Customer Terms and Conditions
At Bugbounter, trust is our #1 value and we take the protection of our customers’ and researchers’ data very seriously.
1-You ARE safe with us!
The Bugbounter team acknowledges the needs and concerns of customers regarding security vulnerability testing. As a result, we manage your bug bounty programs over our platform responsibly by helping you to publish them effectively, monitor them 7/24 and carefully match the researcher community for the testing of your site, applications and/or devices.
Bugbounter is committed to engaging your bounty with the most reliable & skilled security researchers and white hat hackers to search for, send and verify any potential vulnerabilities that are operated through the platform over blockchain ledgers. Upon resolution of the vulnerability report, any local information will immediately be purged.
2-You NEED to provide a safe harbor!
You pledge not to initiate legal action against RESEARCHERS (vulnerability security researchers & white hat hackers) acting with good will for penetrating or attempting to penetrate your systems as published in the bounties if you adhere to this policy.
If you acknowledge that researchers follow our guidelines, neither you nor your third parties will pursue or support any legal action related to your research.
3-Researchers WILL play the game by the rules!
The following conduct is expressly prohibited while searching for vulnerabilities:
- Performing actions that may negatively affect the operations of customers or their users (e.g. Spam, Brute Force, Denial of Service…)
- Copying, saving, transferring, storing data or information that belongs to you
- Leaving a backdoor after they’ve proved a penetration
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that belongs to you (without explicit permission of the owner)
- Conducting any kind of physical or electronic attack on customers’ personnel, property or data centers
- Social engineering any customer’s service desk, employee or contractor
- Conducting vulnerability testing & attacks on out-of-scope resources
- Negotiating the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public
- Posting the vulnerability information or customer data to the Dark Web where there’s a thriving market for data and remote access
- Publicly exposing the flaw to embarrass a company, allowing other hackers to exploit the information
- Violating any laws or breaching any agreements in order to discover vulnerabilities
4-Sympathize with researchers IF they make a mistake inadvertently!
Researchers will contact us (and we will contact you) immediately if they inadvertently encounter your data. You shall not take legal action for an inadvertent mistake.
5-Please BE responsive!
We asked researchers not to impatiently share your verified vulnerability with, or publicize it to, third parties. Before any information about it is made public, you need to agree with the researchers on a reasonable time for a validated issue:
- Until it is fixed or,
- Until a timeframe after first submission (defined by Customer) or,
- Until after giving the organization X days of notice (defined by Researcher) or,
- Until a mutually agreed deadline
6-You CAN update your bounty at any time!
Once your bounty is published on our platform you may not change the reward currency. This is the only restricted parameter in your bounty definition.
All other parameters of the bounty may be updated after you suspend the bounty. During the suspension period researchers cannot view the bounty. However, any report submitted prior to your suspension will be processed until resolution under the definitions in effect at the time of submission. In order to value the work of researchers, Bugbounter reserves a duration of 24hrs for those who have done their research and are about to send a report. Thus, they are allowed to send their report within 24hrs even though the bounty is suspended.
7-You ARE committed to release the earned rewards!
Every validated report entry will be posted on a blockchain ledger. This is to protect you from making double payments and to manage the objections from researchers transparently and effectively.
- Your bounty will be published on the platform as soon as the full budget amount is transferred to our account. Your budget will be kept in a reserved account for your bounty until it is totally utilized, or you choose to suspend the bounty.
- As soon as you confirm a validated report, the earned reward will be paid to the researcher and the platform fee will be transferred to Bugbounter.
- Validator fees will be transferred to respective validators regardless of a report’s acceptance.
- If your bounty budget decreases to a reserve amount (i.e. possible rewards to be paid for the submitted reports in progress + validation fees + Bugbounter fees), then Bugbounter will send you a notification to either increase the budget or decide to end the bounty. Until you transfer an additional budget, your bounty will be held in suspend mode.
- You may, at any time, choose to end your bounty. In such a case, the budget remaining after resolution of all reports in progress will be transferred back to you.