Nuuvem's Security Commitment

At Nuuvem, security is the cornerstone of our commitment to customers and partners. We understand that trust is the most valuable currency in the digital world. Therefore, we take a proactive and meticulous approach to security, implementing the best market practices in all aspects of our business.

From the initial development of our systems to the continuous maintenance of our infrastructure, each step is guided by rigorous security protocols. Our developers are trained in the latest techniques of secure coding, and our systems are built to be resilient against the latest threats. We employ continuous security testing and code reviews to ensure that vulnerabilities are identified and quickly corrected.

Hosting of our systems is done in environments that meet the highest security standards, ensuring the integrity and availability of our customers' data. Our infrastructure is designed to be robust and secure, with redundancies and layered protections to defend against a variety of attack vectors.

However, we know that security is a continuous process and that constant innovation is necessary to maintain defense against malicious agents. That is why we are proud to present our Bug Bounty Program, an extension of our commitment to security, where we invite researchers and experts to collaborate with us in identifying and resolving potential vulnerabilities.

Together, we will continue to cultivate an environment where our customers can buy and play with peace of mind, knowing that their security is our top priority.

Nuuvem Bug Bounty Program

We know that, despite our continuous efforts to ensure the integrity of our systems, no security is infallible. That's why we are launching our Bug Bounty Program - an initiative aimed at further strengthening our digital security through collaboration with the security research and programming community.

We are excited to invite researchers and programmers to participate in our Bug Bounty Program, designed to identify and fix vulnerabilities that may affect the security and privacy of our users.

How It Works

Our program rewards researchers and programmers who identify and responsibly report vulnerabilities in our systems. If you find a security flaw in our systems, we want to hear about it so that we can act quickly to fix the problem.

By submitting your information about the security flaw and the suggested fix, you are agreeing to grant Nuuvem the right to use the information and the fix. The financial consideration derived from this right to use is the reward that will be paid to you in accordance with this policy.

Eligible Systems

It is important to highlight that the Nuuvem Bug Bounty Program focuses exclusively on systems internally developed by the company. In the case of Nuuvem systems available via the Internet, they will be available on the following domains:

  • nuuvem.com
  • nuuvem.com.br
  • nuuvem.co
  • nuuvem.host
  • nuuvem.dev
  • nuuvem.net
  • nuuvem.games
  • nuuvem.io
  • n-arcade.io

Rewards may only be offered for vulnerabilities identified in these systems. However, we value the security of all systems operated by us, including those of third parties or open source. We appreciate the community for reporting any found flaws and commit to forwarding this information to relevant parties so that the necessary measures can be taken. Collaboration from everyone is essential to maintain a secure digital environment.

Vulnerabilities in software of electronic games marketed through Nuuvem platforms are not part of the scope of the Bug Bounty Program. These vulnerabilities involve software that is owned by Publishers and for this reason, they are not included in this rewards program.

Security flaws reported by different individuals will entitle the person who first informed Nuuvem about the security flaw to the reward.

Rewards

We understand that discovering vulnerabilities requires a specialized set of skills and a significant investment of time and effort. That's why we offer a rewards system with different levels, based on the severity and impact of the reported vulnerability.

After the validation of the vulnerability by our security team, we will determine the reward value based on criteria such as impact, ease of exploitation, and the quality and detail of the report provided.

The reward levels are as follows:

1. Critical: Vulnerabilities allowing remote code execution, access to sensitive system data, or directly affecting the integrity and availability of our services.
   - Reward: $1500 - $5000 USD

2. High: Issues significantly affecting the security of our systems but not classified as critical, such as local privilege escalation or security flaws in authentication processes.
   - Reward: $600 - $1499 USD

3. Medium: Vulnerabilities requiring user interaction to be exploited or having a moderate impact on the confidentiality, integrity, or availability of our services.
   - Reward: $300 - $599 USD

4. Low: Issues with limited impact and less severity, such as information leaks affecting a small number of users or issues requiring complex interactions to be exploited.
   - Reward: $100 - $299 USD

5. Informative: Reports providing useful information but not representing a direct vulnerability or an immediate security threat. These findings are valuable for future improvements.
   - Reward: Recognition or non-monetary rewards (e.g. acknowledgments, company memorabilia, etc.)

It is important to emphasize that the values above are gross amounts. This means that, before the payment is made to the recipient, discounts related to fees and/or taxes may be applied as required by the current legislation or the policies of the paying institution. Therefore, the net amount received may be less than the gross amount originally disclosed, as it will be adjusted to reflect these mandatory deductions. It is recommended that recipients find out about the possible applicable withholdings to have an accurate expectation of the amount they will actually receive.

Please also note that not all reported vulnerabilities will be eligible for a monetary reward. The eligibility and the level of the reward are determined by our security team based on the severity, impact, and originality of the report. Previously known vulnerabilities, duplicates, or those that do not have a significant impact may not receive a monetary reward, but we still value and appreciate all submitted reports.

Regardless of what we explain in the Payment Options for Rewards section below (and the options for receiving the rewards that we mention), we will explain the criteria for payment in dollars, reais, or in the local currency of the country where the beneficiary resides.

Amounts expressed in dollars will be paid to beneficiaries residing in Brazil through their conversion to the Real, according to the exchange rate in force on the date of payment.

Amounts will be paid in dollars for benefits located in the United States or in countries that accept the US dollar as a payment currency.
For beneficiaries located abroad, in countries where the US dollar is not an accepted currency, Nuuvem will make a dollar transfer to the beneficiary, with the conversion and receipt in the local currency as permitted in the beneficiary's country and the practice of the chosen financial institution.

Important Note: The final decision on the vulnerability classification and the reward granted is at the sole discretion of Nuuvem. We reserve the right to decide whether a report qualifies for a reward and, if so, what level of reward is appropriate.

Payment Options for Rewards

To ensure that the reward process is as efficient and gratifying as possible, we have established flexible payment methods for those who successfully report vulnerabilities.

Rewards for accepted vulnerability reports are paid as follows:

1. International Bank Transfer: For those who prefer a direct transaction, we offer payments via international bank transfer. This option allows the reward to be deposited directly into the researcher's bank account, regardless of their location in the world.

Important Note: This type of payment is subject to our ability to operate within the tax, legal, and operational parameters established by each country or region. Although in general, we may be able to serve the vast majority of countries and territories, there are cases in which restrictions may prevent us from making such transfers. If you have any questions about the possibility of receiving payments in your place of residence, please contact us to verify feasibility.

2. PayPal: Recognizing the convenience and scope of PayPal, we also provide the option to receive payments through this service. It is a secure and reliable alternative for international money transfers.

Important Note: Similar to bank transfers, this type of payment is also subject to our tax, legal, and operational ability and also to PayPal usage limits. Again, if in doubt, please contact us.

In addition to these monetary options, we offer an attractive alternative for those who are enthusiasts of our e-commerce:

3. Credits or Discount Coupons: If the researcher so chooses, they may choose to receive the reward amount in credits or discount coupons to be used for purchases in our store. As an additional bonus, we will increase the value of the reward by 50% when this is chosen as the form of payment. For example, if the cash reward is $1000 USD, the researcher may choose to receive $1500 USD in credits or discount coupons.

These reward options are designed to accommodate the personal preferences of contributors to our Bug Bounty Program, and we hope they will encourage even greater participation in the ongoing improvement of Nuuvem's security.

Requirements for Reward Payment

In order for us to process the reward payment, it is essential that the recipient of the reward provides their personal information necessary to meet the regulatory tax requirements of the countries where we operate. Data such as full name, address, tax identification number, and bank details are some examples of information that may be required to complete the transaction. We emphasize that it is not possible to make payments anonymously, as we need to ensure transparency and compliance with relevant regulations. The security and privacy of the provided data will be strictly preserved in accordance with applicable data protection laws. If you have any questions about the process or what data is required, please do not hesitate to contact us.

Acceptable Use

By participating in our program, you agree to:

  • Not compromise the privacy of our customers or the data of our systems.
  • Not interrupt or degrade our services.
  • Not commercially exploit or benefit from the vulnerabilities found.
  • Not exploit the vulnerabilities found beyond what is strictly necessary for the research work and responsible disclosure.
  • Maintain the vulnerabilities confidential until they are resolved. Do not publicly expose the vulnerability before giving us a reasonable time to resolve it.
  • Follow applicable laws and ethical best practices during your research.

How to Report Vulnerabilities

To report a vulnerability, please send an email to security@nuuvem.com with the following information:

  • Detailed description of the vulnerability found, including its location and how it can be exploited.
  • Reproducible steps demonstrating the vulnerability (proofs of concept, screenshots, and videos are welcome).
  • Your contact and return information, including name, affiliation (if applicable), and country.
  • Any other relevant information that may help us better understand the scope of the problem.

If you find multiple vulnerabilities, please send a separate email for each vulnerability found. Each vulnerability submitted will be independently evaluated, and potentially each one may be rewarded as well.

Responsible Disclosure Policy

We ask that all researchers follow our responsible disclosure policy, which means:

  • Not sharing information about the vulnerability with third parties until it is resolved.
  • Give Nuuvem a reasonable time to fix the vulnerability before discussing it publicly, typically 90 days after the report.

Acknowledgments

We appreciate your contribution to Nuuvem's security and look forward to working together to create a safer digital environment for everyone.

Contact

For non-vulnerability reporting related inquiries, please contact us via email at support@nuuvem.com.

Legal Notice

Nuuvem reserves the right to modify the terms of this program or terminate it at any time. Program participants must act in good faith and will not be subject to legal action if they follow the rules established here, but Nuuvem strongly opposes any action that may result in harm to our users, operations, or reputation.