ngrok disclosure and reward program

Last updated: March 10, 2023

Program terms

These ngrok Disclosure and Reward Program Terms and Conditions ("Terms") are between you ("you") and ngrok, Inc. ("ngrok," "us," or "we"). These Terms govern your participation in the ngrok Disclosure and Reward Program ("Program"). By performing vulnerability research, submitting any vulnerabilities to ngrok, or otherwise participating in the Program in any manner, you accept these Terms.

Program overview

The Program enables users to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to ngrok about eligible ngrok products and services for a chance to earn rewards in an amount determined by ngrok in its sole discretion ("Bounty"). The decisions made by ngrok regarding Bounty payments are final and binding. ngrok may change or cancel this Program at any time, for any reason.

Eligibility

You are not eligible to participate in the Program if you meet any of the following criteria:

  • You are a resident of any country under U.S. sanctions (see link for the current sanctions list posted by the United States Treasury Department) or any other country that does not allow participation in this type of program;
  • You are under the age of 18;
  • Your organization does not allow you to participate in these types of programs;
  • You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program; or
  • You are a current or past employee or contractor of ngrok, or an immediate family (parent, sibling, spouse, or child) or household member of an ngrok employee or contractor.

It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. ngrok disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter. There may be additional restrictions on your ability to enter depending upon your local law.

Rules of engagement

  • By engaging in security research on in-scope assets, you agree to comply with the terms of this Program;
  • You must include a working proof-of-concept in your report to be eligible for a Bounty payment;
  • Your report must be related to an in-scope asset listed in the Scope section below.
  • Do not interact with ngrok accounts that you did not create yourself;
  • Avoid harm to others' data and privacy;
  • Upon confirming the existence of a Vulnerability, stop testing immediately and report it to ngrok;
  • Do not attempt to leverage the existence of a Vulnerability to gain additional access or find additional vulnerabilities; and
  • Your research must not involve social engineering or interacting with ngrok support staff.

Submission process & coordinated vulnerability disclosure

ngrok provides a table of assets, domains, and software that are in scope for security research and a table of ineligible vulnerability types. If you believe you have identified a Vulnerability that meets the applicable requirements in these Terms, you may submit it to ngrok through the process described in the ngrok Disclosure and Rewards portal or, if none is provided, in accordance with the following process. Each Vulnerability submitted to ngrok shall be a "Submission." Submissions must be sent to security@ngrok.com or through the ngrok Disclosure and Rewards portal. Include as much of the following information as possible with the Submission:

  • Type of issue;
  • Service packs, security updates, or other updates for the ngrok product you have installed;
  • Any special configuration required to reproduce the issue;
  • Step-by-step instructions on how to reproduce the issue;
  • Proof-of-concept or exploit code;
  • Impact of the issue, including how an attacker could exploit the issue.

Depending on the detail of your Submission, ngrok may award a Bounty payment of varying scale. Well-written reports and functional exploits are more likely to result in Bounty payments. Those Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Bounty payments. ngrok is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify ngrok at security@ngrok.com to ensure your Submission was received. There are no restrictions on the number of qualified Submissions you can provide.

Submission license

As a condition of participation in the Program, you hereby grant to ngrok, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to ngrok in connection with a Submission, for any purpose. You should not send us any Submission that you do not wish to license to us. You hereby represent and warrant that the Submission is original to you and you own all right, title and interest in and to the Submission. Further, you hereby waive all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to ngrok. In no event will ngrok be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Submission. You agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above. You understand and acknowledge that ngrok may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission.  You understand that you are not guaranteed any compensation or credit for use of your Submission. You represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to ngrok.

Confidentiality of submissions / Restrictions on disclosure

Protecting customers is ngrok's highest priority. We endeavor to address each Vulnerability report in a timely manner. By participating in the Program, you agree not to publicly or privately disclose the contents of your Submission, your findings, your communications with ngrok related to your participation in the Program, or any facts you have learned about ngrok in the course of your participation in the Program to any third party without ngrok's prior written approval.

We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for thirty (30) days after the Vulnerability is fixed. ngrok will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTY PAYMENTS FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

Submission review process

After a Submission is sent to ngrok in accordance with these Terms, ngrok engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.

ngrok retains sole discretion in determining which Submissions are qualified. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to ngrok, we may award a differential to the person submitting the duplicate report. If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Bounty. If you submit the functioning exploit within ninety (90) days of submitting the Vulnerability, we may, in our discretion, provide an additional Bounty payment (but are not obligated to do so).

Unsolicited ideas

Other than your Submission, ngrok does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to ngrok through the Program or otherwise, you hereby grant to ngrok, its subsidiaries, affiliates and customers a perpetual, irrevocable, worldwide, royalty-free, transferrable, sublicensable (through multiple tiers) and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission, as well as any materials submitted to ngrok in connection with a Submission, for any purpose. ngrok makes no assurances that your ideas will be treated as confidential or proprietary.

Bounty payments

ngrok provides a table of severities, payout ranges, and examples of vulnerability types in each payout range. Severity and rewards will be determined based on impact and attack complexity. Reward eligibility and amount are considered on a case-by-case basis and determined solely by ngrok.

You may be eligible to receive a Bounty if you are the first person to submit a Vulnerability, that Vulnerability is determined to be a valid security issue by ngrok, and you have complied with all of these Terms.

All Bounty payments will be made in United States dollars (USD). You will be responsible for any tax implications related to Bounty payments you receive, as determined by the laws of your jurisdiction of residence or citizenship.

If we have determined that your Submission is eligible for a Bounty, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.

If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.

Before receiving a Bounty, you are required to complete and submit an Internal Revenue Service or equivalent tax form (e.g., Form W-9, W-8BEN, 8233) within 30 calendar days of notification of validation. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation.

If your Submission qualifies for a Bounty payment, please note:

  • you may not designate someone else as the Bounty payment recipient unless you are considered a minor in your place of residence;
  • if you are unable or unwilling to accept your Bounty payment, we reserve the right to rescind it; and
  • if you accept a Bounty payment, you will be solely responsible for all applicable taxes related to accepting the payment(s).

NOTE: For public sector employees (government and education), all Bounty payments must be awarded directly to your public sector organization and subject to receipt of a gift letter signed by the organization's ethics officer, attorney, or designated executive/officer responsible for the organization’s gifts/ethics policy. ngrok seeks to ensure that by offering Bounty payments under this Program, it does not create any violation of the letter or spirit of a participant’s applicable gifts and ethics rules.

Public recognition

ngrok may publicly recognize individuals who have been awarded Bounty payments. ngrok at its discretion may recognize you on web properties or other printed materials unless you explicitly ask us not to include your name.

Privacy policy

These Terms incorporate ngrok’s Privacy Policy, which is currently located at https://ngrok.com/privacy (“Privacy Policy”).

Code of conduct

By participating in the Program, you will follow these rules:

  • Do not do anything illegal.
  • Do not engage in any activity that exploits, harms, or threatens to harm children.
  • Do not send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Do not share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
  • Do not engage in activity that is false or misleading.
  • Do not engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
  • Do not infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
  • Do not help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.

Disclaimer of warranties

NGROK, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.

Indemnification

You agree to defend, hold harmless and indemnify ngrok, and its affiliates, officers, agents, and employees from and against any third party claim arising from or in any way related to your participation in the Program, breach of these Terms, or violation of applicable laws, rules or regulations, including any liability or expense arising from any claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys' fees, of every kind and nature.

Limitation of liability

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover from ngrok or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to one hundred dollars ($100). You cannot recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or failures of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.

Termination

In the event you breach any of these Terms or the terms and conditions of any other agreement with ngrok, or if ngrok determines, in its sole discretion, that your continued participation in the Program could adversely impact ngrok, ngrok may immediately terminate your participation in the Program and disqualify you from receiving any Bounty payments.

Governing law, jurisdiction, and venue

These Terms shall be governed by and construed in accordance with the laws of the State of California, without reference to its choice of law rules. Any action or proceeding arising out of this Agreement shall be brought only in a competent state or federal court located in Santa Clara County, California. Both parties hereby consent to the jurisdiction of, and venue in, such courts and waive any objection thereto.

Miscellaneous

ngrok and you are independent contractors and are not legal partners or agents. These Terms are the entire agreement between you and ngrok for your participation in the Program. The failure of ngrok to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. You shall not assign or otherwise transfer any of your rights or obligations hereunder, and any such attempt is void. We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you do not agree to the new Terms, you must not participate in the Program. If you wish to opt out of the Program and not be considered for Bounty payments, contact us at security@ngrok.com. Opting out will not affect any licenses granted to ngrok in any Submissions provided by you. These Terms (including any policies, guidelines or amendments that are referenced in these Terms or that may be presented to you from time to time) constitute the entire agreement between you and ngrok regarding the subject matter of these Terms, superseding any prior agreements between you and ngrok regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court holds that we cannot enforce a part of these Terms as written, we may replace those Terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms will not change. You agree that ngrok may provide you with notices, including those regarding changes to the Terms, by email, regular mail, or postings on the ngrok Disclosure and Rewards portal. You agree to provide ngrok with your current email and regular mail address at all times.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.


Rewards

These are hypothetical examples; all rewards will be considered on a case-by-case basis. See Bounty Payments for more information.

Example severity, example reward, and example vulnerability types:

  • Critical: $2,000 - $4,000
    Account takeover, Tunnel authorization bypass, RCE
  • High: $500 - $1,200
    Limited cross-account access, SSRF, disclosure of secrets
  • Medium: $200 - $400
    XSS, CSRF, Limited information disclosure
  • Low: $75 - $150
    XSS without CSP bypass


Scope

You must limit your testing to in-scope assets. If you are aware of an asset that is not listed here, you can email security@ngrok.com and ask if it should be added to the scope.

In-scope assets

  • ngrok.com: ngrok website
  • dashboard.ngrok.com: ngrok application
  • corp.ngrok.com, *.corp.ngrok.com: internal ngrok applications
  • *.ngrok.io, *.ngrok-free.app, *.ngrok-free.dev, *.ngrok.app, *.ngrok.dev: ngrok tunnels.
    Note: only access your own tunnels during testing.
  • ngrok-rs, ngrok-go, ...: ngrok client SDKs
  • ngrok binary: ngrok agent binary


Out-of-scope assets

  • trust.ngrok.com: Operated by safebase.io
  • status.ngrok.com: Powered by Atlassian Statuspage


DON'T report

  • Reports without a working proof-of-concept
  • Social engineering
  • Unconfirmed output from automated scanners

DO report

  • High impact vulnerabilities
  • Vulnerabilities with working proof-of-concepts
