Effective date: September 26th, 2024
The Browser Company of New York Inc.’s “Bug Bounty Program” (aka, the “Program”)
We recognize the important role that security researchers and our user community play in helping to keep The Browser Company of New York Inc. (“Browser”) and our users secure. If you have discovered a site or product vulnerability, you may be eligible, subject to Browser’s sole discretion and your agreement to the terms below, to a monetary award in accordance with the terms and conditions set forth below (the “Program Terms”).
If an issue is not explicitly “Out of Scope” and there is a security impact, we want to know about it. Issues without security impact that are submitted to the Program will be closed. Please review the program’s “Out of Scope” section and all other policies before submitting a report.
Your participation in the Program is voluntary. Before finding and reporting any vulnerabilities or other suggestions or feedback (each, a “Submission”) to Browser, you acknowledge that you have read and agree to the Program Terms. In these terms, references to “you” or “researcher” refer to a researcher that submits a Submission in accordance with the Program Terms, and “we” or “us” refers to Browser.
These Program Terms supplement the Browser Terms of Use and Privacy Policy available on the Browser website, and any other agreement in which you have entered with Browser (collectively “Browser Agreements”). The terms of those Browser Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If and to the extent any inconsistency exists between the terms of the Browser Agreements and these Program Terms, these Program Terms will control.
Table of Contents
I. Program Terms
- Safe Harbor
- Program Eligibility
- Program Rules
- Disclosure Policy and Confidentiality
- Legal
II. Submitting Reports
- Submission Process
- Report Quality
- Out of Scope
III. Bounty Awards
- Pay At Triage
- CVSS Scoring Exceptions
- Additional Reward Policies
I. Program Terms
1. Safe Harbor
Any activities conducted in a manner consistent with these Program Terms will be considered authorized conduct, and we will not initiate legal action against you in connection with such activities. If legal action is initiated by a third party against you in connection with activities conducted in accordance with these Program Terms, we will make it known that your actions were conducted in accordance with these Program Terms. Browser reserves all legal rights in the event of noncompliance with these Program Terms.
2. Program Eligibility
To be eligible to participate in the Program, you must:
- Be at least 18 years of age.
- Not be employed by Browser or any of its affiliates or an immediate family member of a person employed by Browser or any of its affiliates.
- Not be a resident of, or make Submissions from, a country against which the United States has issued export sanctions or other trade restrictions and not otherwise be an embargoed or restricted person.
- Not be in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to the Program.
If (i) you do not meet the eligibility requirements above; (ii) you breach any of these Program Terms or any other agreements you have with Browser or its affiliates; or (iii) we determine that your participation in the Program could adversely impact us, our affiliates or any of our users, employees or agents, we, in our sole discretion, may remove you from the Program and disqualify you from receiving any benefit of the Program.
3. Program Rules
Do:
- Do abide by these Program Terms.
- Do respect privacy & make a good faith effort not to access, process or destroy personal data.
- Do be patient & cooperate with us in good faith, including by making a good faith effort to provide clarifications to any questions we may have about your Submission.
- Do be respectful when interacting with our team, and our team will do the same.
- Do perform testing only using accounts that are your own personal/test accounts.
- Do exercise caution when testing to avoid negative impact to users and the services they depend on.
- Do stop whenever unsure. If you think you may cause, or have caused, damage with testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
- Do limit exploitation only to the extent necessary to provide a proof of concept for your report. Exploitation should not harm actual users or systems, and misuse of any compromised data is strictly prohibited.
Do NOT:
- Do not leave any system in a more vulnerable state than you found it.
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not participate in denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not publicly disclose a vulnerability without our explicit review and consent.
- Do not engage in any form of social engineering of Browser employees, customers, affiliates or partners.
- Do not engage or target any Browser employee, customer, or partner during your testing.
- Do not attempt to extract, download, or otherwise exfiltrate data that may have personal data or other sensitive data other than your own.
- Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Do not interact with accounts you do not own.
4. Disclosure Policy and Confidentiality
Any data you receive, obtain access to or collect about Browser, Browser affiliates or any Browser users, employees or agents (or any of their businesses, products, systems, strategies or technologies) in connection with the Program (including, without limitation, your Submissions and the vulnerabilities they report) is considered Browser’s confidential information (“Confidential Information”). Confidential Information must be kept confidential and only used: (i) to make the disclosure to Browser under the Program; or (ii) to provide any additional information that may be required by Browser in connection with the Submission. No further use, exploitation or disclosure of Confidential Information is allowed. Upon Browser’s request, you will permanently erase all Confidential Information from any systems and devices. You may not use, disclose or distribute any such Confidential Information in any way, including without limitation any information regarding your Submission, without our explicit prior written consent. To request such consent, you must submit a disclosure request to our Program. Please note, not all requests for public disclosure will be approved. Any unauthorized public disclosure will result in immediate disqualification from the Program and ineligibility for receiving Bounty Payments, in addition to all other remedies we may have.
5. Legal
Browser reserves the right to modify the Program and/or the Program Terms at any time. Please check this site regularly for any updates to the Program and/or Program Terms, which are effective upon posting. Your participation in the Program after a change to the Program and/or Program Terms is effective means that you agree to all of the changes. As a condition of participation in the Program, you hereby acknowledge and agree that Browser shall own solely and exclusively and in perpetuity all right, title and interest (including all intellectual property and proprietary rights) relating to any and all Submissions (including any materials submitted to Browser in connection therewith) and you will promptly disclose and provide all Submissions to Browser. You hereby make and agree to make all assignments necessary to accomplish the foregoing ownership. You shall further assist Browser, at Browser’s expense, to further evidence, record and perfect such assignments, and to perfect, obtain, maintain, enforce and defend any rights purported to be assigned. You should not send us any Submission that you do not wish to assign to us. You hereby represent and warrant that the Submission is original to you and you have the full right to provide Browser with the assignments and rights provided for herein. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Browser. In no event shall Browser be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission, so long as Browser complies with the terms of participation stated herein.
II. Submitting Reports
1. Submission Process
Please submit your Submission via email to [email protected]. We will use commercially reasonable efforts to acknowledge receipt of your Submission within 1 business day and, if applicable, to provide an estimated timeline for resolving the vulnerability(ies) identified in your Submission.
2. Report Quality
High quality submissions allow our team to understand the vulnerability better and engage the appropriate teams to fix them. The best Submissions provide enough actionable information to verify and validate the vulnerability without requiring any follow up questions for more information or clarification. We recommend you provide enough information to (i) outline the vulnerability; (ii) reproduce the vulnerability; (iii) assess the coverage the vulnerability applies to; and (iv) provide additional related logs or information. Not all Submissions look the same, but many high quality Submissions share these common features:
- The vulnerability reported is verifiable and reproducible. A vulnerability that is not verifiable or reproducible by us will not be considered in-scope.
- Detailed descriptions of your discovery with clear, concise, reproducible steps or a working proof-of-concept (POC). If you do not explain the vulnerability in detail, there may be significant delays in the process, which is undesirable for everyone.
- Screenshots and/or videos can sometimes assist security teams in reproducing your issue. Most teams prefer written reproduction steps, but screenshots and videos can be used to augment your report and make it easier for security teams to quickly understand the issue you're reporting. Video-only proof-of-concepts (PoCs) will not be considered.
- Detailed descriptions of the impact of the vulnerability; if this vulnerability were exploited, what could happen? Security teams need to file bugs internally and get resources to fix these issues. Describing why the vulnerability is important can assist in quickly understanding the impact of the vulnerability and help prioritize response and remediation.
- The vulnerability reported is within the scope of the Program. Check the scope page before you begin writing your Submission to ensure that’s the case.
- Detailed description of the attack scenario and exploitability of the vulnerability to make it easier for our team to reproduce the issue (include screenshots if possible).
- Detailed description of your understanding of the security impact of the issue. Our Bounty Payments are directly tied to security impact and all reports must demonstrate a security impact to be considered for a Bounty Payment, so the more detail you can provide, the better. We cannot provide Bounty Payments after the fact if we don’t have evidence and a mutual understanding of security impact.
- In some cases, it may not be possible to have all of the context on the impact of a vulnerability. If you’re unsure of the direct impact, but feel you may have found something interesting, feel free to submit a detailed report and ask.
3. Out-of-Scope
The following vulnerabilities and Submissions are deemed Out-of-Scope from the Program and are not eligible for a Bounty Payment.
- Submissions made within seven (7) days of a release which identify vulnerabilities related to such release
- Submissions related to vulnerabilities identified in third-party code or open source components
- Vulnerabilities identified via physical or social engineering attempts (this includes phishing attacks against Browser employees)
- Ability to send push notifications/SMS messages/emails without the ability to change content
- Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc)
- Vulnerabilities with negligible security impact (to be determined in Browser’s sole discretion)
- Unchained open redirects
- Submissions that state that software is out of date/vulnerable without a proof-of-concept
- Highly speculative Submissions about theoretical damage
- Vulnerabilities as reported by automated tools without additional analysis as to how they're an issue
- Submissions based upon reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- SSL/TLS scan reports (this means output from sites such as SSL Labs)
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- CSV injection
- Best practices concerns
- Protocol mismatch
- Rate limiting
- Dangling IPs
- Missing cookie flags on non-authentication cookies
- Issues that require physical access to a victim’s computer/device
- Path disclosure
- Banner grabbing issues (figuring out what web server we use, etc.)
- If a site is abiding by the privacy policy, there is no vulnerability.
- Enumeration/account oracles
- Account oracles: the ability to submit a phone number, email or UUID and receive back a message indicating a Browser account exists
- Distributed denial of service attacks (DDoS)
III. Bounty Payments
1. Eligibility; Payment Terms. You may be eligible to receive a monetary reward (“Bounty Payment”) if and only if: (i) you meet all eligibility requirements set forth herein; (ii) you are the first person to submit a vulnerability, or Browser determines, in its sole discretion, that you are one of two or more people to submit the vulnerability within seventy-two (72) hours of one another, in which case the Bounty Payment will be split as discussed below; (iii) Browser determines that your Submission is of high quality and that the vulnerability is a valid security issue and is not Out-of-Scope; and (iv) you have complied with all Program Terms. In addition, in order to receive a Bounty Payment, you will be required to enter into a separate Bug Bounty Agreement with Browser (the “Bug Bounty Agreement”), which Browser will provide to you. All Bounty Payments shall be considered gratuitous. All Bounty Payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty Payments you receive, as determined by the laws of your jurisdiction of residence or citizenship; if Browser becomes aware of any tax reporting or withholding requirements related to your Bounty Payment, or believes that any such requirements may apply, Browser is entitled to file such reports, withhold any applicable amounts from your Bounty Payments, and defer payment to you until you have provided any information necessary to allow Browser to comply with such requirements.
2. Bounty Payment Amounts.
Browser has sole discretion to determine whether a Submission is eligible for a Bounty Payment, and the amount of such Bounty Payment, which will be set forth in the Bug Bounty Agreement. Such determination will be based on a number of factors, which may include:
- Severity: A vulnerability that Browser deems critical will generally receive a higher payout than one that Browser determines has low severity.
- Impact to our Business: A vulnerability affecting a high-traffic service or core business function could receive a higher payout given the potential consequences for users and business operations.
- Exploit Complexity: We reward Submissions that show a deep understanding of our system and identify complex attack vectors.
- Fix Complexity: If a fix requires a substantial amount of work, a higher payout may be justified to reflect the cost and effort of remediation.
If Browser determines, in its sole discretion, that multiple people have made a Submission regarding the same vulnerability within seventy-two (72) hours of one another, the Bounty Payment will be split among any such persons who otherwise meet all eligibility requirements. Browser shall have sole discretion over how to split the Bounty Payment among such eligible persons, which determination will be based on a number of factors, including the quality of each person’s Submission.
All determinations as to the amount of a Bounty Payment made by Browser are final. Previous Bounty Payment amounts are not considered a precedent for future Bounty Payments. Bounty Payments are not additive and are subject to change as our internal environment evolves. In no event is Browser obligated to provide a Bounty Payment for any Submission. The format and timing of all Bounty Payments shall be determined by Browser in our sole discretion.