Security
How to report a vulnerability, what's in scope, and what to expect from Swepay.
To report a security issue affecting Swepay infrastructure or this site, email security@swepay.com.br. We acknowledge within one business day and aim to resolve confirmed issues within 30 days. Please do not open public GitHub issues for security reports.
In scope: the marketing site (swepay.co, swepay.com.br) and any production identity-infrastructure endpoint reachable from the public internet under *.swepay.co or *.swepay.com.br. Out of scope: social engineering of staff, denial-of-service via volumetric traffic, and third-party services we do not operate (Cloudflare, registrars, Google Fonts).
PGP key publication is on the roadmap. Until then, send unencrypted reports to security@swepay.com.br and we will arrange a key exchange. This page reflects current operational intent; the formal policy is being finalized by counsel.