We take the security of ETP Express seriously. If you discover a security vulnerability, please report it to us responsibly.

Email: security@confenge.com.br

Please include:

• Description: Clear description of the vulnerability
• Steps to Reproduce: Detailed step-by-step instructions to reproduce the issue
• Proof of Concept: PoC code, screenshots, or HTTP requests demonstrating the vulnerability
• Impact Assessment: Your evaluation of the potential impact (data exposure, privilege escalation, etc.)
• Affected Components: Which parts of the system are affected (frontend, backend, API, database)
• Your Contact Information: For acknowledgment and follow-up questions

**Summary:**
[Brief one-line description]

**Vulnerability Type:**
[e.g., SQL Injection, XSS, CSRF, Authentication Bypass]

**Affected Component:**
[e.g., /api/etps/:id endpoint, Login form, etc.]

**Steps to Reproduce:**

1. [Step 1]
2. [Step 2]
3. [Step 3]

**Proof of Concept:**
[Code snippet, HTTP request, or screenshot]

**Impact:**
[What can an attacker achieve? Data breach, account takeover, DoS?]

**Suggested Fix:**
[Optional: Your recommendation for remediation]

**Your Name/Handle:**
[For acknowledgment in Hall of Fame]

We are committed to responding to security reports promptly:

CVSS Calculator: https://www.first.org/cvss/calculator/3.1

We support responsible security research and will not pursue legal action against researchers who:

✅ Test vulnerabilities on your own test accounts or with explicit permission ✅ Report vulnerabilities through the designated channel (security@confenge.com.br) ✅ Provide reasonable time for us to fix the issue before public disclosure ✅ Make a good faith effort to avoid privacy violations, data destruction, and service disruption

❌ Access or modify other users' data without explicit authorization ❌ Perform Denial of Service (DoS) or Distributed DoS (DDoS) attacks ❌ Execute social engineering attacks (phishing, pretexting) against employees or users ❌ Violate any laws or breach any agreements ❌ Publicly disclose the vulnerability before we have issued a fix

If you follow the guidelines above, we commit to:

• Not pursue or support any legal action related to your research
• Work with you to understand and validate the issue
• Acknowledge your contribution publicly (with your permission)
• Keep you informed of our progress toward a fix

We provide security patches for the following versions:

• Production Version: We maintain security patches for the current major version (1.x) deployed on Railway
• End of Life: Versions older than the current major version will not receive security patches
• Update Recommendation: We strongly recommend all users update to the latest version within 30 days of release
• Critical Patches: For CRITICAL vulnerabilities, we may backport patches to the previous minor version (e.g., 1.1.x → 1.0.x) at our discretion

We publicly acknowledge security researchers who help us improve ETP Express security:

Awaiting first security report! Be the first to contribute.

1. Report a valid security vulnerability via security@confenge.com.br
2. Follow responsible disclosure guidelines (Safe Harbor section)
3. Provide your preferred name/handle for acknowledgment
4. We will add your name here after the vulnerability is fixed and disclosed

Note: Hall of Fame listing is at our discretion and depends on the severity and impact of the reported vulnerability. Duplicate reports may not be listed.

• OWASP Top 10 (2023): https://owasp.org/Top10/
• LGPD Compliance: See docs/LGPD_*.md for our Brazilian data protection compliance
• Security Awareness Guide: See docs/SECURITY_AWARENESS_GUIDE.md (internal)
• Vulnerability Triage Process: See docs/SECURITY_TRIAGE_PROCESS.md (internal)

• Security Email: security@confenge.com.br
• General Support: Via GitHub Issues (for non-security bugs)
• GitHub Security Advisories: https://github.com/tjsasakifln/etp-express/security/advisories

Last Updated: 2025-11-26 Policy Version: 1.0.0

Thank you for helping keep ETP Express and our users safe!