Bug Bounty Policy
The Program is not a game or competition, but rather an experimental and discretionary reward program. The decisions made by GrowthLoop in connection with this program, including the payment of any bounties, are final and binding. In the event of a conflict between these Program Terms and the GrowthLoop Terms & Conditions, these Program Terms will control to the extent of such conflict.
Please feel free to reach out to us at security@GrowthLoop.com with any questions regarding the Program. We look forward to hearing from you.
CHANGES TO THESE PROGRAM TERMS
We reserve the right to change these Program Terms, including the program rules, procedures, benefits or conditions of participation, in whole or in part, at any time, with or without notice. Your participation in the Program after changes are effective constitutes your acceptance of these Program Terms as updated. If you do not agree to any changes made to these Program Terms, you may not participate in the Program.
We may cancel the Program at any time, and the decision whether to pay particular rewards remains entirely within GrowthLoop’s discretion as described herein.
The program only applies to Bug Bounty Submissions made in accordance with these Program Terms on or after January 1, 2022. The Program is void where prohibited, and these Program Terms are subject to Canadian law, and there may be additional restrictions on participation in the program under your local law.
To be eligible to participate in the Program, you must be at least 18 years old prior to participating in this program, and you must be either (1) an individual researcher participating in the Program in your own individual capacity or (2) an individual participating on behalf of an organization that you work for that permits you to participate in the Program. You are solely responsible for reviewing and understanding your organization’s rules about whether and when you may participate in the Program, and you may not participate in the Program if you are not sure such participation is permitted. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty.
You may not participate in the Program if:
- You are under the age of 18;
- Your organization does not allow you to participate in these types of programs;
- You are a public sector employee (government and/or education) and have not obtained permission from your ethics compliance officer to participate in the Program;
- You are currently an employee, contractor, or consultant of GrowthLoop or any GrowthLoop subsidiary or affiliate, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee, contractor, or consultant;
- Within one year prior to your Bug Bounty Submission via the Program you were (or your immediate family member or household member was) an employee, contractor, or consultant of GrowthLoop or any GrowthLoop subsidiary or affiliate;
- You are the author, or were otherwise involved in the development of, any vulnerable code that is the subject of your submission;
- You are or were involved in any part of the development, administration, and/or execution of this Program;
- You are a resident of any country subject to sanctions by the United States and/or Canada that prohibit or restrict the payment to you of any applicable Bounty, or of any other country that does not allow participation in this type of program.
If (i) you do not meet the eligibility requirements above or any other requirements in these terms (including any submission-specific requirements set out in the following section); (ii) you breach any of these Program Terms or any other agreements you have with GrowthLoop or its subsidiaries or affiliates; or (iii) we determine that your participation in the Program could adversely impact us, our affiliates or any of our customers, employees or agents, we, in our sole discretion, may remove you from the Program and disqualify you from receiving any benefit of the Bug Bounty Program.
SUBMISSION ELIGIBILITY AND PROGRAM SCOPE
To ensure that Bug Bounty Submissions and payouts are fair and relevant, the following requirements and guidelines apply to all researchers submitting reports:
- Submit one vulnerability per underlying issue.
- All issues must be new discoveries. Rewards will be provided only to the first researcher who submits a particular security bug.
- The researcher submitting the bug must not be currently nor have been under contract to GrowthLoop, within six months prior to the submission.
- The researcher submitting the bug must not be the author of the vulnerable code.
- The researcher must not disclose the bug publicly before a fix is released or try to exploit it.
Bug Bounty Submissions pertaining to the following domains are deemed “in scope” and potentially eligible for payouts pursuant to the Program, subject to the additional requirements set forth in these Program Terms:
Bug Bounty Submissions relating to the following domains are deemed not “in scope” and are not eligible for payouts pursuant to the Program:
- Any domain or subdomain not listed in the In Scope section is considered out of scope
- All domains hosted by a third-party service provider (e.g. Zendesk)
- All staging/development environments unless explicitly mentioned in the In Scope section.
- The following are explicitly prohibited:
  - Attempts to access private customer information
  - Any social engineering attempts (this includes phishing attacks against GrowthLoop employees)
  - Attempts to take over social media pages (Twitter, Facebook, LinkedIn, etc.)
  - Any attempts to access the GrowthLoop offices or employee devices and endpoints, or the testing of any physical security controls
  - Any volumetric testing, denial of service, or similar
Bug Bounty Submissions pertaining to the following issues are not eligible for payouts pursuant to the Program:
- HTML injection and Self-XSS
- Password complexity related vulnerabilities
- Pre-authentication open redirects
- Unchained open redirects
- Missing cookie flags
- SSL/TLS best practices
- Mixed content warnings
- Denial of Service attacks and Distributed Denial of Service attacks
- Host header and banner grabbing issues
- Clickjacking or UI Redressing attack with no sensitive actions
- Cross-Origin Resource Sharing (CORS) without a specific, demonstrable impact
- Missing CSRF token
- Missing best practices in Content Security Policy
- Missing security-related HTTP headers which do not lead directly to a vulnerability
- Attacks requiring MITM or physical access to a user’s device
- Comma Separated Values (CSV) injection without demonstrating a vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Email/Username enumeration without a specific, demonstrable impact
- Tabnabbing without a specific, demonstrable impact
- Exposed configuration files without a specific, demonstrable impact
- Reflected file download attacks
- Incomplete or missing SPF/DKIM/DMARC records
- Physical or social engineering attacks
- Results of automated tools or scanners (such as Acunetix, Core Impact or Nessus)
- Recently disclosed 0-day vulnerabilities – please give us two weeks to patch our systems before reporting these types of issues.
- Login/logout/unauthenticated/low-impact CSRF
- Presence of autocomplete attribute on webform
- CVEs affecting outdated browsers or platforms
- Using unreported vulnerabilities to find other bugs
- Self-exploitation (i.e. password reset links or cookie reuse)
- Use of a known-vulnerable library (without proof of exploitability)
- Descriptive/verbose/unique error pages (without proof of exploitability)
The foregoing lists of ineligible submissions are not necessarily comprehensive and are not intended to suggest that any Bug Bounty Submission that fails in GrowthLoop’s sole discretion to meet the express eligibility requirements of these Program Terms is eligible for a Bounty pursuant to the Program.
If you think you have discovered an eligible security bug (a “Bug”), we would love to work with you to resolve it. Please email us at security@GrowthLoop.com and include “Bug Bounty Submission” in the subject line.
Within the body of the email, please provide as much information as possible, including:
- A detailed description of the nature of the Bug.
- Detailed steps to reproduce the Bug with appropriate screenshots if applicable.
- Estimated severity and/or impact of the issue, if any.
- Any relevant attachments. They must be encrypted.
- Pertinent applications, programs, or tools used to discover the Bug.
- Date and time testing took place.
- IP address at the time of testing.
Bugs must be submitted to security@GrowthLoop.com and include the researcher’s legal name as well as a thorough description of the Bug and supporting evidence. By making any submission pursuant to the Program (a “Bug Bounty Submission”), you acknowledge that you are not guaranteed any Bounty or other compensation for the use of your Bug Bounty Submission.
By making any Bug Bounty Submission, you represent and warrant that (1) you have the legal right to submit the Bug Bounty Submission to us and to grant us the rights set forth in these Program Terms, and (2) the Bug Bounty Submission is your own work and does not contain content owned by a third party (other than such third-party content that you have valid permission to provide to us pursuant to these terms). Bug Bounty Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Bounties.
Bugs must be new discoveries in order to be eligible for a Bounty. Bounties will be provided only to the first eligible researcher to submit a particular Bug. Multiple vulnerabilities caused by one underlying issue will be eligible for only one Bounty except as determined otherwise by GrowthLoop in our sole discretion. You can earn Bounties for additional Bug Bounty Submissions an unlimited number of times, subject to the limitations in these Program Terms.
We are not responsible for submissions that we do not receive regardless of the reason. If you submit a Bug for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Bounty payments if the product or service is later added to the Program.
How much is a bug worth?
Depending on the detail of your submission, we will award a Bounty of varying scale. We will work with you in good faith to compensate accordingly. Well-written reports and functional exploits are more likely to result in Bounties.
Multiple vulnerabilities caused by one underlying issue will be eligible for only one award. Bugs already known by GrowthLoop are not eligible for an award. GrowthLoop’s determinations with respect to the eligibility of any Bug submitted via the Program are final and binding.
HOW WE PAY BOUNTIES
Subject to the following parameters, payment of Bounties will be made for valid and eligible Bug Bounty Submissions once we have fixed the Bug in question (or, in very specific cases, once we have decided not to fix it). Our desired timeframe to remediate each valid submission is within 90 days following receipt of a valid Bug Bounty Submission, but this process may require additional time for a variety of reasons. All decisions we make pertaining to the availability of any Bounties are final and binding.
If we determine that your Bug Bounty Submission is eligible for a Bounty, we will provide you with the necessary paperwork for payment processing. Before receiving a Bounty, you may be required to complete and submit appropriate tax forms or other information. We cannot process payment until you have completed and submitted the fully executed required documentation. GrowthLoop will make commercially reasonable efforts to provide a payout for each qualifying Bug within a reasonable time from our remediation of the applicable issue (or our determination not to remediate), provided that we have determined that the applicable Bug Bounty Submission remains eligible for receipt of the Bounty.
We reserve the right to select reasonable payment methods for Bounties. If you are unable or unwilling to receive your Bounty payment via GrowthLoop’s selected method of payment and are subject to these Program Terms, we reserve the right to rescind or modify it as appropriate. If you are a minor under the law applicable to you, we will make the applicable Bounty payment to your parent or legal guardian upon receipt of appropriate documentation. Please note that reward payouts are subject to the taxes of your country of residence and citizenship and you are responsible for any tax implications.
LICENSE; RIGHT TO SUBMIT
You retain ownership of the content of your Bug Bounty Submissions. However, by choosing to submit any Bug Bounty Submissions, you grant GrowthLoop a non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the content of your Bug Bounty Submission, including any intellectual property rights associated with that content. This license permits us to: (i) use, review, assess, test, and otherwise analyze your Submission; (ii) reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) display or otherwise present your Bug Bounty Submission and all of its content in connection with the marketing, sale, or promotion of this program or our other programs or activities in any media or format. You agree to sign any documentation necessary for GrowthLoop or our designees to confirm the rights granted under this license, and you agree and acknowledge that we may have developed content similar to your Bug Bounty Submission.
Confidential Information must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Bug Bounty Submission without GrowthLoop’s prior written consent.
Information you receive or collect about GrowthLoop or its affiliates or employees through the Program, whether in oral, visual, written, or electronic format, may be deemed proprietary and confidential (“Confidential Information”). For purposes of the Program, information and/or material shall be deemed “Confidential Information” if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material “confidential” or “proprietary.”
Bugs or potential bugs you discover constitute “Confidential Information” and may not be disclosed publicly or to a third party without our written permission, except that you may make high-level general descriptions of your relevant research available after the applicable bug or vulnerability is fixed. Disclosing Bugs or potential bugs, or any other content of a Bug Bounty Submission, in violation of the foregoing provisions will disqualify you from receiving a Bounty and from participating in the Program in the future.
YOUR PERSONAL INFORMATION
You must not knowingly or intentionally access or acquire the personal information of any GrowthLoop customer or employee. In the event it is determined you knowingly or intentionally accessed the personal information of any GrowthLoop customer or employee, you will become immediately ineligible to participate in this program. In the event you inadvertently access or acquire the personal or other sensitive information of any GrowthLoop customer or employee, you must immediately cease all activity and notify us. In connection with your participation in the Program, you agree that you will not:
- Make any threats, attempts at harassment, coercion, or extortion of GrowthLoop employees or customers.
- Do anything that violates applicable law.
- Infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
- Send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
- Share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
- Engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
- Help others break these rules.
Activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you for research and vulnerability disclosure activities conducted in accordance with these Program Terms, or for accidental violations committed in a good-faith attempt to comply with these Program Terms. If legal action is initiated by a third party against you in connection with activities validly conducted under these Program Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with these Program Terms. You are required, at all times, to comply with all applicable laws and not to disrupt any systems or data beyond activities expressly authorized by these Program Terms.
Please note, however, that we cannot bind third parties with these safe harbor provisions, and if your security research involves systems, networks, products, or services of a third party, that party could pursue legal action against you. We do not authorize research activities in the name of any other entities, and we do not offer to defend, indemnify, or otherwise protect against any third-party actions based on such activities.
If you submit a Bug Bounty Submission that affects or relates to a service provided by a third party, we may share non-identifying content from your Bug Bounty Submission with the affected third party, provided that before doing so, we will obtain confirmation from the third party that the third party will not initiate legal action against you based on the contents of your Bug Bounty Submission. We reserve the right to determine in our sole discretion whether any conduct violates these Program Terms and whether any violations were accidental. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us at email@example.com with your questions.
GrowthLoop AND OUR RESELLERS, DISTRIBUTORS, AGENTS, AND AFFILIATES MAKE NO WARRANTIES, EXPRESS OR IMPLIED, OR GUARANTEES WITH RESPECT TO THE PROGRAM. YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER APPLICABLE LOCAL LAW, WE EXCLUDE ALL IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW LIMITING THE FOREGOING EXCLUSIONS. NOTHING IN THESE PROGRAM TERMS IS INTENDED TO AFFECT THOSE RIGHTS TO THE EXTENT APPLICABLE.
YOU SHALL INDEMNIFY AND HOLD GrowthLoop AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, AGENTS, AND EMPLOYEES, HARMLESS FROM ALL CLAIMS, ACTIONS, PROCEEDINGS, DEMANDS, DAMAGES, LOSSES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS’ FEES), INCURRED IN CONNECTION WITH ANY MATERIALS SUBMITTED, POSTED, TRANSMITTED OR MADE AVAILABLE BY YOU THROUGH PARTICIPATION IN THE PROGRAM (INCLUDING ANY BUG BOUNTY SUBMISSIONS YOU MAKE) AND/OR ANY VIOLATION BY YOU OF THESE PROGRAM TERMS, THE RIGHTS OF ANY THIRD PARTY, OR ANY APPLICABLE LAW OR REGULATION. This provision does not require you to indemnify GrowthLoop for any unconscionable commercial practice by GrowthLoop or for GrowthLoop’s fraud, deception, false promise, misrepresentation or concealment, suppression or omission of any material fact in connection with the Program.
LIMITATION OF LIABILITY
UNDER NO CIRCUMSTANCES SHALL GrowthLoop BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR OTHER DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, ANY DAMAGES THAT RESULT FROM (I) YOUR USE OF OR YOUR INABILITY TO USE THIS WEBSITE, APP OR THE SERVICE, (II) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS, DATA, INFORMATION OR SERVICES, (III) ERRORS, MISTAKES, OR INACCURACIES IN THE MATERIALS ON THE WEBSITE, OR (IV) ANY ERRORS OR OMISSIONS IN ANY MATERIAL ON THE WEBSITE, OR ANY OTHER LOSS OR DAMAGE OF ANY KIND ARISING FROM OR RELATING TO YOUR USE OF THE WEBSITE. THESE LIMITATIONS SHALL APPLY EVEN IF GrowthLoop HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, GrowthLoop’S LIABILITY TO YOU FOR ANY DAMAGES ARISING FROM OR RELATED TO THESE PROGRAM TERMS (FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION), WILL AT ALL TIMES BE LIMITED TO THE GREATER OF (A) ONE HUNDRED DOLLARS ($100) OR (B) THE AGGREGATE AMOUNT OF ANY BOUNTIES YOU HAVE RECEIVED PURSUANT TO THE PROGRAM IN THE PRIOR 12 MONTHS (IF ANY). THE FOREGOING LIMITATIONS SHALL APPLY TO THE FULLEST EXTENSION PERMITTED BY LAW IN THE APPLICABLE JURISDICTION.
ARBITRATION OF DISPUTES
To the extent permissible under applicable law, any disputes between you and GrowthLoop are subject to the provisions of our Terms of Service, including Section 12.8. Dispute Resolution (the “Arbitration Agreement”). By participating in the Program, you agree to the dispute resolution provisions set forth in the Arbitration Agreement. Unless you opt out of the arbitration agreement as provided in the Terms of Service, (1) you will only be permitted to pursue claims and seek relief against GrowthLoop on an individual basis, not as a plaintiff or class member in any class or representative action or proceeding, and (2) you are waiving your right to seek relief in a court of law and to have a jury trial on your claims.
CHOICE OF LAW
Any dispute or claim relating to these Program Terms or your participation in the Program will be governed and interpreted by and under the laws of the US, without giving effect to any principles that provide for the application of the law of any other jurisdiction.