Responsible Disclosure Program
At Swoogo, we strive to build high-quality, reliable, and secure software that brings a high degree of value to our customers, and to do so with efficiency and creativity. We value and welcome ethical hackers who find and report vulnerabilities to us. Our Responsible Disclosure Program (“RDP”) guidelines are listed below.
Please note that your participation in the RDP is voluntary and subject to the terms and conditions set forth in this document (“Program Terms”). By submitting a site or product vulnerability (each, a “Submission”) to Swoogo, LLC (“Swoogo”) you acknowledge that you have read and agreed to these Program Terms.
To encourage responsible disclosures, Swoogo commits that, if we conclude, in our sole discretion, that a disclosure respects and meets all the guidelines of these Program Terms and the Swoogo Agreements, Swoogo will not bring a private action against you or refer a matter for public inquiry.
As part of your research, do not modify any files or data, including permissions, and do not intentionally view or access any data beyond what is needed to prove the vulnerability.
To be eligible for the RDP, you must not:
- Be a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria);
- Be in violation of any national, state, or local law or regulation;
- Be employed by Swoogo or its subsidiaries;
- Be an immediate family member of a person employed by Swoogo or its subsidiaries or affiliates; or
- Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.
If Swoogo discovers that you meet any of the criteria above, Swoogo will remove you from the RDP and disqualify you from receiving any Bounty Payments.
By providing a Submission or agreeing to the Program Terms, you agree that you may not publicly disclose your findings or the contents of your Submission to any third parties in any way without Swoogo’s prior written approval.
Failure to comply with the Program Terms will result in immediate disqualification from the RDP and ineligibility for receiving any Bounty Payments.
- You may not violate anyone's privacy, or degrade or disrupt the availability of our production systems, during your testing.
- You may not attempt to brute-force or spam our systems.
- If the identified vulnerability can potentially extract information about our customers or systems, or impair our systems’ ability to function normally, then you must refrain from actually exploiting such a vulnerability. This is necessary for us to consider your disclosure a responsible one.
- You must keep your disclosure confidential between yourself and Swoogo until we resolve the issue.
- We will update each submission with significant events, including confirmed validation, information requests, and whether you have qualified for a reward or recognition.
- We will undertake reasonable efforts to confirm and fix issues promptly.
- Submissions may be closed if you are non-responsive to requests for information after seven days.
The following are in scope as part of our Responsible Disclosure Program:
- The Swoogo marketing website at https://swoogo.events.
- The Swoogo web application at https://www.swoogo.com.
- The most current Swoogo (production) mobile applications available on Google Play or Apple App Store.
- Event site(s) that may be directly provided for the purpose of testing.
Out of Scope
The following are not in scope as part of our Responsible Disclosure Program:
- Other *.swoogo.com domains, including staging, test, or development environments.
- Any *.swoogo.net domains.
- Any events tied to customer domains or aliases other than those listed as In Scope.
- Our “Book a Demo” forms and all other forms on swoogo.events.
- Vulnerabilities identified with automated tools (including web scanners) that do not include proof-of-concept code or a demonstrated exploit that was manually verified.
- Third-party applications, websites or services that integrate with or link to Swoogo.
- Discovery of any in-use service (vulnerable third-party code, for example) where the running version includes known vulnerabilities without demonstrating an existing security impact.
- Findings derived primarily from social engineering (e.g., phishing, vishing).
- Functional, UI, and UX bugs and spelling mistakes.
- Network-level Denial of Service (DoS/DDoS) vulnerabilities.
- Our mail servers or related DNS records (MX, TXT, SPF, DMARC, etc.).
- Path disclosure.
- Information disclosure.
- Version disclosure.
- CRIME/BEAST attacks and missing HTTP security headers (CSP, X-XSS, etc.).
- Missing cookie flags on non-sensitive cookies.
- Vulnerabilities affecting users of outdated browsers or platforms.
Please report any security issues you find to [email protected]. If your submission contains any sensitive vulnerability information, please encrypt it using our PGP public key at the bottom of this page.
Please include the following in your submission:
- Your name and contact information.
- Company name (if applicable).
- A detailed description of the potential vulnerability.
- Exact steps to reproduce the issue, including any associated URL and parameters demonstrating the vulnerability.
- The relevant details of your system’s configuration, such as any browser or user-agent information and operating system version.
- Your IP address and Swoogo account or event registration, so we can coordinate your activity with our logs.
You may be eligible to receive a monetary reward (“Bounty Payment”) if: (i) you are the first person to submit a site or product vulnerability; (ii) that vulnerability is determined to be a valid security issue by Swoogo’s security team; and (iii) you have complied with all Program Terms. Each submission will be evaluated on a case-by-case basis. The decision and amount of the reward will be at our discretion. In no event shall Swoogo be obligated to pay you a bounty for any submission. All Bounty Payments shall be considered gratuitous.
All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship. You may be required to provide us your personal information so that proper disclosures can be made by Swoogo to applicable taxing authorities and/or we can provide you appropriate tax documentation.
Swoogo retains the right to determine whether a bug submitted to the RDP is eligible. All determinations as to the amount of a bounty made by Swoogo are final. Bounty Payment ranges are based on the classification and sensitivity of the data impacted, the ease of exploitation, and the overall risk to Swoogo, its customers, and the Swoogo brand, as determined by Swoogo’s security engineers once they have confirmed a valid security issue.
Whether or not we offer a reward, we would consider publicly acknowledging your verified contribution in a Hall of Fame section on our website with your permission. We reserve the right to remove your name and/or discontinue such Hall of Fame section on our website at any time without notice to you.
Ownership of Submissions
As a condition of participation in the Swoogo RDP, you hereby grant Swoogo, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Swoogo in connection therewith, for any purpose. You should not send us any Submission that you do not agree to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Swoogo. In no event shall Swoogo be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials that are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Swoogo complies with the terms of participation stated herein.
If (i) you breach any of these Program Terms or the terms and conditions of the Swoogo Agreements; or (ii) Swoogo determines, in its sole discretion, that your continued participation in the RDP could adversely impact Swoogo (including, but not limited to, presenting any threat to Swoogo’s systems, security, finances and/or reputation), Swoogo may immediately terminate your participation in the RDP and disqualify you from receiving any Bounty Payments.
Any information you receive or collect about Swoogo or any Swoogo user through the RDP (“Confidential Information”) must be kept confidential and only used in connection with the RDP. You may not use, disclose or distribute without Swoogo’s prior, written consent any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Swoogo sites.
In addition to any indemnification obligations you may have under the Swoogo Agreements, you agree to defend, indemnify and hold Swoogo and its subsidiaries and affiliates, and its and our officers, directors, agents, joint ventures, employees, and suppliers (each, an “Indemnified Party”), harmless from any claim or demand (including attorneys’ fees) made or incurred by an Indemnified Party and/or any third party due to or arising out of your Submissions, your breach of these Program Terms, and/or your improper use of the RDP.
Changes to Program Terms
The RDP, including its policies, is subject to change or cancellation by Swoogo at any time, without notice. As such, Swoogo may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the RDP after Swoogo posts any such changes, you accept the Program Terms, as modified.
We really appreciate you working with us to responsibly submit a disclosure and to improve our security. We recognize the work and talent you’ve put into finding these issues and thank you for reaching out to us.
Our PGP Key
If you are submitting sensitive vulnerability information or wish to communicate with us privately about your concern, please use the following PGP key to encrypt your message to [email protected].
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQGNBGCwMBkBDAC22shcxD6R1gvkS/sOKeb4FQFkzlknm6JRB0Ba1SCxtXJjVkjf
HHSdH7qKDOYOh96B3RO93SuEZvCUYQIwv0mRpl5mZNYmOV9DH0zXuOR2VfO8L+O2
9osRkNfncmS2P4Gmvw+dewckAtFQDo01/AhlkzC5ivaFqN7GHNxxJzoEtUMqM6J5
8evlnfvJfivIPPVKchLYIgD6HxT9GPkqpVnrIdWpim3QVWBbiqX0vySDA65tuNoe
kAjqqXlj3FEKuCTOy34pKWTVTHHpkP3dzlMEES4Ggf/8lGo6k3LqYBb+l7vt/Zho
jsC6Hc/8nzEg+8xQ8i5Z3G40kqyaCFeM0yxVhm3o23oo9ZzGwlRcAIVZeextdkkw
ri3k0U1oJ6Ouqkmhwy4VblDFc8VfJ4UDcT5nAEugTGMyipQ+Evz1+nwaEb+Gfy64
V2lZ9NV/sE9sj8N/+8158O32O8vg9ry/zrv0VyNwyiqAk5YjhhA5H0pmYjKZBmm/
7PoA+r+lNzxFtfcAEQEAAbQjU3dvb2dvIFByaXZhY3kgPHByaXZhY3lAc3dvb2dv
LmNvbT6JAdQEEwEKAD4WIQQ4mFnDM+KoGd/oel7AXP2kkIGT+wUCYLAwGQIbAwUJ
A8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDAXP2kkIGT+wOsC/9YyIG2
ToyGZ5T4q8iz4hlOa+b5ZNfjvITBr5uu4M1WBCBBo39eGpqgNAj6XTNP6Y4VMB+T
+S9ebLXJlP3hoRZrY6ZqB9uxW18cRDeLZrcpxRF/m2qIgoxtetheUSwdtEbxjbJM
XOc9mqGcz+s1UHkWlK23kTS5OGMhXGY9bSw2W3SnnakaN35lVUZGH+NkF2C1hdwT
xYWo9CMXKW7hxcqdHoM+4Np6O82eNBIomBwQJNUamiqCcnW9O9LVlzBzA3HEzEZv
YmHamGHQmBjB9MGSRi/yIvg3H0VXPJg1zMTCZT0dSEnbfBI0oGee+r67Tm9/z2Rk
4gbG2de5NyGWLS05JzILj0dFMNImwNmAINzC6smqmy9EppvfEhEJB5qzPFWKFI17
nrYFz97ZnBxXA8mAphlvdIDewtg7T34LFZslsNzf61F2JjeZNqUVMPHE7kbS751P
9zh4mLDY6f3sOlmn50+9hIGlTOsSsQRAUWD1RKmS31hzQp2CxzeDoSNDuVS5AY0E
YLAwGQEMALVgI6sb85aTa5NsoIPe8Z0V14nb8phD2FQtgcAjIxQ+K1oUl9QafnVv
/O2oGygt8tSBrDHM8OTC88S7GZFgpIIM3gdpBFug39OsM4T0evinxwtTpu4EZOG7
nnVWhealcButBRfsaQLR5ZzezT7QdXl6vjwz1kn5fSd+NonUW8MrD+g6y5zsOyru
y9/1rzobfuVS5sxk0f6Xi02DKdwhLWE7GNUsGKrNz2S35+isr0fEqCLQ0G61F5fL
BOw2SaWW/5eO/P5N+Qw0fdlw9k5m0UBKf0AJ/EwN0InjslyJ3JR+6A5t8DPW0kFd
74akokvm3D4wFb2EDIzU/kdDD1XjET8unMX25o/dy5aa9VlQQ9Hd4OV+BNEs55cZ
s+RGEs1HDnbvqcHtkcdXfHNo48FkpjP19hBeXCHQj0tVe/cqn5+YR7pJu+Fiyb82
FASK3gtqFDhH9l63Dzjqs0SZ/lddXd2KwKh8p+wjXTGlHjdVktCjIIyhc7q/3EG3
pccU76wERQARAQABiQG8BBgBCgAmFiEEOJhZwzPiqBnf6HpewFz9pJCBk/sFAmCw
MBkCGwwFCQPCZwAACgkQwFz9pJCBk/t3UQv9HJYeCbJdTfhrDLmwo2/KaXPSO1XF
eHd5I/EpTVVThf4uTqrbD5oxFEWMU4O+sc6eNOXoE9yKjiUke0ade6iwYWTDBsCP
ZW/nVGcHlBwszutbVhR7tkehAb7edWPaXlOfKZVgEYtzA3ITKHkKqY0fZqaeA/FQ
pVMZnoFUsz3aJXcH4Ko90HluV/LofFIipwA+qtoVdzehgpFgSpGfmZUG5SQlsPiQ
YN9QN0aLseIR4KjhPF1doX83t9TIXepAocI/fxrnJbjabNnqKco/G3cOJdVNPNoN
4sBf8MFScUmcibuINcGnBPas1Oa3gJgzVfQjIKhzRHM6mp8gu4/yJRK+6UgFIECG
t12+1OF0M6MhtQNYIBDh7c8e8CBglQywEnQ1pwg9PG801UBcVH60e224Yi91H728
+rp0mtCgUqtzYHtOAhtGVv0htZkcM9SVcjKo/lncZQ4X3h9b9Hp+Nz7nQAm8g5K4
tFIDHrgWm5y7p/ggMopBIdpruOoSuJStISD9
=CxOr
-----END PGP PUBLIC KEY BLOCK-----