[{"id":3773836,"new_policy":"# Table of Contents\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Tier 3 — Non-Applicative Vulnerabilities](#user-content-tier-3-non-applicative-vulnerabilities)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Challenge \n\n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\nAll bounties for High and Critical reports are calculated using **CVSS 3.1**.\n\n- For high and critical reports the bounty is determined by this formula:\n\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker | ((8,6 × 100) × 10) = $8,600 base + $860 Antique bonus (10%) = **$9,460** |\n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker | ((8,6 × 50) × 10) = $4,300 base + $430 Antique bonus (10%) = **$4,730** |\n\nThis is calculated with constants that are:\n\n| Description | Constant |\n|--- | --- |\n| TIER 1 | 100 |\n| TIER 2 | 50 |\n| HIGH/CRITICAL | 10 |\n\n- For Low and Medium reports the bounty is fixed as specified in the bounty table.\n- The bounty table ranges represent the maximum cap for the base bounty. 
Bonuses and the Fix Bypass addition are calculated on top of and may exceed the published bounty table ranges.\n- Low vulnerabilities will only be paid if CVSS score \u003e= 2.0.\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n-------------------------------\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 25% on the total bounty |\n | Antique | An extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more = 10% |\n | Fix Bypass | If you report a valid bypass over a previously fixed vulnerability | +10% added to the total bounty |\n\nBonus Restrictions:\n- The Antique bonus applies to **consecutive** years only.\n- Bonuses are retroactive to the current year.\n- The Newbie bonus can only be claimed in 1 report per year.\n- The **Newbie and Antique bonuses are mutually exclusive** — only one applies per report.\n- The **Fix Bypass addition is independent** and stacks on top of the base bounty, regardless of whether a Newbie or Antique bonus also applies.\n- Bonuses are only paid on reports in \"triage\" or \"resolved\" status.\n- The **Antique (Loyalty) bonus applies to Tier 3 reports** and multiplies the fixed bounty amount. 
The Newbie bonus and Fix Bypass addition do not apply to Tier 3 reports.\n\n# Tier 3 Non Applicative Vulnerabilities\n\n-------------------------------\nThis section covers security findings resolved through configuration changes, access revocation,\nor asset remediation — not through a code pull request. Tier 3 was introduced to provide a clear\nbounty path for exposure scenarios that fall outside Tier 1 / Tier 2 but carry demonstrable\nbusiness risk.\n\n## What qualifies as Tier 3\n\nA report is eligible for Tier 3 when **all** of the following conditions are met:\n\n1. **The finding is non-applicative.** The exposure is caused by a misconfiguration, an access\n   control gap, or an asset management failure — not by a vulnerability in application code.\n   Typical examples: leaked credentials or API tokens in a public repository, internal documents\n   exposed on a public drive or paste site, misconfigured cloud storage buckets or dashboards\n   with PII.\n\n2. **The asset is demonstrably linked to MercadoLibre.** The exposed material must be verifiably\n   owned, managed, or created by current MercadoLibre employees acting within the scope of their\n   role or hosted in official MercadoLibre scopes. This includes:\n   - Official `@mercadolibre` / `@mercadolivre` accounts on any platform.\n   - Assets found in MercadoLibre scopes.\n   - Personal GitHub, Google Drive, or similar accounts of current employees, provided the\n     reporter can demonstrate a direct link to their MercadoLibre role (e.g., corporate email\n     in commit history, internal system references, cross-links to MELISOURCE).\n\n3. **The fix is a configuration or access change**, not a code patch.\n\n4. **No exploitation beyond confirmation.** The reporter must not have accessed, exfiltrated, or\n   used the exposed data beyond confirming its existence. 
Demonstrating credential validity via\n   a single, non-destructive API call is acceptable; going further is not.\n\n## Severity criteria\n\nTier 3 reports are **not scored with CVSS.** Severity is assessed by the MercadoLibre team\nbased on the CIA impact (Confidentiality / Integrity / Availability) of the exposed asset and\nthe sensitivity of the data involved.\n\n| Tier 3 Severity | Bounty (USD) |\n|---|---|\n| **Critical** | $1,000 |\n| **High** | $750 |\n| **Medium** | $200 |\n| **Low** | $75 |\n\n## One bounty per source\n\nTier 3 pays **one bounty per source location**, regardless of the number of credentials or\nrecords found within it. The bounty severity is determined by the MercadoLibre team based on\nthe highest-impact item present in that source.\n\n## Reporting guidelines\n\nTo help us triage your Tier 3 report efficiently, please include:\n\n- **Source location:** URL or path of the exposed asset (e.g., GitHub repo, Google Drive link,\n  cloud storage URL).\n- **Ownership evidence:** explain how the asset is linked to MercadoLibre (commit author email,\n  internal system references, etc.).\n- **Credential/document validity:** confirm whether the secret was active at time of discovery.\n  A single non-destructive validation call is sufficient — do not go further.\n\n# Response Times\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\nIf you have any questions, you can contact us on our [discord](https://discord.gg/eTAJbRxqa2).\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing 
probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n\n**On-demand Test Users**: If standard test users are insufficient for specific flows or complex scenarios, you may request specialized test accounts through [discord](https://discord.gg/eTAJbRxqa2) or [email](mailto:bugbounty@mercadolibre.com).\n\nPlease note that for any vulnerability reported using these accounts, the Privileges Required (PR) metric in the CVSS calculator will consistently be rated as **HIGH**, as these users are provisioned specifically for security research.\n\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n\n- Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n- Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n- Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre's customers or data. This includes avoiding any disruption to Mercado Libre's products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n\n- **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n- **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n- **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n- **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n- **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n- **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n- **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n- **Account Compromise**: Attempting to gain access to another user's account or data by compromising a MercadoLibre customer or employee account is forbidden.\n- **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n- **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n- **Brute Force Testing**: \"Brute force\" testing to 
determine rate limiting for APIs or other functionalities is prohibited.\n- **Employee Participation**: Internal employees are prohibited from participating in this program.\n- **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n- **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n- Supply chain attacks involving a malicious package that is verifiably published in a public registry and demonstrably affects MercadoLibre's build or runtime environment are in-scope and must include a working PoC.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**c. 
Considerations for Mobile Applications:**\n\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**d. Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content.\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n- Any **.cn** domain, such as **\\*.mercadolibre.cn**, is excluded from the scope.\n\n**Mercadolibre reserves the right to modify this program at any time.**\n\n**Mercadolibre reserves the right to evaluate the scope tiers at any time.**\n\n**MercadoLibre reserves the right to escalate a Tier 3 finding to Tier 2 or Tier 1 based on the assessed business impact of the vulnerability.**\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-05-07T17:36:03.432Z"},{"id":3772431,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- For high and critical reports the bounty is determined by this formula:\n\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker | ((8,6 × 100) × 10) = $8600 base + $860 Antique bonus (10%) = $9460 |\n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker | ((8,6 × 50) × 10) = $4300 base + $430 Antique bonus (10%) = $4730 |\n\nThis is calculated with constants that are:\n\n| Description | Constant |\n|--- | --- |\n| TIER 1 | 100 |\n| TIER 2 | 50 |\n| HIGH/CRITICAL | 10 |\n\n- For low and medium reports the bounty is fixed as specified in the bounty table.\n- If a fix bypass is demonstrated, a 10% bonus is available.\n- Low vulnerabilities will only be paid if the CVSS score \u003e= 2.0.\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 25% on the total bounty |\n | Antique | An extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more = 10% |\n | Fix Bypass Policy | If you report a valid bypass over a previously fixed vulnerability | 10% of the bounty as an incentive |\n\nBonus Restrictions:\n- The Antique bonus applies to consecutive years only.\n- Bonuses are retroactive to the current year.\n- The Newbie bonus can only be claimed in 1 report per year.\n- Only 1 bonus applies for each report.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\nIf you have any questions, you can contact us on our [discord](https://discord.gg/eTAJbRxqa2).\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n**On-demand Test Users**: If standard test users are insufficient for specific flows or complex scenarios, you may request specialized test accounts through [discord](https://discord.gg/eTAJbRxqa2) or [email](mailto:bugbounty@mercadolibre.com). \nPlease note that for any vulnerability reported using these accounts, the Privileges Required (PR) metric in the CVSS calculator will consistently be rated as **HIGH**, as these users are provisioned specifically for security research.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. 
This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly 
prohibited.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports will only be accepted for @mercadolibre and @mercadolivre accounts; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Credentials must have access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\n\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files shared as \"Anyone with the link\" that contain sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n- Reports will only be accepted for mercadolibre and mercadolivre accounts; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Reports of leaked documents from public sources will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**f. 
Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content.\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n**g. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n- Any **.cn** domain, such as **\\*.mercadolibre.cn**, is excluded from the scope.\n\n**Mercadolibre reserves the right to modify this program at any time.**\n\n**Mercadolibre reserves the right to evaluate the scope tiers at any time.**\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-04-09T17:00:46.519Z"},{"id":3770794,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- For high and critical reports the bounty is determined by this formula:\n\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker | ((8,6 × 100) × 10) = $8600 base + $860 Antique bonus (10%) = $9460 |\n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker | ((8,6 × 50) × 10) = $4300 base + $430 Antique bonus (10%) = $4730 |\n\nThis is calculated with constants that are:\n\n| Description | Constant |\n|--- | --- |\n| TIER 1 | 100 |\n| TIER 2 | 50 |\n| HIGH/CRITICAL | 10 |\n\n- For low and medium reports the bounty is fixed as specified in the bounty table.\n- If a fix bypass is demonstrated, a 10% bonus is available.\n- Low vulnerabilities will only be paid if the CVSS score \u003e= 2.0.\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If is your first valid report on our program, you get a bonus |25% plus on the total bounty |\n|Antique| an extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more =10% |\n| Fix Bypass Policy| If you report a valid bypass over a previous fixed vulnerability| 10% plus of the bounty as incentive|\n\n\nBonus Restrictions: \n- The antique bonus its years consecutively\n- Bonuses are retroactive to the current year \n- The newbie bonus can only be claimed in 1 report per year.\n- Only 1 bonus applies for each report.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\nIf you have any questions can contact us on our [discord](https://discord.gg/eTAJbRxqa2)\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n**On-demand Test Users**: If standard test users are insufficient for specific flows or complex scenarios, you may request specialized test accounts through [discord](https://discord.gg/eTAJbRxqa2) or [email](mailto:bugbounty@mercadolibre.com). \nPlease note that for any vulnerability reported using these accounts, the Privileges Required (PR) metric in the CVSS calculator will consistently be rated as **HIGH**, as these users are provisioned specifically for security research.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. 
This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly 
prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Only will be accepted from @mercadolibre and @mercadolivre accounts and it is mandatory to provide the source of the information and will be paid for source not for credential.\n- Credentials with access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files Anyone with the link containing sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n- Only will be accepted from mercadolibre and mercadolivre accounts and it is mandatory to provide the source of the information and will be paid for source not for credential.\n-  Reports leaked documents from Public Sources will be classified according to their severity,with the highest level being High, which carries a maximum bounty of $1,000.\n\n\n\n** f. 
Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n** g. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n** Mercadolibre reserves the right to modify this program at any time. **\n** Mercadolibre reserves the right to evaluate the scope tiers at any time. **\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n\n\n\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-03-10T12:51:06.366Z"},{"id":3770793,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- For high and criticals reports the bounty is determined by this formula:\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker  | (((8,6ˣ100)ˣ10)ˣ(0.1)) = $8600 + $860 = $9460| \n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker  | (((8,6ˣ50)ˣ10)ˣ(0.1)) = $4300 + $430 = $4730| \n\nThis is calculated with constants that are: \n\n| Description | Constant |\n|--- | --- |\n|TIER 1|100| \n|TIER 2 |50|\n|HIGH/CRITICAL|10|\n\n- For lows and mids reports its fixed at specified in the bounty table \n- If a fix-bypass are demonstrated a 10% bonus are available\n- Low vulnerabilities will only be paid if cvss score \u003e= 2.0 \n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If is your first valid report on our program, you get a bonus |25% plus on the total bounty |\n|Antique| an extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more =10% |\n| Fix Bypass Policy| If you report a valid bypass over a previous fixed vulnerability| 10% plus of the bounty as incentive|\n\n\nBonus Restrictions: \n- The antique bonus its years consecutively\n- Bonuses are retroactive to the current year \n- The newbie bonus can only be claimed in 1 report per year.\n- Only 1 bonus applies for each report.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\nIf you have any questions can contact us on our [discord](https://discord.gg/eTAJbRxqa2)\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Only will be accepted from @mercadolibre and @mercadolivre accounts and it is mandatory to provide the source of the information and will be paid for source not for credential.\n- Credentials with access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files Anyone with the link containing sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n- Only will be accepted from mercadolibre and mercadolivre accounts and it is mandatory to provide the source of the information and will be paid for source not for credential.\n-  Reports leaked documents from Public Sources will be classified according to their severity,with the highest level being High, which carries a maximum bounty of $1,000.\n\n\n\n** f. 
Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n** g. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n** Mercadolibre reserves the right to modify this program at any time. **\n** Mercadolibre reserves the right to evaluate the scope tiers at any time. **\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n\n\n\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-03-10T12:50:52.666Z"},{"id":3770758,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- For high and criticals reports the bounty is determined by this formula:\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker  | (((8,6ˣ100)ˣ10)ˣ(0.1)) = $8600 + $860 = $9460| \n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker  | (((8,6ˣ50)ˣ10)ˣ(0.1)) = $4300 + $430 = $4730| \n\nThis is calculated with constants that are: \n\n| Description | Constant |\n|--- | --- |\n|TIER 1|100| \n| TIER 1 |50|\n|HIGH/CRITICAL|10|\n\n- For lows and mids reports its fixed at specified in the bounty table \n- If a fix-bypass are demonstrated a 10% bonus are available\n- Low vulnerabilities will only be paid if cvss score \u003e= 2.0 \n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If is your first valid report on our program, you get a bonus |25% plus on the total bounty |\n|Antique| an extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more =10% |\n| Fix Bypass Policy| If you report a valid bypass over a previous fixed vulnerability| 10% plus of the bounty as incentive|\n\n\nBonus Restrictions: \n- The antique bonus its years consecutively\n- Bonuses are retroactive to the current year \n- The newbie bonus can only be claimed in 1 report per year.\n- Only 1 bonus applies for each report.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\nIf you have any questions can contact us on our [discord](https://discord.gg/eTAJbRxqa2)\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n- **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n- **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n- **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n- **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n- **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n- **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n- **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n- **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n- **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n- **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n- **Employee Participation**: Internal employees are prohibited from participating in this program.\n- **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n- **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Only credentials from @mercadolibre and @mercadolivre accounts will be accepted; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Credentials must have access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication (once the [CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) is Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooted devices in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files shared with \"Anyone with the link\" access that contain sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n- Only documents from mercadolibre and mercadolivre accounts will be accepted; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Reports of leaked documents from public sources will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**f. 
Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content.\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), the provider and claim steps, and HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n**g. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n**Mercadolibre reserves the right to modify this program at any time.**\n**Mercadolibre reserves the right to evaluate the scope tiers at any time.**\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-03-09T18:34:37.633Z"},{"id":3769353,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- For high and critical reports the bounty is determined by this formula:\n\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker | ((8,6 × 100) × 10) = $8600 base + $860 Antique bonus (10%) = $9460 |\n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker | ((8,6 × 50) × 10) = $4300 base + $430 Antique bonus (10%) = $4730 |\n\nThis is calculated with constants that are:\n\n| Description | Constant |\n|--- | --- |\n| TIER 1 | 100 |\n| TIER 2 | 50 |\n| HIGH/CRITICAL | 10 |\n\n- For low and medium reports the bounty is fixed as specified in the bounty table.\n- If a fix bypass is demonstrated, a 10% bonus is available.\n- Low vulnerabilities will only be paid if the CVSS score \u003e= 2.0.\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n| Bonus Name | Description | Reward |\n|--- | --- | --- |\n| Newbie | If this is your first valid report on our program, you get a bonus | 25% extra on the total bounty |\n| Antique | An extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more = 10% |\n| Fix Bypass Policy | If you report a valid bypass over a previously fixed vulnerability | 10% extra on the bounty as an incentive |\n\nBonus Restrictions:\n- The Antique bonus applies to consecutive years only.\n- Bonuses are retroactive to the current year.\n- The Newbie bonus can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\nIf you have any questions, you can contact us on our [discord](https://discord.gg/eTAJbRxqa2).\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n- **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n- **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n- **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n- **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n- **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n- **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n- **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n- **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n- **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n- **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n- **Employee Participation**: Internal employees are prohibited from participating in this program.\n- **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n- **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Only credentials from @mercadolibre and @mercadolivre accounts will be accepted; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Credentials must have access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication (once the [CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) is Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooted devices in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files shared with \"Anyone with the link\" access that contain sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n- Only documents from @mercadolibre and @mercadolivre accounts will be accepted; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Reports of leaked documents from public sources will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**f. 
Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content.\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), the provider and claim steps, and HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n**g. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n**Mercadolibre reserves the right to modify this program at any time.**\n**Mercadolibre reserves the right to evaluate the scope tiers at any time.**\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-02-06T19:56:13.979Z"},{"id":3769349,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- For high and critical reports the bounty is determined by this formula:\n\n**(((CVSS Score × Tier) × Severity) + Loyalty Bonus) = Bounty total**\n\n| Example | Calculation |\n|--- | --- |\n| CVSS 8,6 (High), Tier 1 \u0026 5 years hacker | ((8,6 × 100) × 10) = $8600 base + $860 Antique bonus (10%) = $9460 |\n| CVSS 8,6 (High), Tier 2 \u0026 5 years hacker | ((8,6 × 50) × 10) = $4300 base + $430 Antique bonus (10%) = $4730 |\n\nThis is calculated with constants that are:\n\n| Description | Constant |\n|--- | --- |\n| TIER 1 | 100 |\n| TIER 2 | 50 |\n| HIGH/CRITICAL | 10 |\n\n- For low and medium reports the bounty is fixed as specified in the bounty table.\n- If a fix bypass is demonstrated, a 10% bonus is available.\n- Low vulnerabilities will only be paid if the CVSS score \u003e= 2.0.\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty, gamification and bonus\n\n| Bonus Name | Description | Reward |\n|--- | --- | --- |\n| Newbie | If this is your first valid report on our program, you get a bonus | 25% extra on the total bounty |\n| Antique | An extra percentage bonus over the bounty for consecutive years reporting on the program | 2 years = 4% / 3 years = 6% / 4 years = 8% / 5 years and more = 10% |\n| Fix Bypass Policy | If you report a valid bypass over a previously fixed vulnerability | 10% extra on the bounty as an incentive |\n\nBonus Restrictions:\n- The Antique bonus applies to consecutive years only.\n- Bonuses are retroactive to the current year.\n- The Newbie bonus can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\nIf you have any questions, you can contact us on our [discord](https://discord.gg/eTAJbRxqa2).\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n- **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n- **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n- **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n- **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n- **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n- **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n- **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n- **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n- **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n- **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n- **Employee Participation**: Internal employees are prohibited from participating in this program.\n- **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n- **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Only credentials from @mercadolibre and @mercadolivre accounts will be accepted; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Credentials must have access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication (once the [CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) is Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooted devices in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deep links directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files shared with \"Anyone with the link\" access that contain sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n- Only documents from @mercadolibre and @mercadolivre accounts will be accepted; it is mandatory to provide the source of the information, and payment is per source, not per credential.\n- Reports of leaked documents from public sources will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $1,000.\n\n**f. 
Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content.\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), the provider and claim steps, and HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n**g. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n**Mercadolibre reserves the right to modify this program at any time.**\n**Mercadolibre reserves the right to evaluate the scope tiers at any time.**\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-02-06T19:29:02.861Z"},{"id":3767982,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease read the following PDF F4286661 for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF F5188088 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter (Q).\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses:\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n\n\nBonus Restrictions:\n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For this reward, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing\n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- The only valid credentials are those belonging to Mercado Libre domains, so we do not accept end-user credentials.\n- Credentials with access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files Anyone with the link containing sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n\n** f. Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n** g. 
Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2026-01-05T13:39:51.782Z"},{"id":3767450,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease read the following PDF F4286661 for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF F4969568 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter (Q).\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses:\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n\n\nBonus Restrictions:\n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For this reward, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing\n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- The only valid credentials are those belonging to Mercado Libre domains, so we do not accept end-user credentials.\n- Credentials with access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files Anyone with the link containing sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n\n** f. Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n** g. 
Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-12-16T17:14:04.466Z"},{"id":3767328,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease read the following PDF F4286661 for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF F4969568 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter (Q).\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses:\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n | **NEW** Antique | For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 |\n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions:\n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For this reward, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing\n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- The only valid credentials are those belonging to Mercado Libre domains, so we do not accept end-user credentials.\n- Credentials must have access to active sensitive data or production infrastructure.\n- Credentials must give access to sensitive information or PII.\n- If they are managed by third parties, the acceptance criteria are the same.\n- Credentials must be from a production environment.\n- Tests must comply with HackerOne standards.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Considerations on Issues Related to Leaked Documents from Public Sources:**\n- Confidential content.\n- PII information.\n- Files shared as \"Anyone with the link\" that contain sensitive information.\n- It must be demonstrated that the information belongs to MercadoLibre.\n\n**f. Considerations on Issues Related to Subdomain Takeover:**\n- It must be possible to insert content.\n- Demonstrate control with a verification page, DNS evidence (CNAME/A), provider, and claim steps; include HTTP/HTTPS response captures.\n- Do not steal cookies or interact with users; no phishing.\n\n**g. 
Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-12-12T12:43:24.216Z"},{"id":3765551,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4969568 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per Q.\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n | **NEW** Antique | For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 |\n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For this reward, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-11-05T13:41:14.983Z"},{"id":3762158,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4736976 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per Q.\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n | **NEW** Antique | For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 |\n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For this reward, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-09-01T12:51:07.578Z"},{"id":3760142,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program; because of this we have a loyalty program in which you gain points for every valid vulnerability reported to our program.\n\nWith these points you get a level in our program which has really fabulous rewards for you to claim. \n\nPlease visit the following PDF F4286661 for reading the terms and conditions of our loyalty program, where you will also find a detailed section of the rewards for each tier. 
\n\nPlease visit the following PDF F4622573 to know each level of hacker.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n| **NEW** Antique |  For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 Bonus applies for each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-07-29T12:28:08.171Z"},{"id":3759038,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program; because of this we have a loyalty program in which you gain points for every valid vulnerability reported to our program.\n\nWith these points you get a level in our program which has really fabulous rewards for you to claim. \n\nPlease visit the following PDF F4286661 for reading the terms and conditions of our loyalty program, where you will also find a detailed section of the rewards for each tier. 
\n\nPlease visit the following PDF F4533995 to know each level of hacker.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n| **NEW** Antique |  For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 Bonus applies for each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Melidolar\",\"details\":\"All vulnerabilities related to the \\\"Melidolar\\\" feature.\"}","{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-07-14T17:57:57.112Z"},{"id":3758551,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program; because of this we have a loyalty program in which you gain points for every valid vulnerability reported to our program.\n\nWith these points you get a level in our program which has really fabulous rewards for you to claim. \n\nPlease visit the following PDF F4286661 for reading the terms and conditions of our loyalty program, where you will also find a detailed section of the rewards for each tier. 
\n\nPlease visit the following PDF F4533995 to know each level of hacker.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n| **NEW** Antique |  For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 Bonus applies for each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n
**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable over the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n
**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root-detection protections in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-07-07T12:55:43.588Z"},{"id":3758550,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercado Libre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; there you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4533990 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter.\n- Mercado Libre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses:\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n | **NEW** Antique | For every year you have participated in our program and made valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 |\n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions:\n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n
**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable over the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n
**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root-detection protections in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-07-07T12:53:53.127Z"},{"id":3758114,"new_policy":"# Table of Contents\n\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercado Libre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; there you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4395541 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter.\n- Mercado Libre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses:\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n | **NEW** Antique | For every year you have participated in our program and made valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 |\n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions:\n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n
**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable over the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n
**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root-detection protections in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-06-25T19:46:03.221Z"},{"id":3757998,"new_policy":"# Table of Contents\n\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Promotion\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- |\n| EMON | WEB | ALL SITES | Test users and production accounts | F4410400 |\n| EMOFF | WEB | ALL SITES | Test users and production accounts | F4410399 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards 
\n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit.\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercado Libre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim.\n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; there you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4395541 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter.\n- Mercado Libre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses:\n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x |\n | **NEW** Antique | For every year you have participated in our program and made valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 |\n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions:\n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-06-24T13:28:39.221Z"},{"id":3757524,"new_policy":"# Table of Contents\n\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion for MHE Brasil\n\nFind all of the information for the promotions here: F4452800\n\n# Current Active Promotion\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- |\n| EMON | WEB | ALL SITES | Test users and production accounts | F4410400 |\n| EMOFF | WEB | ALL SITES | Test users and production accounts | F4410399 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | 
F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team that considers several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability you report to our program.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; there you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4395541 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n | **NEW** Antique |  For every year you participate in our program and submit valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-06-14T14:06:04.830Z"},{"id":3756801,"new_policy":"# Table of Contents\n\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- |\n| EMON | WEB | ALL SITES | Test users and production accounts | F4410400 |\n| EMOFF | WEB | ALL SITES | Test users and production accounts | F4410399 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards 
\n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team that considers several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability you report to our program.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease visit the following PDF F4286661 to read the terms and conditions of our loyalty program; there you will also find a detailed section on the rewards for each tier. 
\n\nPlease visit the following PDF F4395541 to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n | **NEW** Antique |  For every year you participate in our program and submit valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-06-03T16:53:05.241Z"},{"id":3756798,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- |\n| EMON | WEB | ALL SITES | Test users and production accounts | F4410400 |\n| EMOFF | WEB | ALL SITES | Test users and production accounts | F4410399 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre 
offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability in our program.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease see the following PDF, F4286661, to read the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF, F4395541, to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter.\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n | **NEW** Antique | For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 | \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools for root detection or for protection against dynamic instrumentation, debugging, emulation, or tampering in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-06-03T16:40:54.946Z"},{"id":3756797,"new_policy":"# Table of Contents\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability in our program.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease see the following PDF, F4286661, to read the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF, F4395541, to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter.\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n | **NEW** Antique | For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 | \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools for root detection or for protection against dynamic instrumentation, debugging, emulation, or tampering in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-06-03T16:20:20.593Z"},{"id":3756544,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- | \n| Gating - Pharma | WEB | MLM,MLA,MCO | Test users and production accounts | F4316852 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying 
vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we have a loyalty program in which you gain points for every valid vulnerability in our program.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease see the following PDF, F4286661, to read the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF, F4395541, to learn about each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6).\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive.\n- Only 1 prize can be claimed per quarter.\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n | **NEW** Antique | For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000 | \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). For these rewards, you will be paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools for root detection or for protection against dynamic instrumentation, debugging, emulation, or tampering in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-05-29T15:08:36.306Z"},{"id":3755417,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- | \n| Gating - Pharma | WEB | MLM,MLA,MCO | Test users and production accounts | F4316852 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying 
vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you earn points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease see the following PDF, F4286661, for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF, F4286650, for a description of each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Reward |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n| **NEW** Antique |  For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). This reward is paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-05-12T18:19:48.282Z"},{"id":3755401,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- | \n| Gating - Pharma | WEB | MLM,MLA,MCO | Test users and production accounts | F4316852 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying 
vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you earn points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease see the following PDF, F4286661, for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF, F4286650, for a description of each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n| **NEW** Antique |  For every year you participate in our program and make valid reports, you get a reward on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6). This reward is paid on your first valid report of the year.\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-05-12T17:01:07.248Z"},{"id":3755400,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- | \n| Gating - Pharma | WEB | MLM,MLA,MCO | Test users and production accounts | F4316852 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying 
vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you earn points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has really fabulous rewards for you to claim. \n\nPlease see the following PDF, F4286661, for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF, F4286650, for a description of each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Newbie |  If this is your first valid report on our program, you get a bonus |1.5x | \n| **NEW** Antique |  For every year you participate in our program and make valid reports, you get a multiplier on your report | 1 year: US$500, 2 years: US$1000, 3 years: US$1500, 4 years or more: US$2000| \n\nFor more information, please access the following document:\n\nF4340757\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). 
Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable over the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools that protect against dynamic instrumentation, debugging, emulation, tampering, or rooting in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards HackerOne triagers or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-05-12T16:58:18.947Z"},{"id":3754799,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- | \n| Gating - Pharma | WEB | MLM,MLA,MCO | Test users and production accounts | F4316852 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying 
vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has fabulous rewards for you to claim. \n\nPlease read the following PDF F4286661 for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF F4286650 for a description of each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report last year and make a new valid report this year, you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n| **NEW** Antique | For every year you have participated in our program and made valid reports, you get a multiplier on your report | 2 years: 1.5x, 3 years: 2x, 4 years: 2.5x | \n\nFor more information, please access the following document:\n\nF4286644\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing 
probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable over the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools that protect against dynamic instrumentation, debugging, emulation, tampering, or rooting in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards HackerOne triagers or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-05-05T14:35:06.488Z"},{"id":3754390,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Loyalty And Gamification](#user-content-loyalty-and-gamification)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation  |\n| --- | --- | --- | --- | --- | \n| PhotoStudio 2.0 | WEB | ALL SITES | Test users and production accounts | F4218708 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | **NEW** CSP BYPASS | F4286645 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying 
vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Loyalty And Gamification\n\nAt Mercadolibre we want you to have a great experience in our program, so we run a loyalty program in which you gain points for every valid vulnerability you report.\n\nWith these points you reach a level in our program, and each level has fabulous rewards for you to claim. \n\nPlease read the following PDF F4286661 for the terms and conditions of our loyalty program; it also contains a detailed section on the rewards for each tier. 
\n\nPlease see the following PDF F4286650 for a description of each hacker level.\n\nIf you want to claim your reward, please fill in the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n\nLoyalty Restrictions:\n- Loyalty bonuses are not retroactive\n- Only 1 prize can be claimed per quarter\n- Mercadolibre reserves the right to modify this program at any time.\n\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report last year and make a new valid report this year, you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n| **NEW** Antique | For every year you have participated in our program and made valid reports, you get a multiplier on your report | 2 years: 1.5x, 3 years: 2x, 4 years: 2.5x | \n\nFor more information, please access the following document:\n\nF4286644\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- Only 1 bonus applies to each report.\n- To claim the bonus, the bug hunter must request it through the following [form](https://forms.gle/8NjdUYTkzCU1bQwc6)\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing 
probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable over the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar tools that protect against dynamic instrumentation, debugging, emulation, tampering, or rooting in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards HackerOne triagers or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-04-25T14:31:18.957Z"},{"id":3753192,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| PhotoStudio 2.0 | WEB | ALL SITES | Test users and production accounts | F4218708 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. 
The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year you get a bonus  | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50%|\n | Newbie |  If it is your first valid report on our program, you get a bonus |1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bug hunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-04-04T21:30:00.172Z"},{"id":3752744,"new_policy":"# Table of Contents\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of 
$50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year you get a bonus  | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50%|\n | Newbie |  If it is your first valid report on our program, you get a bonus |1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bug hunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-31T21:44:28.976Z"},{"id":3752213,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Promotion MHE\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| MPLAY ANDROID TV | Android TV | ALL SITES | Test users and production 
accounts | F4172952 |\n| UNDER AGE VALIDATION | Web, Mobile | MLA, MLB | Only production accounts | F4172956 |\n| PARENTAL CONTROL | Web, Mobile | MLA | Only production accounts | F4172953 |\n| QRC TRANSPORT  | Mobile | MLA | Only production accounts | F4172955 |\n| CROSS-SITE QR PAYMENTS | Mobile | MLA, MLU | Only production accounts | F4172964 |\n| PIX LATAM | Points, Mobile | MLA, MLB | Only production accounts | F4172954 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA BYPASS | F4018599 | \n | REAUTH 2FA BYPASS  | F4173015 |\n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year you get a bonus  | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50%|\n | Newbie |  If it is your first valid report on our program, you get a bonus |1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bug hunter must request it through a comment in the report. \n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-22T13:53:42.374Z"},{"id":3752212,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Promotion MHE\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| MPLAY ANDROID TV | Android TV | ALL SITES | Test users and production accounts | F4172952 |\n| UNDER AGE VALIDATION | Web, Mobile | MLA, MLB | Only production accounts | F4172956 |\n| PARENTAL CONTROL | Web, Mobile | MLA | Only production accounts | F4172953 |\n| QRC TRANSPORT  | Mobile | MLA | Only production accounts | F4172955 |\n| CROSS-SITE QR PAYMENTS | Mobile | MLA, MLU | Only production accounts | F4172964 |\n| PIX LATAM | Points, Mobile | 
MLA, MLB | Only production accounts | F4172954 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bughunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-22T13:33:03.744Z"},{"id":3752211,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Promotion MHE\n\n-------------------------------\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| MPLAY ANDROID TV | Android TV | ALL SITES | Test users and production 
accounts |  |\n| UNDER AGE VALIDATION | Web, Mobile | MLA, MLB | Only production accounts |  |\n| PARENTAL CONTROL | Web, Mobile | MLA | Only production accounts |  |\n| QRC TRANSPORT  | Mobile | MLA | Only production accounts |  |\n| CROSS-SITE QR PAYMENTS | Mobile | MLA, MLU | Only production accounts |  |\n| PIX LATAM | Points, Mobile | MLA, MLB | Only production accounts |  |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bughunter must request it through a comment in the report. \n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n**a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-22T13:11:48.733Z"},{"id":3752210,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Promotion\n\n-------------------------------\n\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year.\n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bughunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-22T12:23:19.237Z"},{"id":3751369,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n\n# Current Active Promotion\n\n-------------------------------\n | Feature | Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- |\n | Facturación | Web | MLB | Test users provided and production accounts 
| F4127630 |\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year, you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bughunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-10T00:45:00.768Z"},{"id":3751233,"new_policy":"# Table of Contents\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 
USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year, you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bughunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-03-05T13:54:30.442Z"},{"id":3750980,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Active Bonus](#user-content-active-bonus)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion\n\n-------------------------------\n | Feature | Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- |\n | Centralización ESC | Mobile | MLB, MLM | Test and production | F4022986 
|\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Active Bonus\n\n-------------------------------\nWe currently have the following active bonuses: \n\n | Bonus Name | Description | Multiplier |\n |--- | --- | --- |\n | Returning | If you made a valid report during last year and make a new valid report this year, you get a bonus | Q1: 100%, Q2: 75%, Q3: 50%, Q4: 50% |\n | Newbie | If this is your first valid report on our program, you get a bonus | 1.5x | \n\nFor more information, please access the following document:\n\nF4097073\n\nBonus Restrictions: \n- Bonuses are retroactive to the current year \n- Bonuses can only be claimed in 1 report per year.\n- To claim the bonus, the bughunter must request it through a comment in the report. 
\n- Bonuses are only paid on reports in “triage” or “resolved” status.\n\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-02-27T13:38:51.051Z"},{"id":3749470,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion\n\n-------------------------------\n | Feature | Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- |\n | Centralización ESC | Mobile | MLB, MLM | Test and production | F4022986 |\n\n# Current Active Challenge \n 
\n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-02-04T20:25:20.548Z"},{"id":3749359,"new_policy":"# Table of Contents\n- [Current Active Challenge](#user-content-current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-02-03T20:14:35.497Z"},{"id":3749352,"new_policy":"# Table of Contents\n- [Current Active Challenge](#current-active-challenge)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Challenge \n \n-------------------------------\n | Name | Documentation |\n |--- | --- |\n | ATO 2FA Bypass | F4018599 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-02-03T18:57:17.442Z"},{"id":3748435,"new_policy":"# Table of Contents\n- [Current Active Promotion](#current-active-promotion)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n \n-------------------------------\n | Feature |  Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- | ---|\n | GTM - MShops | Web | ALL SITES | Test and production | F3933604 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-01-20T19:31:39.501Z"},{"id":3748425,"new_policy":"# Table of Contents\n- [Current Active Promotion](#current-active-promotion)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n \n-------------------------------\n | Feature |  Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- | ---|\n | GMT - MShops | Web | ALL SITES | Test and production | F3933604 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $50 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-01-20T15:24:45.976Z"},{"id":3747965,"new_policy":"# Table of Contents\n- [Current Active Promotion](#current-active-promotion)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n \n-------------------------------\n | Feature |  Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- | ---|\n | GMT - MShops | Web | ALL SITES | Test and production | F3933604 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Considerations\n\n-------------------------------\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. 
Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"KYC\",\"details\":\"Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\"}","{\"category\":\"GraphQL\",\"details\":\"Any GraphQL vulnerability with DoS impact.\"}","{\"category\":\"Collaborators\",\"details\":\"All vulnerabilities related to the Collaborators feature.\"}"],"timestamp":"2025-01-13T19:25:38.525Z"},{"id":3747780,"new_policy":"# Table of Contents\n- [Current Active Promotion](#current-active-promotion)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Out-of-Scope Issues](#user-content-out-of-scope-issues)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n \n-------------------------------\n | Feature |  Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- | ---|\n | GMT - MShops | Web | ALL SITES | Test and production | F3933604 | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. 
We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. 
Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Out-of-Scope Issues\n\n-------------------------------\nIssues that should not be tested or reported, in addition to the [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings), include:\n\n- All vulnerabilities related to the Collaborators feature.\n- 
Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n- OAuth-related vulnerabilities.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. 
Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar protections in native apps (detection of dynamic instrumentation, debugging, emulation, tampering, or rooted devices).\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. Other Considerations:**\n- Cross-site scripting vulnerabilities that do not include a Content Security Policy (CSP) bypass will be assessed at a lower severity, or none, than those that do.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-01-10T13:53:52.500Z"},{"id":3747779,"new_policy":"# Table of Contents\n- [Current Active Promotion](#user-content-current-active-promotion)\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Out-of-Scope Issues](#user-content-out-of-scope-issues)\n- [Considerations](#user-content-considerations)\n\n# Current Active Promotion \n \n-------------------------------\n | Feature |  Type | Sites | Users | Documentation |\n |--- | --- | --- | --- | --- |\n | GMT - MShops | Web | ALL SITES | Test and production | | \n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Out-of-Scope Issues\n\n-------------------------------\nIssues that should not be tested or reported, in addition to the [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings), include:\n\n- All vulnerabilities related to the Collaborators feature.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n- OAuth-related vulnerabilities.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. 
Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar protections in native apps (detection of dynamic instrumentation, debugging, emulation, tampering, or rooted devices).\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. 
Other Considerations:**\n- Cross-site scripting vulnerabilities that do not include a Content Security Policy (CSP) bypass will be assessed at a lower severity, or none, than those that do.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. 
We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-01-10T13:52:56.759Z"},{"id":3747663,"new_policy":"# Table of Contents\n- [Rewards](#user-content-rewards)\n- [Response Times](#user-content-response-times)\n- [Testing](#user-content-testing)\n- [Eligibility and Responsible Disclosure](#user-content-eligibility-and-responsible-disclosure)\n- [Restrictions](#user-content-restrictions)\n- [Out-of-Scope Issues](#user-content-out-of-scope-issues)\n- [Considerations](#user-content-considerations)\n\n\n# Rewards \n\n-------------------------------\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n# Response Times\n\n-------------------------------\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n# Testing \n\n-------------------------------\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n# Eligibility and Responsible Disclosure \n\n-------------------------------\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n# Restrictions \n\n-------------------------------\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute 
force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n# Out-of-Scope Issues\n\n-------------------------------\nIssues that should not be tested or reported, in addition to the [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings), include:\n\n- All vulnerabilities related to the Collaborators feature.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n- OAuth-related vulnerabilities.\n\n# Considerations\n\n-------------------------------\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. 
Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n**d. Considerations for Mobile Applications:**\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of the SafetyNet attestation API or similar protections in native apps (detection of dynamic instrumentation, debugging, emulation, tampering, or rooted devices).\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n**e. 
Other Considerations:**\n- Cross-site scripting vulnerabilities that do not include a Content Security Policy (CSP) bypass will be assessed at a lower severity, or none, than those that do.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-01-08T19:02:32.610Z"},{"id":3747305,"new_policy":"# Policy\n\n## Table of Contents\n1. Rewards\n2. Response Times\n3. Testing\n4. Eligibility and Responsible Disclosure\n5. Restrictions\n6. Out-of-Scope Issues\n7. Considerations\n\n\n**1. Rewards**\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. 
The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. \n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n**2. Response Times**\n\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n**3. Testing**\n\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n**4. 
Eligibility and Responsible Disclosure**\n\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n**5. Restrictions**\n\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. 
Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n**6. 
Out-of-Scope Issues**\n\nIssues that should not be tested or reported, in addition to the [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings), include:\n\n- All vulnerabilities related to the Collaborators feature.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n- OAuth-related vulnerabilities.\n\n**7. Considerations**\n\n**a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n**b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST:**\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n**c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre:**\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. 
Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. 
Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-01-01T17:18:02.486Z"},{"id":3747202,"new_policy":"#Policy\n\n##Table of Contents\n1. Current Active Promotions and Challenges\n2. Rewards\n3. Response Times\n4. Testing\n5. Eligibility and Responsible Disclosure\n6. Restrictions\n7. Out-of-Scope Issues\n8. Considerations\n\n** 1. 
Current Active Promotions and Challenges ** \n\nPromotions\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| Eshop | Web | ALL SITES | Test and production | F3739478 | \n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 | \n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 | \n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 | \n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 | \n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards  | Web | MLA, MLB, MLM, MLC  | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n\n** 2. Rewards **\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n** 3. Response Times **\n\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n** 4. Testing **\n\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n** 6. Restrictions **\n\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine 
rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n**7. Out-of-Scope Issues**\n\nIssues that should not be tested or reported, in addition to the [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings), include:\n\n- All vulnerabilities related to the Collaborators feature.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n- OAuth-related vulnerabilities.\n\n** 8. Considerations **\n\n** a. Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n- Dependency confusion vectors are out-of-scope.\n\n** c. 
Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n- Use of out-of-date third-party libraries without proof of exploitability is out-of-scope.\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites are out-of-scope.\n\n** d. Considerations for Mobile Applications: **\nThe following issues specific to mobile applications should not be tested or reported:\n- Certificate pinning and SSL/TLS best practices for native apps.\n- Obfuscated code in native apps.\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection in native apps.\n- Exported components with no real security impact on native apps.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website opened in the in-app browser is treated as an untrusted domain.\n\n** e. 
Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-27T15:54:28.738Z"},{"id":3747171,"new_policy":"#Policy\n\n##Table of Contents\n1. Current Active Promotions and Challenges\n2. Rewards\n3. Response Times\n4. Testing\n5. Eligibility and Responsible Disclosure\n6. Restrictions\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n\n** 1. 
Current Active Promotions and Challenges ** \n\nPromotions\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| Eshop | Web | ALL SITES | Test and production | F3739478 | \n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 | \n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 | \n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 | \n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 | \n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards  | Web | MLA, MLB, MLM, MLC  | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n\n** 2. Rewards **\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\n- Bounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. 
\n- Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future cases.\n\n** 3. Response Times **\n\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n** 4. Testing **\n\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n** 6. Restrictions **\n\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine 
rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n** 7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplinks directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n** 8. Considerations **\n\n** a. 
Considerations on Issues Related to Credentials from Public Sources:**\n- A working proof of concept (PoC) demonstrating the impact is essential, at a minimum showing that the credential is functional.\n- As specified in the safe harbor/Data Privacy policy, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\n** b. Considerations on Issues Related to Vulnerabilities Found in Code Review Exercises or SAST: ** \n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to exploitable dependencies, CVEs, 0-days, and working exploits must be demonstrable through the internet with a proper PoC.\n\n** c. Considerations on Issues Related to Vulnerabilities Found in Third-Party Applications Used by Mercado Libre: **\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on Mercado Libre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\n** d. 
Other Considerations: **\n- Cross-site scripting vulnerabilities without a Content Security Policy (CSP) bypass will be assessed with a lower or no severity level compared to those with a bypass.\n- We reserve the right to establish the severity of vulnerabilities based on their direct impact on MercadoLibre; therefore, the severity may increase or decrease depending on the case.\n- The Mercado Libre team may also determine if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report submitted by a collaborator.\n- Reports that contain inappropriate or disrespectful language towards any of the triagers of HackerOne or Mercado Libre staff will be closed as N/A. Repeated offenses may result in a ban from the program.\n\n#Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-26T20:59:11.495Z"},{"id":3747167,"new_policy":"#Policy\n\n##Table of Contents\n1. Current Active Promotions and Challenges\n2. Rewards\n3. Response Times\n4. Testing\n5. Eligibility and Responsible Disclosure\n6. Restrictions\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n\n** 1. 
Current Active Promotions and Challenges ** \n\nPromotions\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| Eshop | Web | ALL SITES | Test and production | F3739478 | \n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 | \n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 | \n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 | \n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 | \n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards  | Web | MLA, MLB, MLM, MLC  | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n\n** 2. Rewards **\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\nBounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n\n** 3. 
Response Times **\n\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n** 4. Testing **\n\n- ** Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo promote coordinated disclosure, Mercado Libre does not intend to take legal action or initiate law enforcement investigations against security researchers who adhere to the following guidelines:\n - Researchers must report discovered security issues to Mercado Libre without making any information or details public until a mutual agreement is reached or with explicit authorization from MercadoLibre.\n - Researchers should allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability. 
Mercado Libre commits to following the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), ensuring open communication, providing an initial response to the researcher within 30 days, and mutually agreeing on a disclosure timeline.\n - Researchers should make all reasonable efforts in good faith to avoid destroying, stealing, modifying, damaging, or otherwise jeopardizing the personal data or privacy of Mercado Libre’s customers or data. This includes avoiding any disruption to Mercado Libre’s products and services.\n\n** 6. Restrictions **\n\nThe following actions are expressly prohibited and are not covered under the Coordinated Disclosure Policy:\n -  **Automated Scanning**: Massive automated scans are not permitted. Creative testing is encouraged instead.\n -  **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n -  **Service Degradation**: Significantly degrading our service may lead to a ban from the program.\n -  **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n -  **Physical Attacks**: Physical attacks against MercadoLibre employees, offices, or data centers are prohibited.\n -  **Social Engineering**: Engaging in social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing, is not allowed.\n -  **Spam**: Pursuing vulnerabilities that involve sending unsolicited bulk messages (spam) is prohibited.\n -  **Account Compromise**: Attempting to gain access to another user’s account or data by compromising a MercadoLibre customer or employee account is forbidden.\n -  **Malware**: Knowingly posting, transmitting, uploading, linking to, or sending malware to Mercado Libre or its employees is prohibited.\n -  **Mass Account Creation**: Mass account creation for testing against Mercado Libre applications and services is not allowed.\n -  **Brute Force Testing**: \"Brute force\" testing to determine 
rate limiting for APIs or other functionalities is prohibited.\n -  **Employee Participation**: Internal employees are prohibited from participating in this program.\n -  **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n -  **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with Mercado Libre, is strictly prohibited.\n\n** 7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on Mercado Libre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n**8. Considerations**\n\na. Considerations on issues related to credentials on public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy section, dumping sensitive information is not allowed. 
\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. Other Considerations\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may go down or up depending on the case.\n- The MercadoLibre team may also decide whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. 
If the behavior is repeated, the user could be banned from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-26T20:34:54.891Z"},{"id":3747166,"new_policy":"# Policy\n\n## Table of Contents\n1. Current Active Promotions and Challenges\n2. Rewards\n3. Response Times\n4. Testing\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n\n**1. 
Current Active Promotions and Challenges**\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n\n**2. Rewards**\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\nBounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n\n**3. 
Response Times**\n\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n\n**4. Testing**\n\n- **Users:** You can claim test users for our in-scope assets or [create users to launch testing probes](https://developers.mercadolibre.com.ar/en_us/start-testing). Please check the restrictions section.\n- **Test cards:** You can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n**5. Restrictions**\n\n- **Automated Scanning**: Massive automated scans are not permitted. Please engage in creative testing instead.\n- **Test Users**: Improper or out-of-scope use of test users may result in a ban from the program.\n- **Service Degradation**: Significantly degrading our service risks a ban from the program.\n- **No DoS Attacks**: Denial-of-Service (DoS) activities are prohibited by our cloud providers.\n- **Employee Participation**: Internal employees are not allowed to participate in this program.\n- **Former Employees**: Former employees may participate only after a one-year waiting period from their termination date.\n- **Provider Participation**: Participation from our providers, including individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**6. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\n - Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd-party libraries without proof of exploitability\n- Vulnerabilities in 3rd-party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n**8. Considerations**\n\na. Considerations on issues related to credentials on public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy section, dumping sensitive information is not allowed. 
\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. Other Considerations\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may go down or up depending on the case.\n- The MercadoLibre team may also decide whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. 
If the behavior is repeated, the user could be banned from the program.\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-26T19:28:43.217Z"},{"id":3747165,"new_policy":"# Policy\n\n## Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n**1. Rewards**\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\nBounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n\n**2. 
Current Active Promotions and Challenges**\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n**3. Response Times**\n\nMercado Libre is committed to making a best effort to meet the following response times for hackers participating in our program:\n\n- **Time to First Response** (from report submission): 2 business days\n- **Time to Triage** (from report submission): 5 business days\n- **Time to Bounty** (from triage): 10 business days\n\nWe will keep you informed about our progress throughout the process.\n\n**4. Restrictions**\n- Massive automated scanning is not allowed. 
Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**5. Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\n - Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. 
This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**6. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd-party libraries without proof of exploitability\n- Vulnerabilities in 3rd-party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. 
X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n**7. Considerations**\n\na. Considerations on issues related to credentials on public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy section, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may go down or up depending on the case.\n- The MercadoLibre team may also decide whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n**8. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Test cards\nYou can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-26T18:58:49.112Z"},{"id":3747164,"new_policy":"# Policy\n\n## Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n**1. Rewards**\n\nMercadoLibre offers rewards to eligible reporters for qualifying vulnerabilities, with a minimum reward of $100 USD. The bounty table specifies minimum rewards based on the assessed CVSS score for in-scope properties. We reserve the right to adjust rewards based on specific impact.\n\nBounty decisions are made by an internal team who consider several factors, including CVSS scores, involvement of customer data, severity of the vulnerability, compliance with the [HackerOne standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards), and the affected business unit. Reports that demonstrate a high level of technical skill and clarity may also be considered when determining the final bounty range.\n\n**2. 
Current Active Promotions and Challenges**\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n**3. Response Times**\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**4. Restrictions**\n- Massive automated scanning is not allowed. 
Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**5. Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\n - Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. 
This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server error, FTP banners, language, etc.).\n- Use of out-of-date third-party libraries without proof of exploitability.\n- Vulnerabilities in third-party scripts used on MercadoLibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. 
X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email configuration related issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools to provide anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n** 7. Considerations **\n\na. Considerations on issues related to credentials in public sources:\n- A working PoC with proven impact is mandatory, at a minimum demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered for previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Test cards\nYou can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-26T18:44:54.126Z"},{"id":3746789,"new_policy":"# Policy\n\n## Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. 
Current Active Promotions and Challenges ** \n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n** 3. Response Times **\n\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. 
Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n- Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n- Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known. Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n- Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's data. 
This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server error, FTP banners, language, etc.).\n- Use of out-of-date third-party libraries without proof of exploitability.\n- Vulnerabilities in third-party scripts used on MercadoLibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. 
X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email configuration related issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools to provide anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n** 7. Considerations **\n\na. Considerations on issues related to credentials in public sources:\n- A working PoC with proven impact is mandatory, at a minimum demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered for previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Test cards\nYou can use test cards of local payment methods and simulate different payment responses, without the need to use a real card. Depending on your country, use one of the credit or debit cards we [provide](https://www.mercadopago.com.ar/developers/en/docs/checkout-api/additional-content/your-integrations/test/cards).\n\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. 
We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-17T20:48:17.130Z"},{"id":3746787,"new_policy":"# Policy\n\n## Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. 
Current Active Promotions and Challenges ** \n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n** 3. Response Times **\n\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. 
Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n- Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n- Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known. Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n- Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's data. 
This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server error, FTP banners, language, etc.).\n- Use of out-of-date third-party libraries without proof of exploitability.\n- Vulnerabilities in third-party scripts used on MercadoLibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. 
X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email configuration related issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools to provide anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n** 7. Considerations **\n\na. Considerations on issues related to credentials in public sources:\n- A working PoC with proven impact is mandatory, at a minimum demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered for previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n- Former employees may participate after 1 year, and the bounty table could be affected based on known vectors.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n\n# Thank you for helping to keep Mercado Libre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-17T20:13:28.991Z"},{"id":3746783,"new_policy":"# Policy\n\n## Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. 
Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges **\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. 
Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. 
This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. 
X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic instrumentation, debugging, emulation, tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n** 7. Considerations **\n\na. Considerations on issues related to credentials on public sources:\n- A working PoC with proven impact is mandatory, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties paid for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 8. Testing **\n\n### Users\nHackers can create test users in order to run their tests. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Mercado Libre is committed to safeguarding our customers and their data. We believe that coordinated disclosure by security researchers and collaboration with the security community are essential for achieving our security objectives.\n\nIf you identify a security vulnerability in one of our websites, we encourage you to report it to us. We appreciate your help in enhancing our security measures.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-17T19:41:37.819Z"},{"id":3746775,"new_policy":"#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. 
Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. 
Current Active Promotions and Challenges **\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. 
Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. 
This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. 
X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic instrumentation, debugging, emulation, tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n**7. Considerations**\n\na. Considerations on issues related to credentials on public sources:\n- A working PoC with proven impact is mandatory, at minimum demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed.\n- Reports of leaked credentials will be classified according to their severity, with the highest level being High, which carries a maximum bounty of $3,000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may be raised or lowered depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any H1 triager or MELI staff member will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n**8. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors.\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2024-12-17T18:52:43.609Z"},{"id":3745477,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n**1. Rewards**\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n**2. Current Active Promotions and Challenges**\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n| PNF | Web | MLC, MLB | Test users provided in documentation | F3801333 |\n| Mplay Live | Web | MLA | Test users provided in documentation | F3801334 |\n| Linking of Physical Cards | Web | MLA, MLB, MLM, MLC | Only production | F3801335 |\n| Crypto | Mobile | MLB, MLC, MLM | Only production | F3801336 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n**3. 
Response Times**\n\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**4. Restrictions**\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**5. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n- Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n- Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n- Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**6. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.).\n- Use of out-of-date third-party libraries without proof of exploitability.\n- Vulnerabilities in third-party scripts used on Mercadolibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email-configuration issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n**7. Considerations**\n\na. Considerations on issues related to hardcoded credentials on public sources:\n- A working PoC with proven impact is mandatory, at minimum demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n- Hackers should submit the leaked credentials to the program and should NOT test their validity beyond authenticating and then immediately deauthenticating, without exercising any functionality intended to prove or escalate severity.\n- Leaked-credential reports will be evaluated for criticality, with the maximum severity being High, which carries a maximum payment of $1000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may be raised or lowered depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any H1 triager or MELI staff member will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n**8. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors.\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-29T20:53:50.116Z"},{"id":3745103,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n**1. Rewards**\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n**2. Current Active Promotions and Challenges**\n\nPromotions\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| Eshop | Web | ALL SITES | Test and production | F3739478 |\n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 |\n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 |\n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 |\n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 |\n\nChallenges\n\n| Feature | Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- |\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the highest severity you reported differs between the two years, the tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| A 2X bonus on a critical vulnerability each quarter |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X bonus.\n- The 2X bonus can be claimed at most four times per year.\n\n**4. 
Response Times**\n\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**5. Restrictions**\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**6. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n- Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n- Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n- Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.).\n- Use of out-of-date third-party libraries without proof of exploitability.\n- Vulnerabilities in third-party scripts used on Mercadolibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email-configuration issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n**8. Considerations**\n\na. Considerations on issues related to hardcoded credentials on public sources:\n- A working PoC with proven impact is mandatory, at minimum demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n- Hackers should submit the leaked credentials to the program and should NOT test their validity beyond authenticating and then immediately deauthenticating, without exercising any functionality intended to prove or escalate severity.\n- Leaked-credential reports will be evaluated for criticality, with the maximum severity being High, which carries a maximum payment of $1000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none at all, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may be raised or lowered depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any H1 triager or MELI staff member will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n**9. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors.\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-22T15:27:02.954Z"},{"id":3745102,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n**1. Rewards**\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\nPromotions\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| Eshop | Web | ALL SITES | Test and production | F3739478 | \n| Checkout Buying Flow | Web, Mobile | MLA, MLB, MLC, MLM | Test and production | F3739472 | \n| Wishlist \u0026 Gift Registries | Web, Mobile | ALL SITES | Test and production | F3739481 | \n| Omnichannel Publish \u0026 Edit | Web | ALL SITES | Test and production | F3739480 | \n| CDP Omnichannel | Web, Mobile | ALL SITES | Test and production | F3739476 | \n\nChallenges\n\n| Feature |  Type | Sites | Users | Documentation |\n|--- | --- | --- | --- | --- | ---|\n| 2FA - ReAuth Capability | Web, Mobile | ALL SITES | Only production | F3739483 |\n| Blurred Face | Web, Mobile | ALL SITES | Only production | F3748231 |\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| A 2X bonus in a critical vulnerability each quarter |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n- The maximum amount of 2X bonus is four per year.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 10 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. 
robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n- Hackers should submit the leaked credentials to the program and should NOT test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality intend to prove escalate severity.\n- The leak credentials reports will be evaluate the criticity, with the maximum limit being high. Which will have a maximum payment of $1000.\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-22T15:25:52.479Z"},{"id":3744140,"new_policy":"#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Type | Name | Documentation | \n| --- | --- | --- |  \n| Promotion | Eshop | F3739478 | \n| Promotion | Checkout Buying Flow | F3739472 | \n| Promotion | Wishlist \u0026 Gift Registries | F3739481 | \n| Promotion | Omnichannel Publish \u0026 Edit | F3739480 | \n| Promotion | CDP Omnichannel | F3739476 | \n| Challenge | 2FA - ReAuth Capability | F3739483 |\n| Challenge | Blurred Face | F3748231 |\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| A 2X bonus in a critical vulnerability each quarter |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n- The maximum amount of 2X bonus is four per year.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. 
robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n- Hackers should submit the leaked credentials to the program and should NOT test their validity beyond authenticating and then immediately deauthenticating - without exercising any functionality intend to prove escalate severity.\n- The leak credentials reports will be evaluate the criticity, with the maximum limit being high. Which will have a maximum payment of $1000.\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-09T17:34:35.196Z"},{"id":3743839,"new_policy":"#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Type | Name | Documentation | \n| --- | --- | --- |  \n| Promotion | Eshop | F3739478 | \n| Promotion | Checkout Buying Flow | F3739472 | \n| Promotion | Wishlist \u0026 Gift Registries | F3739481 | \n| Promotion | Omnichannel Publish \u0026 Edit | F3739480 | \n| Promotion | CDP Omnichannel | F3739476 | \n| Challenge | 2FA - ReAuth Capability | F3739483 | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| A 2X bonus in a critical vulnerability each quarter |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n- The maximum amount of 2X bonus is four per year.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.).\n- Use of out-of-date 3rd-party libraries without proof of exploitability.\n- Vulnerabilities in 3rd-party scripts used on Mercadolibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email configuration related issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic-instrumentation, debugging, emulation, tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n- Hackers should submit the leaked credentials to the program and should NOT test their validity beyond authenticating and then immediately deauthenticating, without exercising any functionality in an attempt to prove or escalate severity.\n- Leaked-credential reports will be evaluated for criticality, with the maximum severity being High, which has a maximum payment of $1000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may sometimes be adjusted down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties paid for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user may be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be affected based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-11-06T16:30:51.442Z"},{"id":3741232,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges **\n\n- Currently there are no active promotions\n- Currently inactive: Account TakeOver - 2FA Bypass\n\n**3. Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the severity you reported is not the same in both years, the tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | 
High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| A 2X bonus on one critical vulnerability each quarter |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n- The maximum number of 2X bonuses is four per year.\n\n** 4. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.).\n- Use of out-of-date 3rd-party libraries without proof of exploitability.\n- Vulnerabilities in 3rd-party scripts used on Mercadolibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email configuration related issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic-instrumentation, debugging, emulation, tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n- Hackers should submit the leaked credentials to the program and should NOT test their validity beyond authenticating and then immediately deauthenticating, without exercising any functionality in an attempt to prove or escalate severity.\n- Leaked-credential reports will be evaluated for criticality, with the maximum severity being High, which has a maximum payment of $1000.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity may sometimes be adjusted down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties paid for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user may be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be affected based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-04T21:17:30.252Z"},{"id":3735221,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges **\n\n- Currently there are no active promotions\n- Currently inactive: Account TakeOver - 2FA Bypass\n\n**3. Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the severity you reported is not the same in both years, the tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | 
High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| A 2X bonus on one critical vulnerability each quarter |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n- The maximum number of 2X bonuses is four per year.\n\n** 4. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Non-Qualifying Vulnerabilities **\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues.\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags.\n- Denial-of-service attacks.\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.).\n- Use of out-of-date 3rd-party libraries without proof of exploitability.\n- Vulnerabilities in 3rd-party scripts used on Mercadolibre's websites.\n- Non-sensitive cross-site request forgery (e.g. logout).\n- Leaking information via the Referer header.\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP).\n- SPF, DKIM, DMARC or other email configuration related issues.\n- Password or account recovery policies, such as reset link expiration or password complexity.\n- Reports from automated web security scanners.\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages.\n- Version number/banner disclosure on public-facing websites.\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.).\n- Lack of DNSSEC.\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS).\n- HTTP TRACE or OPTIONS methods enabled.\n- Clickjacking not directly related to account takeover.\n- Vulnerabilities only affecting end-of-life browsers or platforms.\n- Self-XSS and issues exploitable only through Self-XSS.\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.\n- Bugs requiring exceedingly unlikely user interaction.\n- Certificate pinning and SSL/TLS best practices on native apps.\n- Obfuscated code on native apps.\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic-instrumentation, debugging, emulation, tampering, or root detection on native apps.\n- Exported components with no real security impact on native apps.\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors.\n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact.\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. 
Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-08-06T15:41:13.341Z"},{"id":3728995,"new_policy":"#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n- Currently there are no active promotions\n- Currently inactive: Account TakeOver - 2FA Bypass\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Non-Qualifying Vulnerabilities**\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. 
robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n- Any report where non-monetary actions can be performed even without going through the identity validation process (KYC).\n- Any GraphQL vulnerability with DoS impact\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. 
Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. 
Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-07T16:39:05.315Z"},{"id":3728907,"new_policy":"#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n- Currently there are no active promotions\n- Currently inactive: Account TakeOver - 2FA Bypass\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n- Any report where non-monetary actions can be performed even without going through the data validation process (KYC).\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-06T23:44:56.729Z"},{"id":3728353,"new_policy":"#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and a high level of technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n- Currently there are no active promotions.\n- Currently inactive: Account TakeOver - 2FA Bypass\n\n**3. Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the highest severity you reported differs between the two years, the tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | 
High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions:\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation by our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or the explicit authorization of MercadoLibre is given.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server-Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth-related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar tools for anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/DataPrivacy terms, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability's impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please do not upload automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties paid for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create test users in order to run testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL whose response contains the following header: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table could be adjusted based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-06-01T03:29:52.953Z"},{"id":3727330,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engagement with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and a high level of technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Type | Name | Documentation | \n| --- | --- | --- | \n| Promotion |  Seller Central  |  F3242802  | \n| Promotion |  MShops - Site Builder  |  F3242806  | \n| Promotion |  MShops - Guest Checkout Flow  |  F3242807  | \n| Promotion |  Zero Dollar Auth  |  F3242808  | \n| Promotion |  Mechanical Verification  |  F3242810  | \n| Promotion |  Samsung \u0026 Google Pay  |  F3242814  | \n| Promotion |  Merchant  |  F3242815  | \n| Promotion |  Optin - Seller's Onboarding  |  F3242822  | \n\nCurrently inactive: Account TakeOver - 2FA Bypass\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the highest severity you reported differs between the two years, the tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions:\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation by our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or the explicit authorization of MercadoLibre is given.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server-Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth-related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar tools for anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/DataPrivacy terms, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability's impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please do not upload automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties paid for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create test users in order to run testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL whose response contains the following header: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table could be adjusted based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-23T20:19:45.408Z"},{"id":3726400,"new_policy":"# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engagement with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and a high level of technical skill in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Type | Name | Documentation | \n| --- | --- | --- | \n| Challenge  | Account TakeOver - 2FA Bypass | F3030657 | \n| Promotion |  Seller Central  |  F3242802  | \n| Promotion |  MShops - Site Builder  |  F3242806  | \n| Promotion |  MShops - Guest Checkout Flow  |  F3242807  | \n| Promotion |  Zero Dollar Auth  |  F3242808  | \n| Promotion |  Mechanical Verification  |  F3242810  | \n| Promotion |  Samsung \u0026 Google Pay  |  F3242814  | \n| Promotion |  Merchant  |  F3242815  | \n| Promotion |  Optin - Seller's Onboarding  |  F3242822  | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the highest severity you reported differs between the two years, the tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions:\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-16T16:50:00.797Z"},{"id":3725474,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\nCrypto Scope:\n- www.mercadopago.com.mx/crypto/*\n- www.mercadopago.cl/crypto/*\n- www.mercadopago.com.br/crypto/*\n\n#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n**1. Rewards**\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n**2. Current Active Promotions and Challenges**\n\n| Type | Name | Documentation |\n| --- | --- | --- |\n| Challenge | Account TakeOver - 2FA Bypass | F3030657 |\n| Promotion | Seller Central | F3242802 |\n| Promotion | MShops - Site Builder | F3242806 |\n| Promotion | MShops - Guest Checkout Flow | F3242807 |\n| Promotion | Zero Dollar Auth | F3242808 |\n| Promotion | Mechanical Verification | F3242810 |\n| Promotion | Samsung \u0026 Google Pay | F3242814 |\n| Promotion | Merchant | F3242815 |\n| Promotion | Optin - Seller's Onboarding | F3242822 |\n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf the highest severity you reported differs between the two years, your tier is decided by this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X Bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n**4. 
Response Times**\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**5. Restrictions**\n- Massive automatic scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**6. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n- Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until mutual agreement is reached or with the explicit authorization of MercadoLibre.\n- Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known. Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), which commit to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n- Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's data. This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**7. Vulnerabilities**\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server-Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services are out of scope.\n- OAuth-related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server error, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools for anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n**8. Considerations**\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- You must provide a working PoC with proven impact, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability's impact with the least damage possible.\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automatic scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet, with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide whether a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n**9. Testing**\n\n### Users\nHackers can create test users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the Restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scope, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be affected based on known vectors.\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-09T18:52:11.727Z"},{"id":3724874,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\nCrypto Scope:\n- www.mercadopago.com.mx/crypto/*\n- www.mercadopago.cl/crypto/*\n- www.mercadopago.com.br/crypto/*\n\n# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Type | Name | Documentation | \n| --- | --- | --- | \n| Challenge  | Account TakeOver - 2FA Bypass | F3030657 | \n| Promotion |  Seller Central  |  F3242802  | \n| Promotion |  MShops - Site Builder  |  F3242806  | \n| Promotion |  MShops - Guest Checkout Flow  |  F3242807  | \n| Promotion |  Zero Dollar Auth  |  F3242808  | \n| Promotion |  Mechanical Verification  |  F3242810  | \n| Promotion |  Samsung \u0026 Google Pay  |  F3242814  | \n| Promotion |  Merchant  |  F3242815  | \n| Promotion |  Optin - Seller's Onboarding  |  F3242815  | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server error, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy section, dumping sensitive information is not allowed. Please investigate the purpose of any hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered for previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees can participate after 1 year, and the bounty table could be affected based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-05-03T16:01:30.699Z"},{"id":3724168,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\nCrypto Scope:\n- www.mercadopago.com.mx/crypto/*\n- www.mercadopago.cl/crypto/*\n- www.mercadopago.com.br/crypto/*\n\n# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\nConditions\n- Reports made in collaboration will not be considered for claiming the 2X Bonus.\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do their best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server error, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at least demonstrating that the credential is valid.\n- As already specified in the safe harbor/data privacy section, dumping sensitive information is not allowed. Please investigate the purpose of any hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered for previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- Reports in which the hacker uses inappropriate or disrespectful language towards any of the H1 triagers or MELI staff will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees can participate after 1 year, and the bounty table could be affected based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-25T17:39:30.940Z"},{"id":3723598,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\nCrypto Scope:\n- www.mercadopago.com.mx/crypto/*\n- www.mercadopago.cl/crypto/*\n- www.mercadopago.com.br/crypto/*\n\n# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\n\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $100 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can earn you an additional reward.\n\nBounty rewards will be decided based on internal team assessment, with CVSS (when applicable) taken into consideration for the final decision. Factors such as the involvement of customer data, the severity of the vulnerability, compliance with the guidelines set in the [H1 standard](https://docs.hackerone.com/en/articles/8369826-detailed-platform-standards) and the affected business unit may also be considered when deciding the final bounty range.\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do their best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server error, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-16T19:42:57.378Z"},{"id":3723326,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\nCrypto Scope:\n- www.mercadopago.com.mx/crypto/*\n- www.mercadopago.cl/crypto/*\n- www.mercadopago.com.br/crypto/*\n\n#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. The bounty table in for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can give you an extra reward.\n\nBounty rewards will be decided based on internal team assessment and taking CVSS (when applicable) as input for final decision. Variables such as which customer data is involved?, how massively is the vulnerability? and which business unit is affected, could be taken into consideration as well when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n- In reports where the hacker uses inappropriate or disrespectful language towards any of the triagers of H1 or MELI Staff, they will be closed as N/A. If the behavior is repeated, the user could be banned from the program.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-11T19:51:43.545Z"},{"id":3722920,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\nCrypto Scope:\n- www.mercadopago.com.mx/crypto/*\n- www.mercadopago.cl/crypto/*\n- www.mercadopago.com.br/crypto/*\n\n#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. 
Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. The bounty table in for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can give you an extra reward.\n\nBounty rewards will be decided based on internal team assessment and taking CVSS (when applicable) as input for final decision. Variables such as which customer data is involved?, how massively is the vulnerability? and which business unit is affected, could be taken into consideration as well when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIn case you don't have the same amount in the two years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Getting invite to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One Bonus 2X in a critical vulnerability every 3 months |  X  |    |    |   |\n\n** 4. 
Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 5. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 6. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-05T16:14:57.369Z"},{"id":3722915,"new_policy":"Note: The new bounty table does not apply to reports submitted prior to the update.\n\n**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\n#Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. 
Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n**1. Rewards**\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards will be decided based on an internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n**2. Current Active Promotions and Challenges** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. 
Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf you do not have the same severity level in both years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\n**4. 
Response Times**\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**5. Restrictions**\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**6. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\n Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**7. Vulnerabilities**\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- WordPress services exposed are out of scope.\n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n**8. Considerations**\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential works.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n**9. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-05T15:48:37.122Z"},{"id":3722908,"new_policy":"**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | Low  | Medium | High          | Critical      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\n# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. 
Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n**1. Rewards**\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards will be decided based on an internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n**2. Current Active Promotions and Challenges** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf you do not have the same severity level in both years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | 
High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\n**4. Response Times**\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**5. Restrictions**\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**6. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\n Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n**7. Vulnerabilities**\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- WordPress services exposed are out of scope.\n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against dynamic instrumentation, debugging, emulation, tampering, or rooting on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n**8. Considerations**\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is required, at least demonstrating that the credential works.\n- As already specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower severity level, or none, compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n**9. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-05T14:52:08.995Z"},{"id":3722907,"new_policy":"**For vulnerabilities in our CRYPTO scope, we have this special table:**\n\n|    | LOW  | MEDIUM | HIGH          | CRITICAL      |\n|----|------|--------|---------------|---------------|\n|    | $100 | $300   | $2000 - $6000 | $6000 - $10000|\n\n# Policy\n\nMercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Loyalty Program\n4. Response Times\n5. Restrictions\n6. Eligibility and Responsible Disclosure\n7. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. 
Non-Qualifying Vulnerabilities\n8. Considerations\n9. Testing\n\n\n**1. Rewards**\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards will be decided based on an internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n**2. Current Active Promotions and Challenges** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n**3. Loyalty Program**\n\n| TIER           | Requirements                                        |\n|----------------|-----------------------------------------------------|\n| TIER 1 - SPACE SENTINEL   | Reported at least one critical vulnerability in two years in a row   |\n| TIER 2 - GALAXY GUARDIAN   | Reported at least one high vulnerability in two years in a row       |\n| TIER 3 - ASTRO NOMAD       | Reported at least one medium vulnerability in two years in a row     |\n| TIER 4 - GALAXY EXPLORER   | Reported at least one low vulnerability in two years in a row        |\n\nIf you do not have the same severity level in both years, the decision is based on this table:\n\n|           | First Year | Second Year | Tier |\n|-----------|------------|-------------|------|\n| Hacker 1  | Critical   | Critical    | 1    |\n| Hacker 2  | Critical   | High        | 2    |\n| Hacker 3  | Critical   | Medium      | 3    |\n| Hacker 4  | Critical   | Low         | 4    |\n| Hacker 5  | High       | 
High        | 2    |\n| Hacker 6  | High       | Medium      | 3    |\n| Hacker 7  | High       | Low         | 4    |\n| Hacker 8  | Medium     | Medium      | 3    |\n| Hacker 9  | Medium     | Low         | 4    |\n| Hacker 10 | Low        | Low         | 4    |\n\n**Benefits**\n\n|          | T1 | T2 | T3 | T4 |\n|----------|----|----|----|----|\n| Special SWAG for the LHEs | X  | X  | X  | X  |\n| Triage and Bounty with priority | X  | X  | X  |    |\n| Invitation to our special SUPER LHE LATAM | X  | X  | X  |    |\n| Priority in new workflows | X  | X  |    |    |\n| One 2X bonus on a critical vulnerability every 3 months |  X  |    |    |   |\n\n**4. Response Times**\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n**5. Restrictions**\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n**6. 
Eligibility and Responsible Disclosure**\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until a mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\n Mercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 7. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 8. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n\n\n** 9. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-04-05T14:51:22.131Z"},{"id":3713782,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n5. Considerations\n6. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table in for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can give you an extra reward.\n\nBounty rewards will be decided based on internal team assessment and taking CVSS (when applicable) as input for final decision. Variables such as which customer data is involved?, how massively is the vulnerability? and which business unit is affected, could be taken into consideration as well when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-03-07T15:11:27.982Z"},{"id":3712672,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n5. Considerations\n6. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table in for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skills in your report can give you an extra reward.\n\nBounty rewards will be decided based on internal team assessment and taking CVSS (when applicable) as input for final decision. Variables such as which customer data is involved?, how massively is the vulnerability? and which business unit is affected, could be taken into consideration as well when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Biolibre Promotion | F3022185 | \n| Mplay Promotion | F3022182 | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submit) - 2 business days\n- Time to triage (from report submit) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automatic scanning are not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibits this activity.\n- Participation in this program is prohibited for internal employees\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to Mercadolibre without making any information or details of the vulnerability public until mutual agreement is made or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or other making such information generally known.\nMercado Libre will do their our best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines) which committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any Mercadolibre's customer or Mercadolibre's data. This includes disrupting or degrading Mercadolibre’s products and service to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers\u2028.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a Mercadolibre customer or employee account – (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities**\n\na.  Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NOSQL, LDAP, NOSQL, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (Ej. Exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Wordpress services exposed are out of scope. \n- OAuth related vulnerabilities.\n- Non-sensitive (ie. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on Stack traces or any type of banners (Server error, ftp banners, language, etc )\n- Use of out-of-date 3rd party libraries without proof of exploitability\n- Vulnerabilities in 3rd party scripts used on Mercadolibre's websites\n- Non-sensitive cross-site request forgery (Ej. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (Ej. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referer Policy HKPK) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories, (e.g. robots.txt,readme.html on WordPress, etc)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting the end of life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best Practices on native apps\n- Obfuscated Code on native apps\n- Use of Safety Net attestation API or similar tools to protect against Anti-Dynamic Instrumentation,  Debugging, Emulation, Tampering, or Root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc, will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n-  [Temporarily] Dependency confusion vectors \n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credential on public sources:\n- It’s a must give a working PoC with proven impact, at least demonstrating its a working credential\n- As it is already specified in safe harbor/DataPrivacy, it’s not allowed to dump sensitive information. Please investigate the purpose of hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on Issues related to vulnerabilities find in code review exercise or SAST:\n- Please avoid upload of automatic scanning tool results\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to vulnerable dependencies detected, CVEs, 0-day \u0026 working exploits needs to be exploitable through internet with a proper PoC.\n \n\nc. Considerations on Issues related to vulnerabilities find in third parties applications use by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- Cross-site scripting vulnerabilities without a CSP bypass will be assessed with a lower or none severity level compared to those with a bypass.\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on Mercadolibre, for this reason sometimes the severity can go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of the bounties delivered in previous vulnerabilities does not represent a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick up any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n##Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in an URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees could play after 1 year and bounty table could be affected based in known vectors\n\n\n#Thank you for helping keep MercadoLibre and our customers Safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-14T23:05:31.475Z"},{"id":3712168,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n#Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n5. Considerations\n6. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards will be decided based on internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Biolibre Promotion | F3022185 | \n| Mplay Promotion | F3022182 | \n| Account TakeOver Challenge - 2FA Bypass | F3030657 | \n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's data. This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services. \n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors \n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is a must, at least demonstrating that it is a working credential.\n- As already specified under safe harbor/DataPrivacy, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n \n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table could be affected based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-05T21:09:17.247Z"},{"id":3711965,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards will be decided based on internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Biolibre Promotion | F3022185 | \n| Mplay Promotion | F3022182 | \n| Account TakeOver (ATO) - 2FA Bypass Challenge | F2626471 | \n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's data. This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services. \n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors \n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is a must, at least demonstrating that it is a working credential.\n- As already specified under safe harbor/DataPrivacy, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n \n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity can sometimes go down or up depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table could be affected based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-02-01T15:46:31.717Z"},{"id":3710079,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engaging with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate you reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the section on Scope). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards will be decided based on internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges ** \n\n| Name | Documentation | \n| --- | --- | \n| Account TakeOver (ATO) - 2FA Bypass Challenge | F2626471 | \n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following Response Times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - Our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation from our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until mutual agreement is reached or with the explicit authorization of MercadoLibre.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to the researcher to be mutually agreed upon.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's data. This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (Stored, Reflected, DOM)\n- Any type of Injection (SQL, NoSQL, LDAP, OS, XML, Eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege Escalation (lateral and vertical)\n- Business logic abuse with clear impact. \n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact. \n- Server Side Request Forgery.\n- Remote File Inclusion.\n- Unvalidated Redirects and Forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services. \n- OAuth related vulnerabilities.\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks \n- Information disclosure based on stack traces or any type of banners (server errors, FTP banners, language, etc.)\n- Use of out-of-date third-party libraries without proof of exploitability\n- Vulnerabilities in third-party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout) \n- Leaking information via the Referer header \n- Missing Security Headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, CSP, Referrer-Policy, HPKP) \n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners \n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate Pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet attestation API or similar tools to protect against anti-dynamic instrumentation, debugging, emulation, tampering, or root detection on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc., will be analyzed in each case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors \n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is a must, at least demonstrating that it is a working credential.\n- As already specified under safe harbor/DataPrivacy, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerabilities related to detected vulnerable dependencies, CVEs, 0-days \u0026 working exploits need to be exploitable over the internet with a proper PoC.\n \n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- We reserve the right to set the severity of a vulnerability based on its direct impact on MercadoLibre, so the severity may be raised or lowered depending on the case.\n- The MercadoLibre team may also decide that a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create test users in order to run their testing. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the Restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide at the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to the scope rules, if you’ve found a vulnerability in a URL whose response contains the following header: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-01-02T14:44:46.704Z"},{"id":3708754,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engagement with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate your reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Promotions and Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the Scope section). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards are decided by internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n** 2. Current Active Promotions and Challenges **\n\n| Name | Documentation |\n| --- | --- |\n| Automatic Debit Promotion | F2908477 |\n| Registration - Mercado Envíos Extra Promotion | F2908503 |\n| BHS - Pessoa Jurídica - Crypto Promotion | How to create a CNPJ account in Mercado Pago? https://www.mercadopago.com.br/hub/registration/landing/company https://conteudo.mercadopago.com.br/conta-pj-do-mercado-pago |\n| Account TakeOver (ATO) - 2FA Bypass Challenge | F2626471 |\n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. 
Please do creative testing instead.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation by our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until a mutual agreement is reached or MercadoLibre gives explicit authorization.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's own data. 
This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (stored, reflected, DOM)\n- Any type of injection (SQL, NoSQL, LDAP, OS, XML, eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated redirects and forwards\n\nb. 
Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth-related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd-party libraries without proof of exploitability\n- Vulnerabilities in 3rd-party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 pages or other non-200 HTTP status codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. 
robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL/TLS configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering or root-detection controls on native apps\n- Exported components with no real security impact on native apps\n- Credential/information disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains through the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at minimum demonstrating that the credential is valid\n- As specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. Investigate the purpose of any hardcoded credential you find so that you can demonstrate the impact with the least possible damage.\n\n\nb. 
Considerations on issues found through code review or SAST:\n- Please do not upload the raw output of automated scanning tools\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerable dependencies, CVEs, 0-days \u0026 working exploits must be exploitable over the internet and accompanied by a proper PoC.\n\n\nc. Considerations on issues found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. Other Considerations\n\n- We reserve the right to set the severity of a vulnerability based on its direct impact on MercadoLibre, so the severity may be raised or lowered depending on the case.\n- The MercadoLibre team may also decide that a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create test users in order to run their testing. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the Restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide at the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to the scope rules, if you’ve found a vulnerability in a URL whose response contains the following header: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-12-07T14:41:31.270Z"},{"id":3708264,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engagement with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate your reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the Scope section). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards are decided by internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n** 2. Current Active Challenges **\n- Account TakeOver (ATO) - 2FA Bypass\n\nF2626471\n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing instead.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation by our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until a mutual agreement is reached or MercadoLibre gives explicit authorization.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's own data. This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (stored, reflected, DOM)\n- Any type of injection (SQL, NoSQL, LDAP, OS, XML, eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated redirects and forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth-related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd-party libraries without proof of exploitability\n- Vulnerabilities in 3rd-party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 pages or other non-200 HTTP status codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL/TLS configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering or root-detection controls on native apps\n- Exported components with no real security impact on native apps\n- Credential/information disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains through the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n** 7. Considerations **\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is mandatory, at minimum demonstrating that the credential is valid\n- As specified in the safe harbor/data privacy terms, dumping sensitive information is not allowed. Investigate the purpose of any hardcoded credential you find so that you can demonstrate the impact with the least possible damage.\n\n\nb. Considerations on issues found through code review or SAST:\n- Please do not upload the raw output of automated scanning tools\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerable dependencies, CVEs, 0-days \u0026 working exploits must be exploitable over the internet and accompanied by a proper PoC.\n\n\nc. Considerations on issues found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- We reserve the right to set the severity of a vulnerability based on its direct impact on MercadoLibre, so the severity may be raised or lowered depending on the case.\n- The MercadoLibre team may also decide that a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n** 8. Testing **\n\n### Users\nHackers can create test users in order to run their testing. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the Restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide at the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to the scope rules, if you’ve found a vulnerability in a URL whose response contains the following header: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-29T20:07:02.497Z"},{"id":3708144,"new_policy":"Mercado Libre is committed to the security of our customers and their data. We believe that coordinated disclosure by security researchers and engagement with the security community is an important means of achieving our security goals.\n\nIf you believe you have found a security vulnerability in one of our websites, we welcome and greatly appreciate your reporting it to Mercado Libre, as long as it falls in scope and is not one of the types of vulnerability listed as out of scope below.\n\n# Table of Contents\n1. Rewards\n2. Current Active Challenges\n3. Response Times\n4. Restrictions\n5. Eligibility and Responsible Disclosure\n6. Vulnerabilities\n\u003e a. Qualifying Vulnerabilities\n\u003e b. Non-Qualifying Vulnerabilities\n7. Considerations\n8. Testing\n\n\n** 1. Rewards **\nMercadoLibre may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is $50 USD. 
The bounty table for this program outlines the usual minimum rewards based on the assessed CVSS score for in-scope properties (see the Scope section). We reserve the right to reward vulnerabilities based on impact. Clarity and high technical skill in your report can earn you an extra reward.\n\nBounty rewards are decided by internal team assessment, taking CVSS (when applicable) as input for the final decision. Variables such as which customer data is involved, how widespread the vulnerability is, and which business unit is affected may also be taken into consideration when deciding the final bounty range.\n\n\n** 2. Current Active Challenges **\n- Account TakeOver (ATO) - 2FA Bypass\n\nF2626471\n\n** 3. Response Times **\nMercadoLibre will make a best effort to meet the following response times for hackers participating in our program:\n- Time to first response (from report submission) - 2 business days\n- Time to triage (from report submission) - 4 business days\n- Time to bounty (from triage) - 30 business days\n\nWe’ll try to keep you informed about our progress throughout the process.\n\n** 4. Restrictions **\n- Massive automated scanning is not allowed. Please do creative testing instead.\n- If you use test users improperly or out of scope, you risk a program ban.\n- If you significantly degrade our service, you risk a program ban.\n- No DoS - our cloud providers prohibit this activity.\n- Participation in this program is prohibited for internal employees.\n- Former employees are eligible to participate in the program only after a period of one year from their date of employment termination.\n- Participation by our company's providers, including any individuals or entities directly affiliated with our organization, is strictly prohibited.\n\n** 5. 
Eligibility and Responsible Disclosure **\n\nTo encourage coordinated disclosure, MercadoLibre does not intend to initiate any legal action or law enforcement investigation against security researchers as long as they adhere to the following guidelines:\n\n - Researchers will report details of a discovered security issue to MercadoLibre without making any information or details of the vulnerability public until a mutual agreement is reached or MercadoLibre gives explicit authorization.\n - Researchers will allow Mercado Libre reasonable time to resolve the issue before publishing any information or details about the vulnerability or otherwise making such information generally known.\nMercado Libre will do its best to follow the [HackerOne disclosure guidelines](https://hackerone.com/disclosure-guidelines), committing to open communication, providing an initial response to the researcher within 30 days, and providing a disclosure timeline to be mutually agreed upon with the researcher.\n - Researchers will make all reasonable attempts in good faith to avoid destroying, stealing, modifying, damaging, violating or otherwise jeopardizing the personal data or privacy of any MercadoLibre customer or MercadoLibre's own data. This includes disrupting or degrading MercadoLibre’s products and services to its customers.\n\nThe following are expressly prohibited and are not covered under the above Coordinated Disclosure Policy:\n\n- Physical attacks against Mercado Libre employees, offices, and data centers.\n- Social engineering of Mercado Libre employees, contractors, vendors, or service providers, including phishing.\n- Pursuing vulnerabilities which send unsolicited bulk messages (spam).\n- Pursuing vulnerabilities through the compromise of a MercadoLibre customer or employee account (e.g. 
do not attempt to gain access to another user’s account or data).\n- Knowingly posting, transmitting, uploading, linking to, or sending any malware to Mercado Libre or its employees.\n- Mass account creation for testing against Mercado Libre applications and services.\n- \"Brute force\" testing to determine if rate limiting is in place for APIs or other functionality.\n\n** 6. Vulnerabilities **\n\na. Qualifying Vulnerabilities\n\nExamples of vulnerabilities MercadoLibre is interested in receiving:\n- Authentication flaws\n- Cross-site scripting (stored, reflected, DOM)\n- Any type of injection (SQL, NoSQL, LDAP, OS, XML, eval)\n- Cross-site request forgery on sensitive controllers (CSRF/XSRF)\n- Mixed content scripts (scripts loaded over HTTP on an HTTPS page)\n- Server-side code execution (e.g. exposed consoles or server-side template injection)\n- Privilege escalation (lateral and vertical)\n- Business logic abuse with clear impact\n- IDOR (Insecure Direct Object Reference)\n- XML External Entity injection\n- Security misconfigurations with clear impact\n- Server Side Request Forgery\n- Remote File Inclusion\n- Unvalidated redirects and forwards\n\nb. Non-Qualifying Vulnerabilities\n\nOut-of-scope issues that should not be tested or reported:\n\n- [Temporarily] All vulnerabilities related to the Collaborators feature.\n- Lack of rate limiting on a particular API or other 'load testing' types of issues\n- Exposed WordPress services\n- OAuth-related vulnerabilities\n- Non-sensitive (i.e. non-session) cookies missing the Secure or HttpOnly flags\n- Denial-of-service attacks\n- Information disclosure based on stack traces or any type of banner (server errors, FTP banners, language, etc.)\n- Use of out-of-date 3rd-party libraries without proof of exploitability\n- Vulnerabilities in 3rd-party scripts used on MercadoLibre's websites\n- Non-sensitive cross-site request forgery (e.g. 
Logout)\n- Leaking information via the Referer header\n- Missing security headers (e.g. X-Frame-Options, Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, CORS, Referrer-Policy, HPKP)\n- SPF, DKIM, DMARC or other email configuration related issues\n- Password or account recovery policies, such as reset link expiration or password complexity\n- Reports from automated web security scanners\n- HTTP 404 codes/pages or other HTTP non-200 codes/pages\n- Version number/banner disclosure on public-facing websites\n- Disclosure of known public files or directories (e.g. robots.txt, readme.html on WordPress, etc.)\n- Lack of DNSSEC\n- SSL configuration issues (cipher suites, SHA-1 certificates, BEAST/CRIME, lack of PFS)\n- HTTP TRACE or OPTIONS methods enabled\n- Clickjacking not directly related to account takeover\n- Vulnerabilities only affecting end-of-life browsers or platforms\n- Self-XSS and issues exploitable only through Self-XSS\n- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality\n- Bugs requiring exceedingly unlikely user interaction\n- Certificate pinning and SSL/TLS best practices on native apps\n- Obfuscated code on native apps\n- Use of the SafetyNet Attestation API or similar anti-dynamic-instrumentation, anti-debugging, anti-emulation, anti-tampering or root-detection tools on native apps\n- Exported components with no real security impact on native apps\n- Issues related to credentials/info disclosure in public sources such as Trello, GitHub, Wayback, etc. will be analyzed case by case and may not be eligible for bounty.\n- Vulnerabilities related to loading arbitrary domains on the following deeplinks:\n    - mercadopago://in-app-browser/?url=$URL\n    - meli://in-app-browser/?url=$URL\n    - The In-App Browser feature is designed to open external web pages through a deeplink directly from the app without breaking its flow. 
Therefore, any external website that may be opened in the in-app browser is treated as an untrusted domain.\n- [Temporarily] Dependency confusion vectors\n\n**7. Considerations**\n\na. Considerations on issues related to hardcoded credentials in public sources:\n- A working PoC with proven impact is required, at a minimum demonstrating that the credential is valid.\n- As already specified in the Safe Harbor / Data Privacy section, dumping sensitive information is not allowed. Please investigate the purpose of the hardcoded credentials you find in order to demonstrate the vulnerability impact with the least damage possible.\n\n\nb. Considerations on issues related to vulnerabilities found in code review exercises or SAST:\n- Please avoid uploading automated scanning tool results.\n- 0-day and other CVE vulnerabilities may be reported 30 days after initial publication ([CVE List Status](https://nvd.nist.gov/vuln/vulnerability-status) of Published).\n- Vulnerable dependencies, CVEs, 0-days and working exploits need to be exploitable over the internet with a proper PoC.\n\n\nc. Considerations on issues related to vulnerabilities found in third-party applications used by MercadoLibre:\n- If the vulnerability is found in a third-party application used by MercadoLibre, it must be exploitable on MercadoLibre's infrastructure to be considered valid. Otherwise, it will be marked as informative.\n\nd. 
Other Considerations\n\n- We reserve the right to establish the severity of the vulnerability taking into account the direct impact on MercadoLibre; for this reason the severity may be adjusted up or down depending on the case.\n- The MercadoLibre team can also decide if a vulnerability is a duplicate of either a previous report in our bug bounty program or an internal report made by one of our collaborators.\n- Bounties are set according to our current payout table.\n- The value of bounties awarded for previous vulnerabilities does not set a precedent for future vulnerabilities.\n\n\n**8. Testing**\n\n### Users\nHackers can create users in order to launch testing probes. To do so, follow the steps detailed at: https://developers.mercadolibre.com.ar/en_us/start-testing\n- Testing with test users is limited exclusively to our scope. Please check the restrictions section.\n\n### Credit cards\nYou can use test credit cards from local payment methods in each country and simulate different payment responses, with no real credit cards needed. 
To do that, pick any of the cards we provide in the link below, according to the country your user is registered in:\nhttps://www.mercadopago.com.ar/developers/es/docs/checkout-api/additional-content/your-integrations/test/cards\n\n## Additional notes\n\n- In addition to scopes, if you’ve found a vulnerability in a URL that contains the following header in the response: **X-Meli-Header: bee57219-4933-4d21-89bb-96169262a69f**, then it is NOT eligible for bounty.\n- Former employees may participate after 1 year, and the bounty table may be adjusted based on known vectors.\n\n\n# Thank you for helping keep MercadoLibre and our customers safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-28T15:13:02.454Z"}]