Vulnerability Disclosure Program

Version 14th November, 2019

Groove appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.

If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset please emailsecurity@groovehq.com

Rules

  • Do not publicly disclose the bug until Groove has confirmed the bug is fixed.
  • Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other type of automated attack.
  • Do not spam our contact form or support inboxes.
  • Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
  • Do not attempt to gain access to another user's account or data - please use test accounts.

Eligibility for a bounty

To qualify for a bounty:

  • You must be the first reporter of the vulnerability and it must not be a duplicate or known issue
  • Your report must be within scope and not on our list of ineligible reports and known issues
  • You must not be a minor
  • You must not be a resident of or be located in a country on any U.S. sanctions lists

Public disclosure of the issue before its resolution will result in disqualification from the Groove program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.

Reporting

All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.

  • Vulnerable URL(s) and any affected parameters
  • Your browser and operating system
  • Detailed, step-by-step explanation of how to replicate the issue

Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triaging of the issue and possibly a higher bounty at Groove's discretion.

Scope

  • www.groovehq.com
  • api.groovehq.com
  • *.groovehq.com

Eligible reports

Here is an incomplete list of reports we are interested in:

  • Cross-site scripting (XSS)
  • Directory traversal
  • Privilege escalation
  • Server-side remote code execution or command injection
  • SQL or NoSQL injection
  • Access control bypass
  • Presence or disclosure of secret access tokens

Ineligible reports or known issues

The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.

  • Social engineering of Groove staff, contractors, or customers
  • Reports from automated tools or scans
  • Issues related to software or protocols not under Groove's control
  • Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. We have monitoring and mitigation against brute force attacks which we believe are adequate. Please do not conduct brute force attacks.
  • HTML or CSS injection in editor features - this is by design so that our users can have rich, styled content. We sanitize JavaScript and arbitrary code usingsanitize-html. We are interested in reports about the execution of JavaScript though!
  • Presence of autocomplete on form fields, including username and password fields
  • SPF, DKIM, or DMARC settings
  • Password and account recovery policies, including password reset emails and password reset links
  • Reports noting the lack of or suggesting the institution of a password policy, including account lockout settings
  • Email spoofing
  • DNSSEC settings
  • Presence of public (pk.*) access tokens in web pages or URLs - due to their use in client-side JavaScript these are public by design.
  • Username enumeration, including an oracle that discloses whether a given username or email address is associated an account
  • Reports of CSRF or reports of a lack of CSRF tokens onwww.groovehq.com, unless accompanied by a detailed proof of concept exploit. We have alternative CSRF mitigation in place.
  • Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence
  • Existence of access-controlled administrative pages
  • Reports related to the SSL/TLS certificate forwww.groovehq.com
  • Open redirects
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Vulnerabilities only affecting older browsers.
  • HSTS or CSP headers
  • Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
  • Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit

Ineligible for monetary bounty, but appreciated

The following reports are ineligible for a cash bounty due to their low severity. if accompanied by a detailed proof of concept of an exploit leveraging their existence they may be eligible for a cash bounty at Groove's discretion.

  • Mixed content
  • Self-XSS