Demo
Search Venues
Login

Bug Bounty Program

The Groupize Bug Bounty Program is designed to provide reasonable compensation and incentive to report qualifying vulnerabilities that independent researchers identify with Groupize’s suite of products. Additionally the rules outlined in this program should help to guide the areas of our technical footprint that are eligible for, and ineligible for the payment of a bounty.

In short – we accept vulnerability reports for any publicly-exploitable and, as of yet unidentified, issue with our main suite of products. We do not accept reports for vulnerabilities related to our marketing platforms or websites, including groupize.com, or for base DNS or email configuration.

How to Participate

Security researchers may participate in the Groupize Bug Bounty Program by emailing [email protected]. Please include your name and contact information, the details of the issue you are reporting and any additional information about the vulnerability as you are able to provide. Groupize reserves the right to refuse participant’s requests without sufficient information.

Bounty Eligibility

  • You must agree and adhere to the Program Rules and Legal Terms as stated in this policy.
  • You must be the first to report the issue in order to be eligible for the bounty.
  • The issue must not have been previously identified by our own internal security screening utilities.
  • You must be able to supply additional information, as needed by our team, to reproduce and triage the issue.
  • Groupize partners are not eligible for participation in this program.

Program Rules

  • Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks. 
  • Do not attempt to view, modify, or damage data belonging to others. 
  • Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it. 
  • Do not attempt to gain access to another user’s account or data. 
  • Do not use scanners or automated tools to find vulnerabilities. We regularly run our own scanning utilities and the use of automated scanners may result in the blacklisting of your IP address. 
  • Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, partners, customers or infrastructure. 

  • We do not issue test accounts or credentials for independent security researchers. Should an individual identify a method of access, we encourage that to be reported but we reserve the right to then disable that account.

Eligible Targets

The scope of this program is currently limited to our main application: app.groupize.com

groupize.com, groupizesolutions.com and other websites primarily used for marketing are ineligible for participation in this program.

memo.thevendry.com is not eligible for participation in this program, nor is any wordpress based application owned or operated by Groupize.

We accept and welcome reports for thevendry.com, however all exclusions listed below apply and we reserve the right to reject any submission for eligibility in compensation until we can assess the impact of the report.

Exclusions

The following vulnerabilities are not eligible for bounty:

  • Lack of / Misconfigured CORS HTTP Header
  • Network level Denial of Service attacks
  • Application Denial of Service by locking user accounts
  • Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
  • Disclosure of known public files or directories, (e.g. robots.txt)
  • Outdated software / library versions
  • OPTIONS / TRACE HTTP method enabled
  • CSRF on forms that are available to anonymous users
  • Cookies that lack HTTP Only or Secure settings for non-sensitive data
  • Self-XSS and issues exploitable only through Self-XSS
  • Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
  • Attacks requiring physical access to a user’s device
  • Attacks dependent upon social engineering of Groupize employees or vendors.
  • Any enumeration attack including username enumeration, password brute force, etc.
  • Enforcement policies for brute force, rate limiting, or account lockout.
  • SSL/TLS best practices.
  • Clickjacking, without additional details demonstrating a specific exploit.
  • Mail configuration issues including SPF, DKIM, DMARC settings.
  • Use of a known-vulnerable library without a description of an exploit specific to our implementation.
  • Password and account recovery policies.
  • Presence of autocomplete functionality in form fields.
  • Publicly accessible login panels.
  • Lack of email address verification during account registration or account invitation.
  • Lack of email address verification password restore.
  • Session control during email/password changes.
  • Open-relay or open-redirects
  • Any dead link, on user managed content or within the site body – unless that deadlink is
    susceptible to a hijacking attack against Groupize of Vendry online resources
  • Any report related to embedded data in media (images / photos / etc) unless there is evidence of malware.
  • Any issue, display problem, missing content or other perceived problem with user provided
     content unless a specific exploit is triggered via that user provided content (i.e. XSS / Script Injection / etc)

Rewards

You may be eligible to receive a monetary reward if:

  • You are the first to submit a vulnerability in compliance with this policy.
  • The vulnerability is determined to be a valid security issue by the Groupize engineering team.
  • You have complied with all program terms.

All bounty amounts will be determined at the discretion of the Groupize engineering team who will evaluate each report for severity, impact, and quality. Rewards amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk such that we do not make changes.

The bounty amount for a validated bug submission is $50 USD. Groupize retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to bounty eligibility are final.

Payment

All payments must meet the legal requirements of the United States, the state of Massachusetts and the local laws of the bounty reporter. US-based reporters may require an invoice-based reporting mechanism at a certain threshold. If that applies you will be notified.

Non-invoice payments can be made via paypal – the reporter is responsible for providing an eligible paypal account.

We do not currently support payment via western union, crypto-currency or other alternative payment mechanisms.

Submit Your Report

  • Vulnerability information is extremely sensitive. When using email to report a potential security issue to Groupize, use [email protected].

 

It’s important to include at least the following information in the email:

  • Organization and contact name
  • Product / site affected
  • Description of the potential vulnerability
  • Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
  • Information about known exploits
  • Disclosure plans, if any

 

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. A well written report will allow us to more quickly and accurately triage your submission.

  • Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
  • A clear description of the issue, including the impact you believe it has to the user, Groupize or others.
  • Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
  • Your recommendations to resolve the issue.
  • Give us a reasonable time to correct the issue before making any information public

Terms and Conditions

There are constraints on who may participate in the Groupize Bug Bounty Program (the “Program”). In addition, there may be additional restrictions depending upon applicable local laws.

  • The parties to this agreement are you and “Groupize Inc.”
  • You must abide by the laws of the United States, the State of Massachusetts and the resident jurisdiction of the individual reporting the vulnerability. 
  • “Groupize inc.” employees, contractors, and their families are not eligible for rewards.
  • By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than “Groupize Inc.” via our Bug Bounty Process.
  • Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive appropriate recognition at the discretion of Groupize Inc.
  • By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Groupize Inc. a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that Groupize had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
  • Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Groupize.
  • The Program is focused predominantly on: Internet-facing Groupize Inc. websites executing on internet domains that provide significant business value to Groupize, and are supported directly by Groupize and its suppliers. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or rewards under this Program.
  • You are responsible for notifying Groupize Inc of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.
  • Groupize Inc. reserves the right to discontinue the Program at any time without notice.
  • You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
  • If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
  • Your testing activities must not negatively impact Groupize or Groupize online environment availability or performance.



Confidentiality

Any information you receive or collect about Groupize through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Groupize sites, without Groupize’s prior written consent.

Book a call with a Groupize expert today!

Join over 150,000 planners who trust Groupize to simplify meetings of all sizes—book a demo today and explore our global marketplace of venues and vendors to see how we can transform your planning process from start to finish.

Simplify My Meetings

Solutions

Legal

Copyright © 2025 Groupize. All rights reserved.
Groupize