Secret Santa Organizer Bug Bounty Terms and Conditions

Bug Bounty Program Info

Secret Santa Organizer welcomes security researchers and white hat hackers to review our Santa Claus tool. Make the world better by making sure that everyone gets their gift. Unless they’ve been naughty, of course.

We do not want to hide our mistakes, but please allow us to fix what’s broken before disclosing any vulnerabilities to the outside world. There be dragons.

What are the rules?

Play nice. Do not exploit or leverage any vulnerabilities you discover, for any reason. Demonstrating your discovery via exploitation or its impact is not required for any submissions. If you have inadvertently caused exposure, disruption, or any other damage then please contact us immediately via the form below.

Here’s a list of things NOT to do:

  • Publicly disclosing vulnerabilities
  • Copying, changing or deleting data or systems
  • Causing damage, abuse, or spamming
  • Placing malware
  • Using denial-of-service or social engineering
  • Exposing sensitive or customer data
  • Causing interruption or impediment of Secret Santa Organizer services and operation
  • Including third parties in your submissions

What do we do and what’s in it for you?

Because reviewing your submissions takes time, we can’t guarantee a prompt response. We’ll try to get back to you within five days of submission, with regular updates once the vulnerability is verified. Together with you we will decide whether, when, and how to publicly disclose the vulnerability. Santa will reward your submission with gift cards or swag.

We’ll score every submission on risk, likelihood of exploitation, and potential impact. Rewards are entirely at Secret Santa Organizer’s discretion and subject to change without notice. Secret Santa Organizer reserves the right to modify or terminate the Bug Bounty program at any time.

We will treat your submission in confidence and will use your personal data only for taking action on your submission. We will not share personal data with other companies, unless we are legally required or a court order requires us to do so. We may have to engage other companies to further investigate your submission. We will make sure these companies also keep your data confidential. And we’ll tell Santa you’ve been good.

Please don’t use vulnerability testing tools, as they can generate significant server load, traffic, or risk of disruption of any kind.

Note: the bug bounty program and its rewards are applicable only to security vulnerabilities. If you want to report a functionality bug, please open an issue on our GitHub page. When you have finished reading and accept the above policies and guidelines, please submit your bug report using the contact form.