In an effort to keep our systems and data secure, Good Eggs invites well-formed and responsibly disclosed reports of security issues (“bugs”) as described below (the “Bug Bounty Program”). We support independent security research. Depending on the bug’s security impact, researchers may qualify for a bounty payout (see below for details).
Your participation in the Bug Bounty Program is voluntary. By submitting a vulnerability to Good Eggs, you acknowledge and agree that your participation is subject at all times to the terms and conditions set forth on this page (the “Program Terms”). Any bug-related submission you make to Good Eggs, whether via the Bug Bounty Program or otherwise, together with any verbal or written ideas or feedback to Good Eggs concerning any platform or services, will be considered a “Submission” for purposes of these Program Terms.
The Bug Bounty Program, including without limitation the Program Terms, is subject to change or cancellation by Good Eggs at any time, with or without notice. Good Eggs may amend these Program Terms and/or the Bug Bounty Program at any time by posting a revised version on its website or this site. By continuing to participate in the Bug Bounty Program after any such changes, you accept the Program Terms as modified.
You are not eligible to participate in the Bug Bounty Program if you are: (i) a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria); (ii) employed by Good Eggs or any of its affiliates; (iii) an immediate family member of a person employed by Good Eggs or any of its affiliates; or (iv) less than 18 years of age (each, a “Prohibited Participant”).
If (a) you are a Prohibited Participant; (b) you breach any of these Program Terms or any other agreements you have with Good Eggs or its affiliates; or (c) Good Eggs determines that your participation in the Bug Bounty Program could adversely impact Good Eggs, its affiliates or any of their users, employees or agents, Good Eggs, in its sole discretion, may remove you from the Bug Bounty Program and/or disqualify you from receiving any benefit of the Bug Bounty Program. In addition, Good Eggs may terminate the Bug Bounty Program at any time, without notice to you.
Please send any security issues you identify to security@goodeggs.com. We would appreciate it if you could include the following information:
Please specify if we may publicly credit you. In case you need to send any sensitive information, please encrypt the message using this PGP key.
You hereby grant to Good Eggs and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import your Submissions, and any materials submitted by you in connection with your Submissions, for any purpose. You should not send us any Submission that you do not wish to license to us. In no event shall Good Eggs be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in your Submissions irrespective of their similarity to the information in the Submission.
You hereby represent and warrant (i) that all Submissions are original to you and you own all right, title and interest therein and thereto, and (ii) that your participation in the Bug Bounty Program will not violate any applicable law, disrupt or compromise any data that is not your own or violate the rights of any person.
You agree that you will not at any time: (a) attempt to gain unauthorized access to another user’s account or data; (b) undertake any action or attack that could harm the reliability or integrity of our products, services or data; (c) impact others’ access to or use of our products or services in connection with your testing, including testing for vulnerabilities in repositories that you do not own; (d) use scanners or automated tools to find vulnerabilities; or (e) undertake or attempt to undertake actions such as social engineering, phishing, DoS attacks, black hat SEO techniques or spamming, physical attacks against our employees, users, affiliates or infrastructure or other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.
You hereby waive all other claims of any nature arising out of any disclosure of Submissions to Good Eggs.
You may be eligible to receive a monetary reward, or “bounty payout,” if Good Eggs, in its sole discretion, determines that: (i) you are the first person to submit a particular vulnerability; (ii) the vulnerability is verifiable, replicable, and determined to be a valid security issue by Good Eggs in its sole discretion; and (iii) you are in compliance with the Program Terms and our Terms of Service.
Bounties are determined in Good Eggs’ sole discretion, but generally will be sized based on a bug’s security impact, using a formula based on the NVD CVSS v3 Calculator. Security issues that have a secondary impact a researcher may not initially realize, or that pose a larger potential risk to customers, will also tend to be rewarded better. In general, a higher-quality write-up and proof of concept will be rewarded with a higher payout. We will not disclose our formulas or calculations, and any bounty offered is non-negotiable. In no event is Good Eggs obligated to provide a payout for any Submission. All determinations as to the amount of a bounty made by Good Eggs are final.
We take our security seriously and will respond to every submission. Evaluating submissions will take time! Whenever possible we will update researchers on the state of their submissions as they travel through the process. Please don’t spam us with status update requests.
This program is not open to minors, individuals on sanctions lists, or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law.
You also must not disrupt any service or compromise anyone’s data. For example, any activity beyond what is needed to provide us a “proof-of-concept” (dumping databases, taking screenshots of systems you don’t own, exfiltrating auth cookies, etc.) may disqualify you.
Any information you receive or collect about Good Eggs, its affiliates or any of their users, employees or agents in connection with the Bug Bounty Program, including your Submissions (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information without Good Eggs’ prior written consent.