Placer Labs Inc. (“Placer”, “us” or “we”) recognizes the value external security researchers provide in highlighting potential Vulnerabilities in our systems. If you feel you have identified a security Vulnerability, we encourage you to complete the form below or contact us at firstname.lastname@example.org. We will review your claim in accordance with the Bug Bounty Program (the “Program”) Terms and Conditions (the “Terms”) below. Thanks!!!!
Before submitting a claim, please read the following guidelines and Terms. By submitting any Vulnerabilities to Placer or otherwise participating in the Program in any manner, you accept these guidelines and Terms.
NOTE: Accessing another person’s account while logged into your account violates a number of laws and can be seen as a breach of your contract.
Applications in scope for the Program:
Vulnerabilities in third-party libraries that integrate with Placer are within scope only where the Vulnerability has an impact on Placer user data or systems (e.g. access token disclosure).
Vulnerabilities identified by another person or by an organization will not be eligible for the Program. In addition, findings with a very low probability and many assumptions are not in scope.
Any issue that affects the integrity or confidentiality of user data would likely be considered in scope. Some examples include:
Any of the following (or related) activities will be automatically considered out of the scope of the Program:
If reported findings are missing all the proof of potential exploit, or if your submitted findings cannot be reproduced, they will not qualify for the Program.
Full disclosure of your finding of the bug/Vulnerability must be provided:
We appreciate independent Security Analysts helping companies like Placer improve our security posture. To qualify for the Program, all the criteria outlined in this Program must be met.
Rules of engagement include the following, but this is not an exhaustive list:
NOTE: Changes, adjustments, outsourcing, or cancellations may be made at any time to the Program without notice.
Payment of any bounty for a reported Vulnerability affecting our services is entirely at the discretion of Placer’s management and may vary based on the details of your submission.
Factors that will influence our decision include but are not limited to:
Those submissions that do not meet the minimum bar described above are considered incomplete and not eligible for bounties.
NOTE: Extremely low-risk issues may not qualify for a bounty unless your finding leads us to discover higher-risk Vulnerabilities, in which case we may, at our sole discretion, pay an increased award.
Payments will be made using PayPal ONLY.
These Terms cover your participation in the Program and are between you and Placer.
The Program enables users to submit Vulnerabilities and exploitation techniques ("Vulnerabilities") to Placer for a chance to earn rewards in an amount determined by Placer in its sole discretion ("Bounty"). The decisions made by Placer regarding Bounties are final and binding. Placer may change or cancel this Program at any time, for any reason.
We may change or cancel these Terms at any time. Participating in the Program after the changes become effective means you agree to the new terms. If you don't agree to the new Terms, you must not participate in the Program.
The following criteria must be met in order to participate in the Program.
If you believe you have identified a Vulnerability that meets the applicable requirements set forth in these Terms, you may submit it to us by completing the form above or contacting us at email@example.com.
Each Vulnerability submitted to Placer shall be a "Submission."
Your Submission must specify the Vulnerability details and as much of the information in the section above titled “Program Reporting” as possible.
There are no restrictions on the number of qualified Submissions you can provide and potentially be paid a Bounty for.
Placer is not claiming any ownership rights to your Submission. However, by providing any Submission to Placer, you:
Protecting Placer's services and data is our highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on our services be withheld for 30 days after the Vulnerability is fixed. Placer will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion.
After a Submission is sent to Placer in accordance with the above, Placer will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.
Placer retains sole discretion in determining which Submissions are qualified. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to Placer, we may award a differential to the person submitting the duplicate report.
If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Bounty. If you submit the functioning exploit within 90 days of submitting the Vulnerability, we may, at our discretion, provide an additional Bounty payment (but are not obligated to do so).
The decisions made by Placer regarding Bounties are final and binding.
If we have determined that your Submission is eligible for a Bounty we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment.
To receive a Bounty you must provide the following information to us: Full Name; ID Number; Country of residence; Tax number if available; Phone number; and Address. Before receiving a Bounty, you may also be required to complete and submit certain tax forms (e.g., Form W-9, W-8BEN, 8233). If you do not provide the above information or complete the required forms as instructed, we may not provide payment.
You may waive the payment if you do not wish to receive a Bounty.
If your Submission qualifies for a Bounty, please note:
By participating in the Program, you will follow these rules:
If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.
If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover from Placer direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.
If you live in (or, if a business, your principal place of business is in) the United States, the laws of the state where you live govern all claims, regardless of conflict of laws principles. You and we irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in San Francisco, California, for all disputes arising out of or relating to these Terms or the Program that are heard in court (excluding small claims court).
Other than your Submission, Placer does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback, and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to Placer through the Program or otherwise, Placer makes no assurances that your ideas will be treated as confidential or proprietary.
IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.