Promo.com Ltd. (“Promo”, “we”, “us” or “our”) is committed to safeguarding the security of its services, customer information, and web pages (“Services”). This policy intends to give clear guidelines for those desiring to participate in, and be rewarded and recognized for, Promo’s Security Bounty Program (the “Bounty”) by submitting to Promo a valid, eligible, and originally discovered vulnerability report (“Reports”).
This policy describes the Reports and related activities covered under this policy. It explains how to send us Reports and what terms apply regarding rewards and public recognition for Reports.
By submitting a Report to us, you acknowledge and agree to this Policy.
If you make a good faith effort to comply with this policy and follow its guidelines in your Bounty-related activities, we will not consider your activities to be in breach of the Promo Terms of Service found at https://promo.com/terms-of-service.
We encourage you to contact us to report potential vulnerabilities in our Services via our designated email address available at [[email protected]], pursuant to this Policy. By emailing us any information to this email address, you confirm that you have read and agree to this Security Vulnerabilities Bounty Policy.
Under this policy, an eligible “activity” means anything in which you comply with all of the following:
Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must promptly stop your test or investigation, notify us immediately, and not disclose to anyone else the data or the information related to the vulnerability on the Services.
What we would like to see in Reports:
In order to help us triage and prioritize submissions and to meet the clear reporting requirements under this Policy, we require that your Reports:
You may be rewarded for eligible Reports under the following additional conditions:
Discretionary factors impacting the amount of the reward for a Report include (but are not limited to):
This policy applies to the following Services:
The following test methods are not authorized and must not be attempted:
Services of Promo.com not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. If you aren’t sure whether a Service is in scope or not, contact us via our designated email address [[email protected]] before starting your activity.
Promo will collect your name and email address when you email the Report to us.
Promo may also ask you to provide the following:
Promo may use and share the above personal information for the following purposes only:
Questions regarding this policy may be sent via our designated email address [[email protected]]. By emailing us any information to this email address, you confirm that you have read and agree to this Security Vulnerabilities Bounty Policy.
Last updated on: March 14th, 2022.