Itaú Unibanco Vulnerability Disclosure Program

Complete guide to Itaú Unibanco's vulnerability disclosure program on HackerOne. View in-scope assets, reward amounts, response times, and tips for finding vulnerabilities.

Program Overview

Itaú Unibanco runs a vulnerability disclosure program on HackerOne. The program has 138 in-scope assets and is managed by HackerOne's triage team.

In-Scope Assets: 138
Efficiency: 79%

In-Scope Assets

| Asset | Type | Max Severity | Eligible |
|---|---|---|---|
| *.itau | WILDCARD | Critical | No Bounty |
| *.itau.co | WILDCARD | Critical | No Bounty |
| *.itau.com.br | WILDCARD | Critical | No Bounty |
| *.itau.com.pa | WILDCARD | Critical | No Bounty |
| *.userede.com.br | WILDCARD | Critical | No Bounty |
| afapitau.com.uy | URL | Critical | No Bounty |
| afapitau.uy | URL | Critical | No Bounty |
| apptc.itau.co | URL | Critical | No Bounty |
| banco.itau.co | URL | Critical | No Bounty |
| bancofiat.com.br | URL | Low | No Bounty |
| bancoitau.com.br | URL | Low | No Bounty |
| bankline.com.br | URL | Medium | No Bounty |
| bfb.com.br | URL | Low | No Bounty |
| cloud.clienteitau.co | URL | Critical | No Bounty |
| comercial.itauseguros.co | URL | Critical | No Bounty |
| contacto.itau.co | URL | Critical | No Bounty |
| credicard.com.br | URL | Medium | No Bounty |
| credicardhall.com.br | URL | Low | No Bounty |
| credipronto.com.br | URL | High | No Bounty |
| credlineitau.com.br | URL | Critical | No Bounty |
| debitosoca.oca.com.uy | URL | High | No Bounty |
| escrevendoofuturo.org.br | URL | Low | No Bounty |
| euleioparaumacrianca.com.br | URL | Low | No Bounty |
| funbep.com.br | URL | High | No Bounty |
| fundacaoitausocial.org.br | URL | High | No Bounty |
| fundacaoitauunibanco.com.br | URL | High | No Bounty |
| fundacaosaudeitau.com.br | URL | High | No Bounty |
| garantiasempresas.itau.co | URL | Critical | No Bounty |
| hipercard.com.br | URL | High | No Bounty |
| https://apps.apple.com/br/app/%C3%ADon-ita%C3%BA-investimentos/id1531733746 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/banco-ita%C3%BA-conta-cart%C3%A3o-e/id474505665 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/credicard-cart%C3%A3o-de-cr%C3%A9dito/id928152601 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/credicard-on-cart%C3%A3o-de-cr%C3%A9dito/id1456157878 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/hipercard-cart%C3%A3o-de-cr%C3%A9dito/id1058898100 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/ita%C3%BA-cart%C3%B5es-de-cr%C3%A9dito/id394401915 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/ita%C3%BA-empresas-conta-mei-e-pj/id348274534 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/ita%C3%BA-trader/id1567279093 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/iti-banco-digital-gr%C3%A1tis/id1442872271 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/br/app/players-bank-conta-e-cart%C3%A3o/id1589488655 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/uy/app/itaú-empresas-uruguay/id1593750012 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/uy/app/itaú-pagos/id1139215807 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://apps.apple.com/uy/app/itaú-uy/id1065572083 | APPLE_STORE_APP_ID | Critical | No Bounty |
| https://metraje.oca.com.uy | URL | High | No Bounty |
| https://micuentanuevo.oca.com.uy/trx/login | URL | Critical | No Bounty |
| https://oca.uy | URL | High | No Bounty |
| https://ocablue.oca.com.uy | URL | High | No Bounty |
| https://ocablue.uy | URL | High | No Bounty |
| https://ocacomercios.oca.com.uy/ | URL | Critical | No Bounty |
| https://play.google.com/store/apps/details?id=com.credicard.app&hl=pt_BR&gl=US | GOOGLE_PLAY_APP_ID | Critical | No Bounty |
| https://play.google.com/store/apps/details?id=com.hipercard.app&hl=en&gl=US | GOOGLE_PLAY_APP_ID | Critical | No Bounty |

Showing 50 of 138 in-scope assets. View all on HackerOne.

Tips for Hacking Itaú Unibanco

  1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
  2. Enumerate the attack surface — Use subdomain enumeration and directory bruteforcing to map all accessible endpoints.
  3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
  4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
  5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Itaú Unibanco?

Sign up on HackerOne, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Itaú Unibanco pay bounties?

No, Itaú Unibanco runs a Vulnerability Disclosure Program (VDP) without monetary rewards. You may receive recognition or swag.

What types of vulnerabilities does Itaú Unibanco accept?

Itaú Unibanco accepts reports for vulnerabilities found in their 138 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.