Promo's Bug Bounty Program

Our Security Vulnerabilities Bounty Policy

Introduction

Promo.com Ltd. (“Promo”, “we”, “us” or “our”) is committed to safeguarding the security of its services, customer information, and web pages (“Services”). This policy intends to give clear guidelines for those desiring to participate in, and be rewarded and recognized for, Promo’s Security Bounty Program (the “Bounty”) by submitting to Promo a valid, eligible, and originally discovered vulnerability report (“Reports”). 

This policy describes the Reports and related activities covered under this policy. It explains how to send us Reports and what terms apply regarding rewards and public recognition for Reports.

By submitting a Report to us, you acknowledge and agree to this Policy.

Good faith activities under this Policy are not considered a breach of our Terms

If you make a good faith effort to comply with this policy and follow its guidelines in your Bounty-related activities, we will not consider your activities to be in breach of the Promo Terms of Service found at https://promo.com/terms-of-service.

Guidelines

We encourage you to contact us to report potential vulnerabilities in our Services via our designated email address available at [[email protected]], pursuant to this Policy. By emailing us any information to this email address, you confirm that you have read and agree to this Security Vulnerabilities Bounty Policy.

Under this policy, an eligible “activity” means any activity in which you comply with all of the following:

  • You are the first to notify us in writing, after discovery, of a proven or potential information security issue that occurs on the publicly available Services, and your notification is a clear Report (as described below) resulting from your own original research.
  • You are 18 years of age or older at the time of participation. If you are under the age of 18, you may not participate in the Bounty in any way.
  • You are not a resident of a country subject to trade sanctions or embargoes, and you are not an individual listed on a trade sanctions or embargo list.
  • You do not engage in any privacy or data protection-related violations, degradation of user experience, disruption of the Promo Services, or disclosure, destruction, or manipulation of data on the Services.
  • You investigate exploits only to the extent necessary to confirm a vulnerability, and you do not compromise or exfiltrate data, establish persistent command line access, or pivot to other services.
  • You give us the required amount of time to mitigate the vulnerability and to verify the fix we have applied with a re-test before disclosing the matter to any third party or publicly.
  • You do not submit a high volume of low-quality Reports.
  • You comply with all applicable laws, including local laws that apply to you.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must promptly stop your test or investigation, notify us immediately, and not disclose to anyone else the data or the information related to the vulnerability on the Services.

What we would like to see in Reports:

In order to help us triage and prioritize submissions and to meet the clear reporting requirements under this Policy, we require that your Reports:

  • Be written in English.
  • Describe in detail where and how the vulnerability was discovered and the potential impact of its exploitation.
  • Include a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts, screenshots, videos, system diagnosis reports, and crash logs are helpful).

You may be rewarded for eligible Reports under the following additional conditions:

  • Bounty payments are granted at Promo’s reasonable discretion, based on the reward factors specified below and subject to the reward ranges indicated below.
  • Individuals under the age of 18 who have submitted Reports as part of the Bounty will not be eligible for a reward of any kind.
  • Promo will aim to review and respond to all valid Reports within 7 business days of receiving your submission. Promo will prioritize Reports based on the severity of the vulnerability submitted.
  • Promo may notify you of your eligibility and ask you to provide additional details to receive your reward. Following Promo’s receipt of your timely response with the additional information requested, Promo will remit the reward in USD within thirty (30) business days through one of the following payment methods (at Promo’s choice): PayPal or wire transfer.
  • You are responsible for any applicable taxes, tax filings or reports, and tax payments due under the tax laws that apply to you with respect to the reward you receive.

Discretionary factors impacting the amount of the reward for a Report include (but are not limited to):

  • The assessed level of access or execution achieved by the Reported issue.
  • The assessed quality of the Report.
  • The assessed extent and scope of effect on Promo’s Services.
  • The assessed extent and scope of effect on the confidentiality and integrity of Promo.com users’ data.
  • The assessed degree of uniqueness of the Reported issue to Promo’s newly added code and features.
  • The assessed extent and scope of impact on sensitive components.
  • The assessed degree of novelty of the Reported issue.

Bounty categories and rewards

Services             Risk       Reward Range
Promo.com website    Low        $25-50
                     Medium     $50-200
                     High       $200-500
                     Critical   $500-1000
Promo.com services   Low        $25-50
                     Medium     $50-200
                     High       $200-500
                     Critical   $500-1000

Authorized and unauthorized scope and test methods

This policy applies to the following Services:

The following test methods are not authorized and must not be attempted:

  • Network denial of service (DoS or DDoS) tests, or other tests that impair access to or damage a system or data.
  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing.

Services of Promo.com not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. If you aren’t sure whether a Service is in scope or not, contact us via our designated email address [[email protected]] before starting your activity.

Privacy

Promo will collect your name and email address when you email the Report to us.

Promo may also ask you to provide the following:

  • Your residential address.
  • For reward payment by PayPal: your PayPal email address; or
  • For reward payment by wire transfer: your first and last name, address, bank name, SWIFT code, IBAN number and sort code.

Promo may use and share the above personal information for the following purposes only:

  • To operate, administer and enforce this Bounty, and contact you as we believe may be necessary (including for updates and announcements regarding the Bounty). We may contact you with any matter directly or indirectly relating to the Bounty or arising from your Report.
  • To comply with applicable law and assist law enforcement agencies under applicable law, when we believe it is required or legally justified, and to take any action in any case of dispute or legal proceeding of any kind involving or related to you and the Bounty. We may share your personal information with competent authorities and third parties that may be related to the furtherance of these purposes, as well as with third parties to whom we believe that we are required by law to disclose your information.

Questions

Questions regarding this policy may be sent via our designated email address [[email protected]]. By emailing us any information to this email address, you confirm that you have read and agree to this Security Vulnerabilities Bounty Policy.

Last updated on: March 14th, 2022.