Expert Trust & Safety Reward Program

The trust & safety of expert operations is paramount. The program empowers employees to help us identify issues and minimize system abuse.

Report now and claim a cash reward & certification. 

Abuse risk & process gaps

Cash & certification

Improve safety

Program details

Program duration

18th May 2022 to 27th May 2022.

 

Important dates

Event | Timeline
First response | 2 workdays
Initial evaluation | 5 workdays
Processing of qualified reports | 10 workdays
Final decision | By 3rd June 2022

*Workday refers to 5 working days in a week i.e. Monday to Friday

Severity | Reward
Low | INR 4000
Medium | INR 15,000
High | INR 60,000
Critical | INR 2,25,000

Payments

  • A participant who successfully finds safety issues that meet the Program rules (as outlined in the T&C), may be entitled to receive a reward from Chegg India.
  • Reward payments to experts will be remitted in your June 2022 payroll.   
  • The payment of rewards might attract tax obligations and will be paid after deduction of such taxes if any. Participants in this Program are responsible for any tax liability associated with payment of the reward under this Program.
  • Chegg India reserves the right, in its sole discretion, to prospectively modify its payment rates at any time by giving written notice. By continuing to upload reports, participants agree to be bound by the modified payment rates.

For more details, please read through the terms and conditions.

Goals of the Program

Through this Program, Chegg India aims to minimize system abuse by helping Chegg’s Expert Trust & Safety team (the “Safety Team”) identify safety issues, which are broadly classified into two categories:

  1. Abuse risk

An “abuse risk” can be defined as a product feature that can cause unexpected damage to a user or platform when leveraged in an unexpected manner. Abuse risks arise when a product doesn’t have sufficient guardrails in place to protect its features from being (mis)used in a malicious way.

For example, wrongfully being able to upload answers.

  2. Process gaps

A “process gap” can be defined as a process flaw that can cause unexpected financial loss or compliance risk when leveraged in an unexpected manner. Process gaps arise when there are disjointed systems supported by manual steps leading to (mis)use by the expert community.

For example, Q&A and TBS expert PII DB are segregated.

Participants

Invited employees that are exposed to expert touchpoints & are Indian nationals.

Timeline of the Program

This Program is effective from 18th May 2022 to 27th May 2022.

  • First response (including acknowledgment of submission of a report by a participant) will be provided in 2 workdays (Mon-Fri) by the Expert Management Team.
  • Initial qualifying evaluation shall be completed in 5 workdays (Mon-Fri) from first response by the Expert Management Team.
  • Qualified reports will be processed in 10 workdays (Mon-Fri) for presentation to the Council (described below).
  • The Council will decide the reward based on the severity and other factors of each qualified report by 3rd June 2022.

 

GENERAL TERMS:

These terms of the Program must be agreed upon by participants (“participant” or “you”).

Disclosure Policy

A participant must not disclose their findings (even resolved ones) to anyone outside the Safety Team without explicit approval from the Safety Team.

Program Rules
  • Safety issues that were previously known to Chegg India or the Safety Team are not eligible for a reward payment. The Safety Team will attempt to inform the participant of its prior knowledge of the safety issue within two (2) workdays (Mon-Fri).
  • The Program shall be run on a first-in-first-out (FIFO) basis, so the second entry of the same issue will be treated as a known issue and therefore ineligible for rewards.
  • A participant must not violate the privacy of others, disrupt our systems, destroy data, interrupt, or degrade Chegg’s services, and/or harm the user experience.
  • A participant must cease testing immediately if they gain unauthorized access to Chegg data or systems.
  • A participant must use his/her own account and not a third party’s account.
  • Social engineering (e.g., phishing, vishing, smishing) is prohibited.
  • A participant must ensure that they have specific and direct knowledge regarding the abuse/safety issue that they are reporting.
  • A participant must not violate any applicable law or regulation, including laws prohibiting unauthorized access to information.
Submitting reports
  • A participant may submit their report here: https://www.cheggindia.com/etsr-employees.
  • A participant must provide detailed reports with reproducible steps.
  • A participant must submit one abuse risk per report, unless they need to chain them to provide impact. A participant may combine reports if the same or similar root cause affects multiple endpoints, subdomains, or assets. Chegg India reserves the right to determine, in its sole discretion, that multiple reports pertain to a single safety issue and are therefore only eligible for a single payment.
  • A participant must not submit false information knowingly.
Sensitive and Personal Information
  • A participant must never attempt to access anyone else’s data or personal information including by exploiting a vulnerability. Such activity is unauthorized and will immediately disqualify any report from payment eligibility and may even result in other severe actions, such as termination of employment, and legal action.
  • If, during testing, a participant interacts with or otherwise obtains access to data or personal information of others, they must:
      • Stop testing immediately and cease any activity that involves the data or personal information or the vulnerability.
      • Alert the Safety Team immediately and support investigation and mitigation efforts.
      • Not save, copy, store, transfer, disclose, or otherwise retain the data or personal information, except to support the Safety Team’s investigation and mitigation efforts.
Requirement for Data Abuse Prevention Reports:

A report must describe:

  • the nature and scope of the Chegg data being abused;
  • proof of the abuse being reported; and
  • any information that the participant has about the reason or purpose for the abusive conduct.

A single report should include all instances of abusive conduct that relate to it.

Domains in Scope
Out-of-scope Domains
Out-of-scope Issues

When reporting safety issues please consider (1) attack scenario/exploitability, and (2) its security impact. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Unauthenticated/logout/login CSRF.
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Any activity that could lead to the disruption of our service (DoS).
Severity & Reward Council (“Council”)
One nominated team member from each of the following teams will be a member of the Council:
  • Data analytics
  • Inhouse Subject Matter Expert
  • Content Support
  • Engineering
  • Product Management
  • Expert Trust & Safety Team

The Council will decide the reward for qualified abuse risk and process gap items reported. Whether a specific report merits a reward is entirely at the Council’s discretion, based on impact, quality of the report and other factors.
Limitations
  • To be eligible for a reward, a participant must not breach any applicable laws or regulations, including laws and regulations prohibiting unauthorised access to user data.
  • If a participant is unsure about any actions or if they are considering conduct that is not addressed by this policy, they must contact the Safety Team before proceeding.
  • Violations of this policy can lead to severe actions, including termination of employment, and/or legal action.
Payments
  • A participant who successfully finds safety issues that meet the Program rules listed above and provides sufficient reports and documentation as requested by Chegg India may be entitled to receive a reward from Chegg India.
  • Chegg India reserves the right, in its sole discretion, to prospectively modify its payment rates at any time by giving written notice. By continuing to upload reports, participants agree to be bound by the modified payment rates.
  • Chegg India reserves the right to void, withhold, invalidate, or reverse in whole or in part any payment in the event of participant’s violation of these terms, suspected activity, or failure to supply required documentation that is complete and accurate.
  • Reward payments will be remitted in your June 2022 payroll pay-out.   
  • The payment of rewards might attract tax obligations and will be paid after deduction of such taxes if any. Participants in this Program are responsible for any tax liability associated with payment of the reward under this Program.
Submission License

Chegg India is not claiming any ownership rights to your submission. However, by providing any submission to Chegg India, you:

  • grant Chegg India the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your submission: (i) to use, review, assess, test, and otherwise analyse your submission; and (ii) to reproduce, modify, distribute, display, and perform publicly, and commercialize and create derivative works of your submission and all its content, in whole or in part;
  • agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
  • understand that you are not guaranteed any compensation or credit for use of your submission; and
  • represent and warrant that your submission is your own work, that you haven’t used information owned by another person or entity, and that you have the legal right to provide the submission to Chegg India.

Chegg India reserves the right to alter the terms and conditions of this Program, including modifying its timeline at any point of time at its sole discretion.

The severity of an issue is decided by the ETSR council based on impact, quality of reporting and other factors. The decision of the council shall stand final in this regard. For more details, please refer to the terms and conditions. 

No, known issues are not rewarded. In case a reported issue is a known issue, the reporter shall be notified through an email within 2 working days. 

No. You may report as many issues as you deem appropriate.