Spokeo Bug Bounty Program
Our Information Security team works hard to help keep user information secure. If you believe you have found a security vulnerability on Spokeo or a Spokeo-owned website, we encourage you to let us know right away via email at security@spokeo.com. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, please review this page for reporting guidelines.
Sections
Program Terms
Please note that your participation in the Bug Bounty Program is voluntary and subject to the terms and conditions set forth on this page (“Program Terms”). By submitting a site vulnerability to Spokeo, Inc. (“Spokeo”) you acknowledge that you have read and agreed to these Program Terms.
These Program Terms supplement the terms of the Spokeo Terms and Conditions (www.spokeo.com/terms-of-use-consumer), the Spokeo Privacy Policy (www.spokeo.com/privacy-policy), all other policies referenced in the Spokeo Terms and Conditions, and any other agreement in which you have entered with Spokeo (collectively “Spokeo Agreements”). The terms of those Spokeo Agreements will apply to your use of, and participation in, the Bug Bounty Program as if fully set forth herein. If there is any inconsistency exists between the terms of the Spokeo Agreements and these Program Terms, these Program Terms will control, but only with regard to the Bug Bounty Program.
Responsible Disclosure Policy
To encourage responsible disclosures, if Spokeo determines that a disclosure complies with all the guidelines of these Program Terms and the Spokeo Agreements, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.
We ask that:
- You do not access, expose, modify, or destroy user data that does not belong to you
- You avoid scanning techniques that may cause degradation of services to our users
- You give us reasonable time to investigate an issue you report before making public any information about the report
- You do not violate any other applicable laws or regulations
Eligibility Requirements
To be eligible for the Bug Bounty Program, you must not:
- Be in violation of any national, state, or local law or regulation
- Be employed by Spokeo, Inc
- Be an immediate family member of a person employed by Spokeo
- Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program
- Be from a country sanctioned by any agency of the United States
Bug Submission Requirements and Guidelines
In researching vulnerabilities on Spokeo’s sites, you may not engage in testing that:
- Results in a degradation of Spokeo resources
- Results in you, or any third party, accessing, exposing, modifying, or destroying Spokeo or customer data
- May impact Spokeo customers, such as denial of service, social engineering or spam\f
Please be sure to review the Eligible Domains Policy section below to ensure that you do not test on a site that does not belong to Spokeo. In addition, please review the Out-of-Scope Vulnerabilities section so that you are aware of the types of vulnerabilities that are not eligible for a Bug Bounty payment.
You may not publicly disclose your findings or the contents of your Submission in any way without Spokeo’s prior written approval.
Failure to follow these guidelines will result in immediate ineligibility for receiving any Bug Bounty payments.
For all submissions, please include:
- A description of the vulnerability
- All steps required to reproduce the exploit of the vulnerability, which may include a step-by-step video
- Provide all:
- URL(s) affected in the submission
- IPs that were used while testing
- Any files that you attempted to upload, if applicable
- Provide the complete PoC code for the exploit, if applicable
Failure to include any of the above items may delay or jeopardize the bounty payment.
All Submissions should be in English.
Spokeo does not accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan.
Ownership of Submissions
As between Spokeo and you, as a condition of participation in the Spokeo Bug Bounty Program, you hereby grant Spokeo, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to Spokeo in connection therewith, for any purpose. You should not send us any Submission that you do not wish to license to us.
You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to Spokeo. In no event shall Spokeo be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission.
Eligible Domains Policy
The following domains are included for Spokeo and Spokeo-related websites:
- Spokeo and all subdomains (*.spokeo.com)
- Not including community.spokeo.com and spokeo.com/compass
- Free People Directory (*.freepeopledirectory.com)
- Spokeo Affiliates (*.spokeoaffiliates.com)
Out-of-Scope Vulnerabilities
Certain vulnerabilities are considered out-of-scope for the Bug Bounty Program. Those out-of-scope vulnerabilities include, but are not limited to:
- Vulnerabilities dependent upon social engineering techniques
- Vulnerabilities dependent upon web browser add-ons
- Vulnerabilities dependent upon outdated browsers
- Security bugs in third-party websites that integrate with Spokeo
- Denial of service (DoS)
- Rate-limiting/Lack of Captcha based vulnerabilities
- Host Header
- Self-XSS
- Login/logout CSRF
- Content spoofing without embedded links/HTML
- Infrastructure vulnerabilities, including:
- Certificates/TLS/SSL related issues
- DNS issues
- Server configuration issues
- Information disclosure of public or information that does not present risk to Spokeo or or Spokeo customers (i.e. web server type disclosure)
- Attacks involving brute force enumeration
- Email spoofing of any of the Spokeo owned domains
- “Best practice” or other non-exploitable issues.
- Server configuration issues that are not directly exploitable, unless the misconfiguration can be chained with other otherwise non-exploitable issues to become exploitable.
Bounty Payments
You may be eligible to receive a monetary reward, or “bounty,” if:
- You are the first person to submit a site vulnerability;
- The vulnerability is determined to be a valid security issue by our Information Security team; and
- You have complied with all Program Terms
If two or more participants happen to find the same bug, the bounty will be paid only to the one whose Submission came in first.
Bug Bounty payments are entirely at Spokeo’s discretion. In no event shall Spokeo be obligated to pay you a bounty for any Submission. The format and timing of all bounty payments shall be determined in Spokeo’s sole discretion.
All bounty payments will be made in United States dollars (USD). Spokeo will determine all bounty payout based on the risk and impact of the vulnerability. The minimum bounty amount for a validated bug submission is $50 USD and the maximum bounty for a validated bug submission is $5,000 USD. Payout amounts are based on the classification and sensitivity of the data impacted, ease of exploit, and overall risk to Spokeo customers or the Spokeo brand. The vulnerability must also be determined to be a valid security issue by Spokeo’s Information Security Team.
Please note for United States domestic payments, we only send payments through Domestic ACH at a US bank, PayPal, or by check. For international payments, we only send payments through PayPal. In addition, it is your responsibility to pay any taxes or any other applicable fees, which may include foreign exchange fees and transaction fees.
The Spokeo Information Security Team retains the right to determine if the bug submitted to the Bug Bounty Program is eligible. All determinations as to the amount of a bounty made by the Information Security Team are final.
Termination
In the event you breach any of these Program Terms or the Spokeo Agreements, Spokeo may immediately terminate your participation in the Bug Bounty Program and disqualify you from receiving any bounty payments.
Confidentiality
Any information you receive or collect about Spokeo or any Spokeo user through the Bug Bounty Program (“Confidential Information”) must be kept confidential and only used in connection with the Bug Bounty Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding your Submission and information you obtain when researching the Spokeo sites, without Spokeo’s prior written consent.
Indemnification
In addition to any indemnification obligations you may have under the Spokeo Agreements, you agree to defend, indemnify and hold Spokeo, its subsidiaries, affiliates and the officers, directors, agents, joint ventures, employees and suppliers of Spokeo, its subsidiaries, or our affiliates, harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising out of your Submissions, your breach of these Program Terms or the Spokeo Agreements, and/or your improper use of the Bug Bounty Program.
Changes to Program Terms
The Bug Bounty Program, including its policies, is subject to change or cancellation by Spokeo at any time, without notice. As such, Spokeo may amend these Program Terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the Bug Bounty Program after Spokeo posts any such changes, you accept the Program Terms, as modified.