Updated 14 Nov, 2019
Groove appreciates the effort of software security researchers who work to make the Internet more secure. Our security vulnerability bounty system exists to reward the work of security researchers who find issues with our software and web services.
If you have questions about our bug bounty program or are unable to properly access/test an in-scope asset, please email firstname.lastname@example.org.
- Do not publicly disclose the bug until Groove has confirmed the bug is fixed.
- Do not subject our website or web services to DoS, DDoS, scraping, brute force, or other types of automated attack.
- Do not spam our contact form or support inboxes.
- Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behavior against our web services or website.
- Do not attempt to gain access to another user's account or data - please use test accounts.
Eligibility for a bounty
To qualify for a bounty:
- You must be the first reporter of the vulnerability and it must not be a duplicate or known issue
- Your report must be within scope and not on our list of ineligible reports and known issues
- You must not be a minor
- You must not be a resident of or be located in a country on any U.S. sanctions lists
Public disclosure of the issue before its resolution will result in disqualification from the Groove program. Evidence of abuse or accessing another user's data or account without their permission will also result in disqualification from the program.
All bug reports should include the following information to be considered for a bounty. Reports missing the information below will be marked as "Needs More Information," resulting in a minor loss of reputation points.
- Vulnerable URL(s) and any affected parameters
- Your browser and operating system
- Detailed, step-by-step explanation of how to replicate the issue
Screenshots or videos of the vulnerability are highly encouraged and will result in quicker triaging of the issue and possibly a higher bounty at Groove's discretion.
Here is an incomplete list of reports we are interested in:
- Cross-site scripting (XSS)
- Directory traversal
- Privilege escalation
- Server-side remote code execution or command injection
- SQL or NoSQL injection
- Access control bypass
- Presence or disclosure of secret access tokens
Ineligible reports or known issues
The following reports are ineligible to receive bounties or reputation points. Any submitted reports related to them will be closed as N/A.
- Social engineering of Groove staff, contractors, or customers
- Reports from automated tools or scans
- Issues related to software or protocols not under Groove's control
- Denial of Service attacks, including mass requests against password reset, login, account creation, or other endpoints. We have monitoring and mitigation against brute force attacks which we believe are adequate. Please do not conduct brute force attacks.
- Presence of autocomplete on form fields, including username and password fields
- SPF, DKIM, or DMARC settings
- Password and account recovery policies, including password reset emails and password reset links
- Reports noting the lack of or suggesting the institution of a password policy, including account lockout settings
- Email spoofing
- DNSSEC settings
- Presence of public (
- Username enumeration, including an oracle that discloses whether a given username or email address is associated with an account
- Reports of CSRF or reports of a lack of CSRF tokens on www.groovehq.com, unless accompanied by a detailed proof of concept exploit. We have alternative CSRF mitigation in place.
- Missing HTTP security headers, unless accompanied by a detailed proof of concept exploit that leverages their absence
- Existence of access-controlled administrative pages
- Reports related to the SSL/TLS certificate for www.groovehq.com
- Open redirects
- Use of a known-vulnerable library (without evidence of exploitability)
- Vulnerabilities only affecting older browsers
- HSTS or CSP headers
- Content spoofing or HTML injection, unless accompanied by a proof of concept that demonstrates a security risk beyond injecting plain text
- Reports of insecure SSL/TLS ciphers or weak signature algorithms, unless accompanied by a working proof of concept of an exploit
Ineligible for monetary bounty, but appreciated
The following reports are ineligible for a cash bounty due to their low severity. If accompanied by a detailed proof of concept of an exploit leveraging their existence, they may be eligible for a cash bounty at Groove's discretion.