Bug Bounty Program

Placer Labs Inc. (“Placer”, “us” or “we”) recognizes the value external security researchers provide in highlighting potential Vulnerabilities in our systems. If you feel you have identified a security Vulnerability, we encourage you to complete the form below or contact us at bug-bounty@placer.ai. We will review your claim in accordance with the Bug Bounty Program (the “Program”) Terms and Conditions (the “Terms”) below. Thanks!

Before submitting a claim, please read the following guidelines and Terms. By submitting any Vulnerabilities to Placer or otherwise participating in the Program in any manner, you accept these guidelines and Terms.

NOTE: Accessing another person’s account while logged into your account violates a number of laws and can be seen as a breach of your contract.

Bug Bounty Scope

Applications in scope for the Program:

Vulnerabilities in third-party libraries that integrate with Placer are within scope only where the Vulnerability has an impact on Placer user data or systems (e.g. access token disclosure).

Vulnerabilities identified by another person or by an organization will not be eligible for the Program. In addition, findings with a very low probability and many assumptions are not in scope.  

Qualifying Vulnerabilities

Any issue that affects the integrity or confidentiality of user data would likely be considered in scope. Some examples include:

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Mixed-content scripts
  • Authentication or authorization flaws
  • Server-side code execution bugs

Out-of-Scope Activities

Any of the following (or related) activities will be automatically considered out of the scope of the Program:

  • Server or software banner disclosure
  • Use of outdated/Vulnerable software/component versions (without evidence of exploitation)
  • Default configuration files that do not disclose sensitive information
  • Descriptive error messages and debugging information (stack traces, path disclosure, etc.)
  • HTTP security header issues (including X-Frame-Options/clickjacking, Content-Security-Policy, X-XSS-Protection, etc.)
  • Lack of Secure and HTTPOnly flags on non-sensitive cookies.
  • Enabled OPTIONS HTTP method
  • Content injection or “HTML injection” unless you can clearly show risk
  • Self Cross-Site Scripting (aka Self XSS)
  • Cross-Site Request Forgery (CSRF) for non-sensitive or insignificant actions (e.g. logout)
  • Cross-Site Request Forgery (CSRF) on features available to anonymous users
  • Lack of brute force protection on login pages
  • Account lockout enforcement
  • User enumeration via error messages of failed login attempts
  • Failure to invalidate session on 2FA implementation or on password change
  • Lifetime duration of “sign-up” or “reset password” tokens
  • Spam or social engineering techniques (phishing)
  • Exploits that require (or partly require) physical access to the target external device/account or unlikely user interaction
  • SMTP Policy-related issues (including SPF, DKIM, and DMARC)
  • Theoretical subdomains takeover claims with no supporting evidence
  • Email flooding attacks
  • Denial-of-service attacks (DoS)
  • Distributed DoS (DDoS)
  • Other third-party apps or websites that integrate with Placer but are not relevant to our component integration
  • Outdated and non-supported applications
  • Weak TLS version and insecure SSL/TLS ciphers
  • Bugs that do not affect, and are not exploitable on, the latest version of modern browsers
  • Reports lacking evidence of exploitability (a PoC that actually demonstrates the compromise is mandatory)

Important

If reported findings lack proof of a potential exploit, or if your submitted findings cannot be reproduced, they will not qualify for the Program.

Program Reporting

Full disclosure of the bug/Vulnerability you found must be provided:

  • Type of issue
  • What you have found in detail so we can investigate your claim thoroughly
  • Step-by-step instructions to reproduce the issue and what you saw
  • What you are able to see or do with the Vulnerability if exploited, for example:
      • See or extract data that is not yours
      • Connect as another user
      • Connect to systems that are not included in the direct use of the service
  • Impact of the issue, including how an attacker could exploit the issue
  • Anything else you think is needed to support your claim

Program Rules of Engagement

We appreciate independent Security Analysts helping companies like Placer improve our security posture. To qualify for the Program, all the criteria outlined in this Program must be met.

Rules of engagement include the following (this is not an exhaustive list):

  • You do not exploit a security issue you discover for any reason other than to validate your finding.
  • You only use an account assigned to you, never one that is not yours.
  • You are able to demonstrate that the Vulnerability found is your own finding and not a third party's.
  • You are not paid for testing our products and services.
  • You provide us with sufficient time to investigate and mitigate the Vulnerability you submitted.
  • You do not post the Vulnerability for others to take advantage of, prior to us closing it.
  • You report a security bug that identifies a Vulnerability in our services or infrastructure that creates a security or privacy risk.
  • You report a security bug that no other person or company has already issued before you.
  • Report your findings without undue delay.
  • Your Vulnerability can be verified by our team to be an actual valid bug/vulnerability that can be exploited.
  • We reserve the right to report this event and activity as we see fit.
  • We may retain any communications about security issues you report for as long as we deem necessary for program purposes.
  • Bug Bounty awards are made only where permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
  • We reserve the right to accept or reject your submission where we see extremely low risk and impact.

NOTE: Changes, adjustments, outsourcing, or cancellations may be made at any time to the Program without notice.

Payments

Payment of any bounty for a reported Vulnerability affecting our services is completely under Placer’s management discretion and may vary based on the details of your submission.

Factors that will influence our decision include but are not limited to:

  • Our ability to verify the Vulnerability
  • Our ability to remediate any Vulnerability based on your submission
  • The potential impact the Vulnerability could have on Placer’s user data or service if not closed
  • Other factors, including (but not limited to) ease of exploitation and quality of your submission. Well-written reports and functional exploits are more likely to result in Bounties.

Those submissions that do not meet the minimum bar described above are considered incomplete and not eligible for bounties.

NOTE: Extremely low-risk issues may not qualify for a bounty unless your finding leads us to discover higher-risk Vulnerabilities, in which case we may, at our sole discretion, pay an increased award.

Payments will be made using PayPal ONLY.

Bug Bounty Program Terms and Conditions

These Terms cover your participation in the Program and are between you and Placer.

PROGRAM OVERVIEW

The Program enables users to submit Vulnerabilities and exploitation techniques ("Vulnerabilities") to Placer for a chance to earn rewards in an amount determined by Placer in its sole discretion ("Bounty"). The decisions made by Placer regarding Bounties are final and binding. Placer may change or cancel this Program at any time, for any reason.

CHANGES TO THESE TERMS

We may change or cancel these Terms at any time. Participating in the Program after the changes become effective means you agree to the new terms. If you don't agree to the new Terms, you must not participate in the Program.

PROGRAM ELIGIBILITY

The following criteria must be met in order to participate in the Program.

  • You are not a resident of a U.S. Government embargoed country or any other country that does not allow participation in this type of program.
  • You are not on a U.S. Government list of sanctioned individuals.
  • You are 18 years or older.
  • You are not, and have never been, an employee of Placer or a subsidiary.
  • You are reporting as an individual and not part of a company.
  • Neither you nor any member of your family is under any contracting agreement with Placer or a subsidiary, or has been for the past 6 months.
  • You did not and will not access any personal information that is not your own, including by exploiting the Vulnerability.
  • You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
  • Your country of residence does not have local laws prohibiting you from participating in the Program.
  • You provide the necessary payment and identity information to enable us to validate the above information.

SUBMISSION PROCESS & COORDINATED VULNERABILITY DISCLOSURE

If you believe you have identified a Vulnerability that meets the applicable requirements set forth in these Terms, you may submit it to us by completing the form above or contacting us at bug-bounty@placer.ai.

Each Vulnerability submitted to Placer shall be a "Submission."

Your Submission must specify the Vulnerability details and as much of the information in the section above titled “Program Reporting” as possible.

There are no restrictions on the number of qualified Submissions you can provide and potentially be paid a Bounty for. 

SUBMISSION LICENSE

Placer is not claiming any ownership rights to your Submission. However, by providing any Submission to Placer, you:

  • Grant Placer the following non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs in all media (now known or later developed);
  • Agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
  • Understand and acknowledge that Placer may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
  • Understand that you are not guaranteed any compensation or credit for the use of your Submission; and
  • Represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Placer.

CONFIDENTIALITY OF SUBMISSIONS / RESTRICTIONS ON DISCLOSURE

Protecting Placer's services and data is our highest priority. We endeavor to address each Vulnerability report in a timely manner. While we do so, we require that Submissions remain confidential and not be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks on our services easier be withheld for 30 days after the Vulnerability is fixed. Placer will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released, and payment should not be taken as notification of fix completion.

VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

SUBMISSION REVIEW PROCESS

After a Submission is sent to Placer in accordance with the above, Placer will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.

Placer retains sole discretion in determining which Submissions are qualified. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to Placer, we may award a differential to the person submitting the duplicate report.

If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Bounty. If you submit the functioning exploit within 90 days of submitting the Vulnerability, we may, at our discretion, provide an additional Bounty payment (but are not obligated to do so).

BOUNTY PAYMENTS

The decisions made by Placer regarding Bounties are final and binding.

If we have determined that your Submission is eligible for a Bounty we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. 

To receive a Bounty you must provide the following information to us: Full Name; ID Number; Country of residence; Tax number if available; Phone number; and Address. Before receiving a Bounty, you may also be required to complete and submit certain tax forms (e.g., Form W-9, W-8BEN, 8233). If you do not provide the above information or complete the required forms as instructed, we may not provide payment.

You may waive the payment if you do not wish to receive a Bounty.  

If your Submission qualifies for a Bounty, please note:

  • You may not designate someone else as the Bounty recipient;
  • If you are unable or unwilling to accept your Bounty, we reserve the right to rescind it; and
  • If you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s). 

PRIVACY

See Placer’s Privacy Policy relating to the collection and use of your information in connection with the Program. 

CODE OF CONDUCT

By participating in the Program, you will follow these rules:

  • Don’t do anything illegal.
  • Don't engage in any activity that exploits, harms, or threatens to harm children.
  • Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
  • Don't engage in activity that is false or misleading.
  • Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
  • Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
  • Don't help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments. 

NO WARRANTIES

PLACER, AND OUR AFFILIATES, PARTNERS AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.

LIMITATION OF LIABILITY

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover from Placer direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.

CHOICE OF LAW AND PLACE TO RESOLVE DISPUTES

If you live in (or, if a business, your principal place of business is in) the United States, the laws of the state where you live govern all claims, regardless of conflict of laws principles. You and we irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in San Francisco, California, for all disputes arising out of or relating to these Terms or the Program that are heard in court (excluding small claims court).

MISCELLANEOUS

These Terms and Placer’s Privacy Policy are the entire agreement between you and Placer for your participation in the Program. They supersede any prior agreements between you and Placer regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court holds that we can't enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won't change.

UNSOLICITED IDEAS

Other than your Submission, Placer does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback, and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to Placer through the Program or otherwise, Placer makes no assurances that your ideas will be treated as confidential or proprietary.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.
