Bug Bounty Program Terms

Overview

In an effort to keep our systems and data secure, Good Eggs invites well-formed and responsibly disclosed reports of security issues (“bugs”) as described below (the “Bug Bounty Program”). We support independent security research. Depending on the bug’s security impact, researchers may qualify for a bounty payout (see below for details).

Participation

Your participation in the Bug Bounty Program is voluntary. By submitting a vulnerability to Good Eggs, you acknowledge and agree that your participation is subject at all times to the terms and conditions set forth on this page (the “Program Terms”). Any bug-related submission you make to Good Eggs, whether via the Bug Bounty Program or otherwise, together with any verbal or written ideas or feedback to Good Eggs concerning any platform or services, will be considered a “Submission” for purposes of these Program Terms.

The Bug Bounty Program, including without limitation the Program Terms, is subject to change or cancellation by Good Eggs at any time, with or without notice. Good Eggs may amend these Program Terms and/or the Bug Bounty Program at any time by posting a revised version on its website or this site. By continuing to participate in the Bug Bounty Program after any such changes, you accept the Program Terms as modified.

You are not eligible to participate in the Bug Bounty Program if you are: (i) a resident of, or make your Submission from, a country against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan and Syria); (ii) employed by Good Eggs or any of its affiliates; (iii) an immediate family member of a person employed by Good Eggs or any of its affiliates; or (iv) less than 18 years of age (each, a “Prohibited Participant”).

If (a) you are a Prohibited Participant; (b) you breach any of these Program Terms or any other agreements you have with Good Eggs or its affiliates; or (c) Good Eggs determines that your participation in the Bug Bounty Program could adversely impact Good Eggs, its affiliates or any of their users, employees or agents, Good Eggs, in its sole discretion, may remove you from the Bug Bounty Program and/or disqualify you from receiving any benefit of the Bug Bounty Program. In addition, Good Eggs may terminate the Bug Bounty Program at any time, without notice to you.

How to submit a bug

Please send any security issues you identify to security@goodeggs.com. We appreciate it if you could include the following information:

  • Your contact information, so we can follow up with questions;
  • A description of the issue and its nature;
  • Detailed steps that allow us to reproduce the issue (proxy logs are ideal);
  • A brief description of the security impact of the issue.

Please specify if we may publicly credit you. In case you need to send any sensitive information, please encrypt the message using this PGP key.

Submission Terms

You hereby grant to Good Eggs and its affiliates a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative works from, make, use, sell, offer for sale and import your Submissions, and any materials submitted by you in connection with your Submissions, for any purpose. You should not send us any Submission that you do not wish to license to us. In no event shall Good Eggs be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in your Submissions irrespective of their similarity to the information in the Submission.

You hereby represent and warrant (i) that all Submissions are original to you and you own all right, title and interest therein and thereto, and (ii) your participating in the Bug Bounty Program will not violate any applicable law, disrupt or compromise any data that is not your own or violate the rights of any person.

You agree that you will not at any time: (a) attempt to gain unauthorized access to another user’s account or data; (b) undertake any action or attack that could harm the reliability or integrity of our products, services or data; (c) impact others’ access to or use of our products or services in connection with your testing, including testing for vulnerabilities in repositories that you do not own; (d) use scanners or automated tools to find vulnerabilities; or (e) undertake or attempt to undertake actions such as social engineering, phishing, DoS attacks, black hat SEO techniques or spamming, physical attacks against our employees, users, affiliates or infrastructure or other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.

You hereby waive all other claims of any nature arising out of any disclosure of Submissions to Good Eggs.

Limits

  • Systems we do not control (such as links/redirects to third-party sites, or CDNs) are excluded from the scope of the bounty and permission to test.
  • You must be the first person to responsibly disclose the bug to us.
  • You must have found the vulnerability yourself.
  • You must follow responsible disclosure principles including giving us a reasonable time to address the issue before you make any information public.

Things we don’t accept as bugs

  • Best practices. We don’t accept submissions that are simply configuration/policy suggestions.
  • Output from automated tools without a proof of concept. Output that is copied from websites like ssllabs.org or from vulnerability scanners without a proof-of-concept usually contains a lot of false positives.
  • Security reports that don’t pertain to goodeggs.com. If you’re sending in a report for a domain that is not covered in the scope of our bug bounty program, we will ignore it.
  • Flaws specific to out-of-date browsers/plugins.
  • Simple, non-XSS content injection. Manipulating a URL to present a page that contains custom text does not qualify for the bug bounty program.
  • Lack of the Secure flag on non-sensitive cookies. We provide full-site TLS (enforced via HSTS) as a mechanism to defend against MITM for sensitive session cookies.
  • Lack of HTTPOnly flag on non-sensitive cookies.
  • Username enumeration through login or password reset.
  • CSRF issue submitted with a proof-of-concept containing a nonce.

Things to do

  • Only perform research on the *.goodeggs.com domain; all other domains are not in scope and testing against them may be considered an attack.
  • Don’t compromise the security or privacy of Good Eggs users, or the data on our systems.
  • Don’t destroy information or affect the availability of our services.
  • Don’t use social engineering or evaluate the physical security controls around our systems.
  • Do use test accounts.
  • Do limit the monetary transactions in that account.
  • Keep in mind that reports about fraud-related activity, account disputes, spam, and bugs with no security impact are not part of the bug bounty program. For these types of issues, please contact our customer care team.

How Much Payout Can I Expect?

You may be eligible to receive a monetary reward, or “bounty payout” if Good Eggs, in its sole discretion, determines that: (i) you are the first person to submit a particular vulnerability; (ii) the vulnerability is verifiable, replicable, and determined to be a valid security issue by Good Eggs in its sole discretion; and (iii) you are in compliance with the Program Terms and our Terms of Service.

Bounties are determined in Good Eggs’ sole discretion, but generally will be sized based on a bug’s security impact, using a formula based on the NVD CVSS v3 Calculator. Security issues that have a secondary impact that a researcher may not initially realize, or that have a larger potential risk to customers, will also tend to be rewarded better. In general, a higher-quality write-up and proof of concept will be rewarded with a higher payout. We will not disclose our formulas or calculations, and any bounty offered is non-negotiable. In no event is Good Eggs obligated to provide a payout for any Submission. All determinations as to the amount of a bounty made by Good Eggs are final.

Communication

We take our security seriously and will respond to every submission. Evaluating submissions will take time! Whenever possible we will update researchers on the state of their submissions as they travel through the process. Please don’t spam us with status update requests.

Taxes and restrictions

This program is not open to minors, individuals on sanctions lists, or individuals in countries on sanctions lists. You are responsible for any tax implications or additional restrictions depending on your country and local law. We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at our discretion. You must not violate any law.

You also must not disrupt any service or compromise anyone’s data. For example, any activity extraneous to providing us a “proof-of-concept” – dumping databases, taking screenshots of systems you don’t own, exfiltrating auth cookies, etc – may disqualify you.

Any information you receive or collect about Good Eggs, its affiliates or any of their users, employees or agents in connection with the Bug Bounty Program, including your Submissions (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information without Good Eggs’ prior written consent.