Placer recognizes the value external security researchers provide in highlighting potential vulnerabilities in our systems. If you feel you have identified a security vulnerability, we encourage you to complete the form below or contact us at firstname.lastname@example.org. We will review your claim according to our internal processes. Thank you!
Before submitting a claim, please read some of the guidelines and scope of the program.
If you need help from Customer Success with a security event or a compromised account, please contact email@example.com or contact your account representative directly.
For privacy questions:
For security questions:
NOTE: Accessing another person’s account while logged into your account violates a number of laws and can be seen as a breach of your contract.
Bug Bounty Scope
Applications in scope for the Bug Bounty program:
Vulnerabilities in third-party libraries that integrate with Placer are within scope only where the vulnerability has an impact on Placer user data or systems (e.g. access token disclosure).
Vulnerabilities already identified by another person or organization will not be eligible for the Bug Bounty program.
Any issue that affects the integrity or confidentiality of user data would likely be considered in scope. Some examples include:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Mixed-content scripts
- Authentication or authorization flaws
- Server-side code execution bugs
Any of the following (or related) activities will automatically be considered out of scope for the bug bounty program:
- Server or software banner disclosure
- Use of outdated/vulnerable software/component versions (without evidence of exploitation)
- Default configuration files which do not disclose sensitive information
- Descriptive error messages and debugging information (stack traces, path disclosure, etc.)
- HTTP security header related issues (including X-Frame-Options and clickjacking, Content-Security-Policy, X-XSS-Protection, etc.)
- Lack of Secure and HttpOnly flags on non-sensitive cookies
- Enabled OPTIONS HTTP method
- Content injection or “HTML injection” unless you can clearly show risk
- Self Cross-Site Scripting (aka Self XSS)
- Cross-Site Request Forgery (CSRF) for non-sensitive or insignificant actions (e.g. logout)
- Cross-Site Request Forgery (CSRF) on features that are available to anonymous users
- Lack of brute force protection on login pages
- Account lockout enforcement
- User enumeration via error messages on failed login attempts
- Failure to invalidate session on 2FA implementation or on password change
- Lifetime duration of “sign-up” or “reset password” tokens
- Spam or social engineering techniques (phishing)
- Exploits that require (or partly require) physical access to the target external device/account, or unlikely user interaction
- SMTP Policy related issues (including SPF, DKIM and DMARC)
- Theoretical subdomain takeover claims with no supporting evidence
- Email flooding attacks
- Denial-of-service attacks (DoS)
- Distributed DoS (DDoS)
- Other third-party apps or websites that are not relevant to our component integration
- Outdated and non-supported applications
- Weak TLS version and insecure SSL/TLS ciphers
- Bugs that do not affect, and are not exploitable on, the latest versions of modern browsers
- Reports lacking evidence of exploitability (a PoC that actually demonstrates the compromise is required and mandatory)
Reported findings that lack proof of a potential exploit, or that cannot be reproduced, will not qualify for the Bug Bounty program.
Bug Bounty Reporting
Full disclosure of the bug/vulnerability you found must be provided, including:
- What you have found, in detail, so we can investigate your claim thoroughly
- The steps you took and what you saw
- What you are able to see or do with the vulnerability if exploited, for example:
  - See or extract data that is not yours
  - Connect as another user
  - Connect to systems that are not part of the direct use of the service
- Anything else you think is needed to support your claim
Bug Bounty Rules of Engagement
We appreciate independent security analysts helping companies like Placer.ai improve their security posture. To qualify for the Bug Bounty program, all the criteria outlined in this bug bounty program must be met.
Rules of engagement include the following (this is not an exhaustive list):
- You do not exploit a security issue you discover for any reason other than to validate your finding.
- You only use an account assigned to you, never one that is not yours.
- You are able to demonstrate that the vulnerability you found is your own discovery and not a third party's.
- You are not paid for testing our products and services.
- You provide us sufficient time to investigate and mitigate the vulnerability you submitted.
- You do not publish the vulnerability, where others could take advantage of it, before we have closed it.
- You report a security bug that identifies a vulnerability in our services or infrastructure which creates a security or privacy risk.
- You report a security bug that no other person or company has already reported before you.
- You report your finding without undue delay.
- Your vulnerability can be verified by our team to be an actual, valid bug/vulnerability that can be exploited.
- We reserve the right to report this event and activity as we see fit.
- We may retain any communications about security issues you report for as long as we deem necessary for program purposes.
- Bug Bounty awards are made only where permitted by applicable laws, including (but not limited to) US trade sanctions and economic restrictions.
NOTE: Changes, adjustments, outsourcing or cancellation may be made at any time to the bug bounty program without notice.
Payment of any bug bounty for a reported vulnerability affecting our services is entirely at the discretion of Placer.ai management.
Factors that will influence our award decision include but are not limited to:
- Our ability to verify the vulnerability
- Our ability to remediate it
- Evaluation of the extent of the potential impact the vulnerability could have on Placer.ai user data or systems if not closed
- Bounties are based on risk and a variety of factors, including (but not limited to) impact, ease of exploitation, and the quality of your findings
NOTE: Extremely low-risk issues may not qualify for a bounty. If your finding leads us to discover higher-risk vulnerabilities, we may, at our sole discretion, pay an increased award.
A payment will require you to provide the following details:
- Full Name
- ID Number
- Country of residence
- Tax number if available
- Phone number
Payments will be made using Amazon gift cards ONLY.
The following criteria must be met in order to participate in the Placer.ai Bug Bounty Program (these criteria can change at any time without notice):
- You are not a resident of a U.S. Government embargoed country.
- You are not on a U.S. Government list of sanctioned individuals.
- You are 18 years or older.
- You are not currently, nor have you ever been, an employee of Placer.ai or a subsidiary.
- You are reporting as an individual and not part of a company.
- Neither you nor any member of your family is under any contracting agreement with Placer.ai or a subsidiary, nor has been for the past 6 months.
- You did not and will not access any personal information that is not your own, including exploiting the vulnerability.
- You did not and will not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
- Your country of residence may have local laws that add restrictions on your eligibility to participate in the bug bounty.
- You provide the necessary payment and identity information to enable us to validate the above information.