Responsible Disclosure of Vulnerabilities


MCretail, SGPS, S.A (MC) is committed to the security of the information of its stakeholders as well as the security of its information systems that support the business.

This document aims to provide guidelines for security analysts conducting vulnerability discovery activities associated with MC’s information systems, as well as guidelines for reporting them in case their existence is confirmed.

At MC, we encourage the reporting of any potential vulnerabilities in our information systems but emphasize that this document does not constitute a bug bounty program.


If vulnerability discovery activities are conducted in good faith and in accordance with the provisions and spirit of this document, MC will consider such activities as authorized and will not recommend or pursue any legal action against the responsible parties. Instead, MC will promote collaboration to understand and address the reported vulnerabilities. However, MC’s authorization will not be relevant if a public crime is at stake.

Procedures for Responsible Disclosure

If any vulnerability is identified, we kindly request that you contact MC as soon as possible via the email address:

In order to expedite the triage and prioritization of reports, we recommend that the disclosure:

  • includes a description of the vulnerability, where it was discovered, i.e., the system/IP address involved, as well as the potential impact of its exploitation;
  • provides a detailed description of the steps required to replicate the vulnerability;
  • is written in Portuguese or English.

Whenever possible, the message contents should be encrypted using MC’s PGP key to ensure confidentiality and non-repudiation of information:
– Key_ID: AD94 843A A68B 87E6
– Fingerprint: CFAD33CFBE9F567E6ABF60D6AF94843AA68B876E6


The scope of this policy includes the below listed publicly available MC web services:


This policy also encompasses all other MC web services publicly available on the internet.

Scope exclusions

The following are considered outside the scope:

  • Exploiting vulnerabilities or using techniques that may result in degradation or denial of service (DoS/DDoS);
  • Employing disproportional and inappropriate means and resources to validate identified vulnerabilities;
  • Employing social engineering techniques, spam, phishing, or any other form of human resources exploitation;
  • Conducting physical security tests;
  • Exploiting vulnerabilities or identified errors to access data beyond what is strictly necessary for vulnerability validation;
  • Deleting or modifying data;
  • Topics related to general security recommendations, such as:

– Weak TLS protocol configurations;
– Non-conformities with best practices (e.g., SPF/DKIM/DMARC configurations, CSP, TLS configurations);
– Results from widely known automated solutions/tools;

  • Assets from MC partners.

What we request

  • That detailed, relevant, and sufficient information is provided to enable the analysis of the identified vulnerability;
  • That obtained information is not abused or used in a way that could compromise its availability and confidentiality nor the integrity of the platform;
  • That user privacy is assured;
  • That identified vulnerabilities are not publicly disclosed until they are mitigated or until 90 days after the receipt of the communication, unless otherwise expressly indicated by MC;
  • That cooperative, responsible, and law-compliant behavior is assured.

What to expect from MC

  • A response within a maximum of seven days, including an assessment of the reported vulnerability and an estimated timeline for the mitigation;
  • MC will not share information with third parties without authorization, except as required by law or judicial imposition;
  • Permission for disclosure of the work performed, provided that the reported vulnerabilities have already been mitigated and no negative consequences of disclosure are foreseen for MC.

Privacy Notice

Responsibility for personal data processing will lie with the company that exclusively owns each asset listed within the scope of this policy, hereinafter referred to as “company” and/or “companies”.

Companies will process your e-mail, name and/or pseudonym in the strict legitimate interest of ensuring the regular receipt and analysis of your report. Each of them undertakes to delete your personal data within a maximum period of five (5) years.

Your personal data may be transmitted to partner companies (Processors) whose participation is indispensable to ensure this initiative, such as IT companies, it being understood that the same level of security and privacy in such processing is guaranteed.

Companies may need to transmit some of your personal data to the Competent Authorities, by legal and/or judicial imposition.

As a data subject, you can, at any moment, exercise your data protection rights – right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, and the right to object – and contact the companies’ Data Protection Officers (“DPOs”) through the email addresses indicated by the companies in their Privacy Policies, available for consultation on their own assets listed within the scope of this policy.

Companies will carefully analyze your requests, evaluating their legitimacy and relevance, committing themselves to respond within the legal timeframe for this purpose.

If you believe that any company has not respected your rights, you can lodge a complaint with the Portuguese Supervisory Authority – Comissão Nacional de Proteção de Dados (CNPD): Address: Av. D. Carlos I, 134 – 1.º, 1200-651 – Lisboa | Phone: +351 213 928 400 | Fax: +351 213 976 832 | E-mail: