Responsible Disclosure Program.
Carrot is committed to maintaining the security of our systems and our customers’ information. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Carrot.
If you believe you have identified a potential security vulnerability, please share it with us by following the submission guidelines below. Thank you in advance for your submission; we appreciate researchers assisting us in our security efforts. Bug bounties will be considered in proportion to the severity of the reported security bug, but we ask that submitters not request compensation in their report submissions.
1. Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
Do not engage in any activity that can potentially or actually cause harm to Carrot, our customers, or our employees.
Do not engage in any activity that can potentially or actually stop or degrade Carrot services or assets.
Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
Do not store, share, compromise or destroy Carrot or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Carrot. This step protects any potentially vulnerable data, and you.
Provide Carrot reasonable time to fix any reported issue before such information is shared with a third party or disclosed publicly.
If you responsibly submit your findings to Carrot in accordance with these guidelines, Carrot agrees not to pursue legal action against you. Carrot reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, Carrot commits to provide prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
2. Submission Instructions
When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).
Please email us at dev@playcarrot.com