professionalism;
• b. Defense of equal opportunity and a work environment free from any type of discrimination and harassment;
• c. Adherence to applicable legislation; and
• d. Constructive, transparent and open dialogue.

4. Rules of Conduct for Experts

It is essential that the attitudes and behaviors developed on the Platform are consistent with the standards defined in this Code, so that Specialists are not negligent or complicit in reprehensible and unethical attitudes. To this end, Specialists must observe the following conduct:

• a. Act with honor and character, observing the highest standards of integrity and fair dealing, repudiating any form of corruption;
• b. Present professional conduct with competence and diligence;
• c. Cooperate and develop good relationships with Customers, partners, suppliers, regulatory bodies and society in general;
• d. Pay attention to the Clients’ objectives;
• e. Maintain professional secrecy;
• f. Refrain from public comments about Customers; and
• g. Observe the rules and policies of the Programs.

The following are considered unacceptable conduct, among others:

• a. Hide errors, erase or tamper with documents, records or even create false records to mislead other people into incorrect understandings;
• b. Use your position, function or information to influence decisions that may favor your own interests or those of third parties;
• c. Carrying out illegal or corruptive acts of any nature;
• d. Publicly speak out on behalf of BugHunt or Customers, without prior authorization;
• e. Make a derogatory statement that affects BugHunt's reputation;
• f. Represent or speak on behalf of BugHunt on the internet, unless expressly authorized;
• g. Using the BugHunt or Customer logo without authorization;
• h. Express opinions, imply or imply that you express BugHunt's official positions;
• i. Practice, induce or incite discrimination or prejudice based on race, color, ethnicity, religion or national origin;
• j. Disclose or share images, videos or internal information from BugHunt and/or Customers that have not been disclosed on official channels;
• k. Make, on the internet (and elsewhere), offensive, defamatory, slanderous and prejudiced comments towards any Customer or BugHunt; and
• l. Publish information about Customers, partners and suppliers, in any medium.

5. Fences

Without prejudice to the other prohibitions provided for in this BugHunt Code and Policies, Specialists may not perform the following acts:

• a. Insecure Tests

  Experts must not carry out unsafe tests without prior authorization. This includes (but is not limited to): exploiting a vulnerability beyond what is necessary to show the impact (i.e. accessing excessive amounts of internal customer information, dumping a database, etc.), gaining access to and using accounts or credentials tests not approved by Program policy, altering production or database information or causing a denial of service, or otherwise impacting the stability of Customer's systems outside of said Program's testing policies.

b. Social Engineering

Experts must not perform social engineering testing without prior authorization, social engineer another party through the impersonation of a BugHunt employee, another Expert, or a member of the Program or security team.

c. Use of illegal or counterfeit software

Experts are solely responsible for the tools they use, which must be legal and acquired legally. If it is brought to BugHunt's attention that illegal or counterfeit software has been used, BugHunt will be required to take appropriate action, including possible sanctions under this Code.

d. Extortion

Attempts to obtain rewards, money or services through acts of threat or coercion are prohibited.

e. Circumventing a ban

Experts will not be able to circumvent a Program or Platform ban by creating new accounts. Doing so will result in an immediate and permanent ban from the Platform.

f. Use of unofficial communication channels

Only the use of approved communication channels is permitted to discuss vulnerabilities detected by Experts, in this case the Platform. Unless the Program has intentionally provided an alternative contact method in its Program policy, contacting security teams “out of band” about reports submitted on the BugHunt platform is a violation of this Code.

6. Disclosure Guidelines

For the purposes of this Code, the following are characterized as confidential ("Confidential Information"): any documents, emails, methodologies, techniques or procedures, commercial secrets, software, systems, know-how, technologies, as well as information (written or verbal) and data relating to BugHunt, Customers and their Programs.

Except with prior authorization, the Specialists are obliged to maintain the strictest confidentiality of the Confidential Information that they may have access to as a result of their relationship with BugHunt and the Clients.

Confidential Information provided or received may give rise to legal and regulatory obligations of non-disclosure and use only for the purpose for which it was provided.

7. Sanctions

A Specialist who fails to comply with this Code will be subject to suspension or exclusion from the Platform, without prejudice to applicable legal measures (civil and criminal).

A Specialist who deliberately fails to report violations of this Code or omits relevant information will also be subject to the disciplinary measures mentioned above.