Cookie Policy

This site uses cookies. When browsing the site, you are consenting its use. Learn more

I understood

Responsible Disclosure

The Portuguese Cybersecurity Center (CNCS) and the DNS.PT Association (.PT) consider the security of their users and systems a priority. We are committed to investigate and correct any vulnerability found on this platform in direct collaboration with the infosec community.

As promoters and entities responsible for the maintenance of the platform, .PT and CNCS allow the interested community to perform security tests and disclosure of the results under the terms and conditions set forth in this policy in order to identify any vulnerability.

This policy aims to define the cooperation methodology between the sponsoring entities and the community in order to facilitate the identification and mitigation of the security vulnerabilities following an ethical and responsible approach and contributing to a safer and more reliable use of the Internet.

If you identify any vulnerability please contact us through the e-mail address:

The e-mail should be encrypted with our PGP key in order to guarantee the confidentiality of the information:
- Key-ID: 4761FCDB
- Fingerprint: 145D898B98FE9CCB225A761D8D43EEFE4761FCDB


The terms defined in this policy applies only to the vulnerabilities identified in the platform and the servers that support its operation.

1. Exploit vulnerabilities or use techniques that may lead to degradation or denial of service;
2. Use of means and resources that are disproportionate and inadequate to prove identified vulnerabilities;
3. Conduct physical security tests, use social engineering techniques, spam or phishing as well as extend testing to third-party applications even if they are being used by the platform;
4. Human resources exploitation;
5. Use of identified vulnerabilities or errors to access data beyond what is strictly necessary for its verification;
6. Erasing or modifying data.


1. Provide us detailed, relevant and sufficient information that allows the analysis of the identified vulnerability;
2. Do not use the information obtained in an abusive manner and that may compromise the availability and confidentiality of the information and the integrity of the platform;
3. Ensure the privacy of the users;
4. Do not disclose identified vulnerabilities until it is corrected or 90 days after receiving the first response, unless expressly stated otherwise by the promoting entities;
5. Ensure a cooperative and responsible behavior and in compliance with the law.


1. A response within a maximum of seven days stating the evaluation of the reported vulnerability and the temporal estimate of correction;
2. If you follow the rules and procedures described in this policy no criminal participation will be made for facts related to the discovery of the reported vulnerability;
3. Confidentiality: We will not provide information to third parties without authorization, unless arising from legal obligation;
4. Provide relevant information related to the resolution of the identified vulnerability, whenever possible and appropriate;
5. The recognition through the platform with the name/nickname  and vulnerability found;
6. In the context of the Responsible Disclosure and within the applicable legal regime, your personal data will be erased immediately after the reason for which they were processed. Any question regarding treatment or access to personal data should be addressed to with the subject: Treatment of personal data.