Bug Bounty Program

The Groupize Bug Bounty Program is designed to provide reasonable compensation and incentive to report qualifying vulnerabilities that independent researchers identify with Groupize’s suite of products. Additionally the rules outlined in this program should help to guide the areas of our technical footprint that are eligible for, and ineligible for the payment of a bounty.

In short – we accept vulnerability reports for any publicly-exploitable and, as of yet unidentified, issue with our main suite of products. We do not accept reports for vulnerabilities related to our marketing platforms or websites, including groupize.com, or for base DNS or email configuration.

How to Participate

Security researchers may participate in the Groupize Bug Bounty Program by emailing [email protected]. Please include your name and contact information, the details of the issue you are reporting and any additional information about the vulnerability as you are able to provide. Groupize reserves the right to refuse participant’s requests without sufficient information.

Bounty Eligibility

You must agree and adhere to the Program Rules and Legal Terms as stated in this policy.
You must be the first to report the issue in order to be eligible for the bounty.
The issue must not have been previously identified by our own internal security screening utilities.
You must be able to supply additional information, as needed by our team, to reproduce and triage the issue.
Groupize partners are not eligible for participation in this program.

Program Rules

Do not intentionally harm the experience or usefulness of the service to others, including degradation of services and denial of service attacks.
Do not attempt to view, modify, or damage data belonging to others.
Do not disclose the reported vulnerability to others until we’ve had reasonable time to address it.
Do not attempt to gain access to another user’s account or data.
Do not use scanners or automated tools to find vulnerabilities. We regularly run our own scanning utilities and the use of automated scanners may result in the blacklisting of your IP address.
Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, partners, customers or infrastructure.

Eligible Targets

The scope of this program is currently limited to our main application: app.groupize.com

groupize.com, groupizesolutions.com and other websites primarily used for marketing are ineligible for participation in this program.

Exclusions

The following vulnerabilities are not eligible for bounty:

Lack of / Misconfigured CORS HTTP Header
Network level Denial of Service attacks
Application Denial of Service by locking user accounts
Descriptive error messages or headers (e.g. Stack Traces, banner grabbing)
Disclosure of known public files or directories, (e.g. robots.txt)
Outdated software / library versions
OPTIONS / TRACE HTTP method enabled
CSRF on forms that are available to anonymous users
Cookies that lack HTTP Only or Secure settings for non-sensitive data
Self-XSS and issues exploitable only through Self-XSS
Reports resulting from automated scanning utilities without additional details or a POC demonstrating a specific exploit
Attacks requiring physical access to a user’s device
Attacks dependent upon social engineering of Groupize employees or vendors.
Any enumeration attack including username enumeration, password brute force, etc.
Enforcement policies for brute force, rate limiting, or account lockout.
SSL/TLS best practices.
Clickjacking, without additional details demonstrating a specific exploit.
Mail configuration issues including SPF, DKIM, DMARC settings.
Use of a known-vulnerable library without a description of an exploit specific to our implementation.
Password and account recovery policies.
Presence of autocomplete functionality in form fields.
Publicly accessible login panels.
Lack of email address verification during account registration or account invitation.
Lack of email address verification password restore.
Session control during email/password changes.

Rewards

You may be eligible to receive a monetary reward if:

You are the first to submit a vulnerability in compliance with this policy.
The vulnerability is determined to be a valid security issue by the Groupize engineering team.
You have complied with all program terms.

All bounty amounts will be determined at the discretion of the Groupize engineering team who will evaluate each report for severity, impact, and quality. Rewards amounts vary depending upon the severity of the vulnerability reported. There could be submissions that we determine have an acceptable level of risk such that we do not make changes.

The minimum bounty amount for a validated bug submission is $50 USD. Groupize retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Groupize team are final.

Payment

You’ll need to submit an invoice to receive payment for any bounty payment in excess of $400 USD or for any individual who has collected more than $400 USD in bounties throughout a fiscal year. Any individual with payments less than that threshold need not send a formal invoice. If required, the invoice has to meet all legal requirements. Groupize accepts the following payment methods.

We do not currently support payment via western union, crypto-currency or other alternative payment mechanisms.

Submit Your Report

Vulnerability information is extremely sensitive. When using email to report a potential security issue to Groupize, use [email protected].

It’s important to include at least the following information in the email:

Organization and contact name
Product / site affected
Description of the potential vulnerability
Supporting technical details (such as system configuration, traces, description of exploit/attack code, sample packet capture, proof of concept, steps to reproduce the issue)
Information about known exploits
Disclosure plans, if any

We will investigate legitimate reports and make every effort to quickly correct any vulnerability. A well written report will allow us to more quickly and accurately triage your submission.

Provide details of the vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
A clear description of the issue, including the impact you believe it has to the user, Groupize or others.
Specific reproduction steps including the environment used for testing (browsers, devices, tools, configuration) and any accounts used during testing.
Your recommendations to resolve the issue.
Give us a reasonable time to correct the issue before making any information public

Terms and Conditions

There are constraints on who may participate in the Groupize Bug Bounty Program (the “Program”). In addition, there may be additional restrictions depending upon applicable local laws.

The parties to this agreement are you and “Groupize Inc.”
You must abide by the laws of the United States, the State of Massachusetts and the resident jurisdiction of the individual reporting the vulnerability.
“Groupize inc.” employees, contractors, and their families are not eligible for rewards.
By submitting the vulnerability, you affirm that you have not disclosed and agree that you will not disclose the bug or your submission to anyone other than “Groupize Inc.” via our Bug Bounty Process.
Submissions selected for rewards, and the individuals who submitted the vulnerabilities will receive appropriate recognition at the discretion of Groupize Inc.
By submitting information about a potential vulnerability, you are agreeing to these terms and conditions and granting Groupize Inc. a worldwide, royalty-free, non-exclusive license to use your submission for the purpose of addressing vulnerabilities. Only the first report of a given issue that Groupize had not yet identified is eligible. In the event of a duplicate submission, only the earliest received report is considered.
Eligibility for rewards and determination of the recipients and amount of reward is left up to the discretion of Groupize.
The Program is focused predominantly on: Internet-facing Groupize Inc. websites executing on internet domains that provide significant business value to Groupize, and are supported directly by Groupize and its suppliers. Vulnerabilities submitted outside this scope are generally less likely to receive recognition or rewards under this Program.
You are responsible for notifying Groupize Inc of any changes to your contact information, including but not limited to your email address. Failure to do so may lead to the forfeiture of Bounty Awards.
Groupize Inc. reserves the right to discontinue the Program at any time without notice.
You may only exploit, investigate, or target vulnerabilities against your own accounts. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is expressly prohibited.
If you inadvertently access proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Inadvertent access of the data must be declared within your submission.
Your testing activities must not negatively impact Groupize or Groupize online environment availability or performance.

Confidentiality

Any information you receive or collect about Groupize through the Bug Bounty Program must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Groupize sites, without Groupize’s prior written consent.