
Security Policy — WiseData Business

2025-12-16
WiseData Business
Tax ID (CNPJ): 53.182.850/0001-14

WiseData Business values information security and encourages responsible disclosure of vulnerabilities identified in its systems. This policy sets out the guidelines for security researchers, partners, and third parties who wish to report potential security flaws in an ethical and responsible manner.

1. Scope

This policy applies to all public systems, applications, APIs, portals, and infrastructure operated by WiseData Business, including, but not limited to:

  • Balancinho
  • WiseData Agency
  • WiseData Tools
  • Emissor NFS-e Goiânia
  • WiseData Agro
  • WiseData Partner Portal
  • WiseData Administration
  • APIs, subdomains, frontends (SPA) and associated backends

Any public system or subdomain under WiseData Business control is automatically included in this scope, unless explicitly stated otherwise.

2. Official reporting channel

Every vulnerability must be reported exclusively through the official channel below:

E-mail: security@wisedatabusiness.com

Reports should include, whenever possible:

  • Clear description of the vulnerability
  • Affected system or URL
  • Steps to reproduce (proof of concept)
  • Potential impact
  • Technical evidence (without sensitive data)

3. Permitted testing

WiseData Business authorizes good-faith security testing, provided the limits of this policy are fully respected.

The following are permitted:

  • Low-impact manual or automated testing
  • Verification of common vulnerabilities, including:
      • OWASP Top 10
      • SQL Injection
      • XSS
      • CSRF
      • IDOR
      • Broken Access Control
      • Authentication and Authorization flaws
      • CORS misconfiguration
      • Open Redirect
      • Mass Assignment
  • Low-intensity rate limit testing
  • Tests performed exclusively on accounts owned and controlled by the researcher
  • Proof of concept demonstrations that do not involve data exfiltration, persistence, or continuous exploitation

📌 Fundamental rule:
Identify, prove, and stop testing immediately.

4. Expressly prohibited testing

The items below are not authorized under any circumstances, regardless of intent:

  • Denial-of-service attacks (DoS / DDoS / stress testing)
  • Aggressive or automated scans that affect stability
  • Real brute force attempts (login, tokens, API keys, OTP, etc.)
  • Accessing, viewing, modifying, or deleting other users' data
  • Any form of real financial exploitation:
      • Generating charges
      • PIX transfers
      • Payments, refunds, or simulations resulting in real transactions
  • Social engineering, phishing, or credential harvesting
  • Uploading or executing malware, ransomware, or destructive code
  • Exploiting internal infrastructure (databases, queues, caches, containers, orchestration)
  • Persistence attempts, backdoors, or continuous escalation
  • Physical attacks or attacks against third-party partners
  • Public disclosure of the vulnerability prior to remediation

Any activity outside these limits will be treated as misuse or attack attempt, subject to applicable legal measures.

5. Responsible Disclosure

WiseData Business adopts the principle of responsible disclosure and expects researchers to:

  • Not exploit the vulnerability beyond what is needed to prove it
  • Not share information with third parties
  • Not publish details without prior authorization
  • Wait for remediation before any public disclosure

The company commits to:

  • Acknowledge receipt of the report
  • Assess the vulnerability within a reasonable timeframe
  • Handle the incident according to its criticality

6. Safe Harbor (conditional legal protection)

Researchers who:

  • Act in good faith
  • Fully respect this policy
  • Do not cause operational, financial, or legal harm
  • Report the flaw responsibly

will not be subject to legal action by WiseData Business for security research activities carried out within these limits.

This protection does not apply to prohibited, negligent, or malicious activities.

7. Rewards

WiseData Business does not currently maintain a public bug bounty program and does not guarantee any form of financial reward for vulnerability reports.

Relevant and well-documented reports may, at the company's sole discretion, be acknowledged institutionally.

8. Updates to this policy

This policy may be changed at any time, without prior notice.

The most current version will always be available at the official address provided in the security.txt files of WiseData systems.

9. Final considerations

The security of WiseData systems is a priority. Responsible collaboration from researchers helps build a safer, more reliable, and more resilient ecosystem for all users and partners.
