Responsible Disclosure Program
At Swoogo, we strive to build high quality, reliable, and secure software that brings a high degree of value to our customers and strive to do so with efficiency and creativity. We value and welcome ethical hackers to find and report vulnerabilities to us. Our Responsible Disclosure Program (“RDP”) guidelines are listed below.
Program Terms
Please note that your participation in the RDP is voluntary and subject to the terms and conditions set forth in this document (“Program Terms”). By submitting a site or product vulnerability (each, a “Submission”) to Swoogo, LLC (“Swoogo”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of the Swoogo Event Cloud Order Form, the Swoogo Privacy Policy, and any other agreement in which you have entered with Swoogo (collectively “Swoogo Agreements”). The terms of those Swoogo Agreements will apply to your use of, and participation in, the RDP as if fully set forth herein. If any inconsistency exists between the terms of the Swoogo Agreements and these Program Terms, these Program Terms will control, but only with regard to the RDP.
To encourage responsible disclosures, Swoogo commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the Swoogo Agreements, Swoogo will not bring a private action against you or refer a matter for public inquiry.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
Disclosure Guidelines
By providing a Submission or agreeing to the Program Terms, You agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without Swoogo’s prior written approval.
General Guidelines
- You may not commit any privacy violation, degradation, or disruption to the availability of our production systems during your testing.
- You may not attempt to brute-force or spam our systems.
- If the identified vulnerability can potentially extract information about our customers or systems, or impair our systems’ ability to function normally, then you must refrain from actually exploiting such a vulnerability. This is necessary for us to consider your disclosure a responsible one.
- You must keep your disclosure confidential between yourself and Swoogo until we resolve the issue.
- We will undertake reasonable efforts to confirm and fix issues promptly.
Vulnerability Submissions
Please report any security issues you find to [email protected]. If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.
Please include the following in your submission:
- Your name and contact information.
- Company name (if applicable).
- A detailed description of the potential vulnerability.
- Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability.
- The relevant details of your system’s configuration, such as any browser or user-agent information and operating system version.
- Your IP address and Swoogo account or event registration, so we can coordinate your activity with our logs.
Ownership of Submissions
As a condition of participation in the Swoogo RDP, you hereby grant Swoogo, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Swoogo in connection therewith, for any purpose. You should not send us any Submission that you do not agree to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Swoogo. In no event shall Swoogo be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials that are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Swoogo complies with the terms of participation stated herein.
Confidentiality
Any information you receive or collect about Swoogo or any Swoogo user through the RDP (“Confidential Information”) must be kept confidential and only used in connection with the RDP. You may not use, disclose or distribute without Swoogo’s prior, written consent any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Swoogo sites.
Indemnification
In addition to any indemnification obligations you may have under the Swoogo Agreements, you agree to defend, indemnify and hold Swoogo and its subsidiaries and affiliates, and its and our officers, directors, agents, joint ventures, employees, and suppliers (each, an “Indemnified Party”), harmless from any claim or demand (including attorneys’ fees) made or incurred by an Indemnified Party and/or any third party due to or arising out of your Submissions, your breach of these Program Terms, and/or your improper use of the RDP.
Changes to Program Terms
The RDP, including its policies, is subject to change or cancellation by Swoogo at any time, without notice. As such, Swoogo may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the RDP after Swoogo posts any such changes, you accept the Program Terms, as modified.
Thanks!
We really appreciate you working with us to responsibly submit a disclosure and working with us to improve our security. We recognize the work and talent you’ve put into finding these issues and thank you for reaching out to us.
Our PGP Key
If you are submitting sensitive vulnerability information or wish to communicate with us privately about your concern, please use the following PGP key to encrypt your message to [email protected].
-----BEGIN PGP PUBLIC KEY BLOCK----- xsFNBGoypOgBEADLRPjol2kIgdK5uGC1/Eev0NhLiTUTdz5vCO/wZ0gFotaN09Za 2CaO0J15yoz6n2KzA3/cKiAr4RufTkhjGSOfR3e094QbmteLDyJYYHNoVWubbg6r 3jyaHK+8qnwRpeYjPiHYy4G3lW6PanXFAknte1i+lxk6lCYi45NkG9zD47RqKaEG 1IQM2PpPYJV3MxL5sPPertR/J1xzgKUKuaLjZHJHVRa2q6upxMmbe8i/sUjYlzye bDjZANGSViu6fxD6HKw7U8JZA5gXf8igPceu7FqshUm/Yx8mRyUFf0j2SvOX+PqE 80N+eCLR6UY4qpXh0VBYKAEPSZVPR6n/cdk0TokYgTLcvYCkNfVWc3RvvIfA3yqh /tD58eI5qS4h+6db3cCxRNJaC0HOkeX4HCtSmWSaqGhMi/TqteN+J9u85qGtN6tZ DM09p+kPN4YEx88q1QJLyqqycSQSwGc4tk9ZXhUyxNapvqERq/1DcZBqktcrUaTx EFshndyyMXWmJBfoCNNFtcp0LINJTUyIyVGQu5apOeIE7RtiKokG3/BSYr5MAKZu i4Dc8voG0QrO403+Lx3WfN89GoA9WF7dvGsWv0tUclcYteaHSNpLRHoYvArXnk6u QK8OwxtqPjyn6tmSNmzE+QaHORFskADjrjQdqYYPdVlP7hylZ7zUVQJVqwARAQAB zSNTd29vZ28gUHJpdmFjeSA8cHJpdmFjeUBzd29vZ28uY29tPsLBeAQTAQgALAUC ajKk6AkQxG7j6AWsrY4CGwMFCR4TOAACGQEECwcJAwUVCAoCAwQWAAECAABpUxAA QzA2S38ErRdkpPutZydqhTS/XlyyltuYaBv8O92tgwLdasak6ygabuFURNUcAg7T DXmY7hIuAonAC+QDUUJq3+Pd0OJfJGcjGvDiP9dFY4sA/X3JNSh3G/Q4yDL53/rg eVwVSB3i6qDpm6E13MPpH36d3x8twJbQKnuJ+Ilh2sInYjcsYEtLnTHFCuSF5mEJ HmkYg0F/iQl85yupWFVu8bILrLaIRIctJRpuUiN5uNytWKRNhi/yBuKpK3bedvzK qHhUwyi8f3AXWStC4XB/W1ZZIZV6XXpC3coa1NQk1LSu4Sa9mR1VDSTbYxlWiwTL GG4rR7exe/FEQ6d3sELHvrOwqndhJvcK+Qs71K+UQvkAKQCLyZ2wZ/YnllsrPR0c YfWlm/Gr9lVJPB+E4Ysdw2cg33ozClZ5vYEM7dRcwkjZ+ufzTMEtSQ8wpUO8f68b 7nLZYPz9R1I+YzNuOOYzrzgO6pEKEX5k1ARZjc56uTVzyh7Ac/Idaz/28jllklKm upgVJwTIyuGc1Gr+NsNSa8A6WMy59N38SztGJtTkSa3kyNyTEjBaWKB3Hc/NR+WJ pNBv7I3zCqwQ3EZ0maBnosU/OC5PBeutXYoZ4hNKzeO5cgOgynVNbg4DxXxaQKML sZtNwcWnerNhh2Ari1PBuRN1oBCjJ49kKvnW1G8QgDDNJFN3b29nbyBQcml2YWN5 IDxzZWN1cml0eUBzd29vZ28uY29tPsLBdQQTAQgAKQUCajKk6AkQxG7j6AWsrY4C GwMFCR4TOAAECwcJAwUVCAoCAwQWAAECAAAvPBAASyN8bbsQ1Iz+HKPwMpQm0uje oxd2cMyM8hVJD/klCon9MXcC2QTMhYhfhjzS54YDaRdlL5Twkor3sNRuMqryQf4n zaq3MIN7Ex9L8z5HGkOMFjoY/t0ZIFNNaxQNDIqkn95wIETECdb+nPvC4KZOlGxZ mh5jzKJEKOaAJ99AiyD/63kVMrHHvtoL/uN/ApBeJ+7rPXw0t3JWPkqfSmbOKbOI qk4t0C0ozfrDo+Is3GiHpnpKVBf1ISUj1d4Xccqf5RDGZFi2jTJac9dScKboTvQn X19Emw7KsY5CMjQIFeI5OjyMOn0oM9VDFWCAHl/vp4aRTUNXgoIPf96ENESJhd6R Zw1xXG1vr1y61p0yqYG1ReBmybfuV/Wpl/6qIn9NcIW2+sCLKcc7UAAAoQYRAR1C PFu450ac9UwUGlntus/q1QDhHWihaNOXb3Td1fxszG5tKT7pG5QkBSaQk1cUZ9l4 RDX1CZQ9/55BEvD6Pvrb213tHCGaiQ9gs9URjrddHu9JvcMdvPpb48t1v6gNvt7X Yo0jIoF6Hp1IDiJrcWB7MAabmARI4lL+2McgeZEHigkZyeNSyv05zwiwQFRfHZEB TC595HXOjEolMku2x30IQhiReeKHD6uOXSEJgWje9tMsJttYkOtAE5+wzeVMJRBJ Z/rrVaVOy3MSZJAFEc7OwU0EajKk6AEQANBGbnfCcqaU7nSWAF28sFN4hyfAfx8q ArtZab0E+jGtAPvz2HYa92n7Kxm9P7gg7phYXMaEVRMzRjHSlQ60TvktaitNGyzt nPxK9VJnb7ecKH0dpv2TMee82INwL/WtzH7zH6c5uHCAHLnznTrZ6aftDGTia1TR bgiznUHXBq0qxUIJPDFNZO9Ge9BvEmCGmKJFIY/t1WN79v2I7dLmkDWJK/ZiorVY 03Vm5c6vE7zuizlyc/hJ0ah54mLvZeXAPa+d8bIZMyGnbHZcMfCGzk6z0Nf4Ssen vJBBnnlf8JD47xaXLP5TTDBGMoQ3GF9y+KncawLnAKXwvQxj/2/WPvr2ZrLC8b6T aX3Eob1zI4rkx+/gH/Q61bntxF5dZNr7yOsZYQZvIYD4inqabIuHYoOO8krDF6Jl XTTUT0diRK4BHYclJ+TbnXBJTxMYP+ngRC3oHP78P25mE+n9Iy7oKlLYeYJjncrg 1CFBx7oTl946VXfYjFQIjmc4pEO4ceW/ZBNzBksRbN5NK3KTvc1HrKpd42XkDmGh 1YNyIsiWGFqB3YrM6kT0Y/i65riCSTwuaHgSxUi4sbajIOad94L2TVsIwyCAOKDb 1mkUqGPWYU8wCGwVM9UqbkyMJmi80ucSW3/zmyU+UGhp9xuFkB+3lXua4eJHXbhq DGw8i1u6COFdABEBAAHCwXUEGAEIACkFAmoypOgJEMRu4+gFrK2OAhsMBQkeEzgA BAsHCQMFFQgKAgMEFgABAgAAFKYQAAXtPgknUhSmTO/SSsWCilvw6K4ln0PihVCY 5hrWh6RQGNTTYeNiNLiL+lHrPtmfSVCunI4kZ4enD1yfSeZCot2i795ONfLtBy3p jw78I5+Z9p8DUm6tUV6OFxrS7/TSRNXMAX1OX5AnyfvXeG97SprQEbFXWV4u4Oyu EXRozhm/DWecH2XdBO9w7lmkuVq5dKJurjXTesQp719SYcxkLltfZCAusBn290Ak WFt61dzpwgnJEHNpNe670/3DrBA/YHwumFlNFy36LYF9Xj4saDGwH68XeCeT4VsJ g8lhbyqezRS4SFYp1cQJ6WVrn86c9BRiYFp188J2WqwNOLxMt63xxUWrjzcRmJof v8DcC77ux+MmSvA3W7ke7kWvFmyXu8k3JyHD10oUoYMTNuQd3S/j6rIuPMxgVAzL ztnJDtnHH91TvkC47/xkNZ7HDPpuvNyF9n6PWWkz/Cm9RZhvYmeTfLDfbropYn7c C/CfdqwYVBmNQpz7ad0YQLNpEWljfK67BKYy/9vo/kt+QkQ34AOPEMDswbQo6rzq 5d652kYBHQ+Sqrysk+7B78so+vL+1FBvecGW9nfN05334tOeTfxIMm7EuylH4h1f vkcgB8u1sHe570JwOjEW18jqIhhpxI07lZhRYiQ+4nH4iWepQ7fztkcJns/NFRVz rVBn9kL2 =h7dZ -----END PGP PUBLIC KEY BLOCK-----