Found something? Open the channel.
We are pentesters. We respect those who find flaws in our own surface. A secure channel, a real response SLA and public recognition for researchers who act within scope.
contato@basilisk.com.br
PGP fingerprint: A4B2 9E3C 7F10 D8E4 4F55 · 6C1A 98D2 0B73 EE21 3AAF
How it works
Encrypted submission
Use the published PGP key or the encrypted form at /contato. Include a step-by-step repro, evidence and the observed impact.
Confirmation within 48 business hours
We confirm receipt with an internal report ID. You are notified when technical triage starts.
Triage and fix
Severity is classified via CVSS. Critical issues get an emergency fix within 72h; high within 2 weeks; medium within 30 days.
Recognition
With your consent, we publish your credit in the public hall. We don't pay a financial bounty, but we can offer swag and a formal technical reference.
Scope
In scope
- basilisk.com.br and public subdomains
- Contact forms and documented public API
- Technical vulnerabilities: RCE, SQLi, XSS, SSRF, IDOR, auth flaws, logic flaws
Out of scope
- Client assets and infrastructure (contact the client directly)
- Denial of service attacks (DoS/DDoS)
- Social engineering against employees, partners or clients
- Physical security of offices
- Attacks on third-party services
- Self-XSS, impactless clickjacking, missing headers without a vector
Rules for researchers
1. Investigate only what is necessary to demonstrate the flaw. Don't access, modify or exfiltrate data beyond the proof.
2. Don't degrade service and don't perform tests that generate abnormal load.
3. Don't publicly disclose before the fix is in production and the embargo is released by mutual agreement.
4. If you find third-party sensitive data, stop immediately and report.
5. Researchers acting in good faith within these rules will not be subject to legal action by Basilisk.
Researchers who helped us
We publish with consent. New credits are added after the fix is in production.