Researcher Terms and Conditions
These terms & conditions (“T&C” or “Agreement”) are set to define the contractual relations between BugBounter OÜ, Estonia (“BugBounter”) and security researchers (“Researcher”) using the www.bugbounter.com (“Platform”) and all pages, sub domains, applications and contents reachable within/through the Platform. By using the Platform, the Researcher agrees to be bound by this Agreement.
BugBounter reserves the right to make changes to the Agreement at any time. The Researcher will be notified of such changes and the new version of the Agreement will be published on the Platform during login. It is the Researcher’s responsibility to check the updates/e-mails and to stop using the Platform if he/she disagrees with the changes. Continuing to use the Platform means that the Researcher has agreed to the final release of the Agreement.
This Agreement becomes effective and executed between BugBounter and the Researcher, whenever Researcher creates his/her account on the Platform and stays effective as long as the account is not deactivated or terminated.
Platform/BugBounter: refers to the registered trademark owned by BugBounter, served over www.bugbounter.com, and all subdomains of the platform. This is a platform with the function of putting Customers’ vulnerability testing needs in contact with Researchers.
Researcher: refers to a natural person participating in a vulnerability testing program. The Researcher carries out tests on a system as part of a testing program. This person is an IT security researcher. The researcher can act on a non-professional or professional basis, individually or on behalf of a company.
Validator: refers to an expert who is capable of validating a reported vulnerability. He/she can be either among vetted and selected Researchers, or a Customer employee, or an IT vendor cybersecurity team or BugBounter staff.
Supreme Validator: refers to a cybersecurity expert who is required to resolve discrepancies/disputes between Researcher, Validator and/or Customer.
Customer: refers to a natural or legal person using the Platform to have tests carried out on their system in accordance with the vulnerability testing program defined.
T&C/Agreement: refers to the whole or partial content of this document, namely the Terms and Conditions or Agreement.
2. ABOUT THE PLATFORM
BugBounter is a platform that brings Customers and Researchers together in order for Customers to receive testing services against cyber security vulnerabilities.
The Platform provides several products / use cases; the process for each of them is explained separately below.
2.a. Bug Bounty Programs
A Customer declares some or all of their software and hardware systems to be tested. The conditions of testing, including the rewards schema, are declared by the Customer. The Customer also decides how the reported vulnerabilities will be validated. The Customer sets the monetary rewards based on four severity levels (critical, high, medium and low); the highest severity level, Critical, is set to the highest reward. Rewards can be in one of the allowed currencies. The Customer should pay the whole budget in advance to BugBounter, and BugBounter transfers approved rewards to Researchers while the Bug Bounty program is published.
2.b. Vulnerability Disclosure Programs
A Customer declares some or all of their software and hardware systems to be tested, but no pre-defined reward schema is declared. Rewards could be monetary, gifts, gift cards and/or recognition statements (such as hall of fame, leaderboard, badges, letters, social media announcements etc.). The Company decides on the minimum and maximum monetary reward.
3. REGISTRATION AND VETTING PROCESSES
Membership to the Platform is free of charge. The Researcher should create his/her own account through the registration page available on the Platform. Accepting this Agreement is a precondition for completing the registration. The Researcher must be at least 18 years old; otherwise he/she must obtain the consent of his/her parents. Username and password should not be shared and should be kept confidential by the Researcher. The Researcher is directly responsible for the misuse of his/her account by other people due to his/her own fault. Usage rights, user name and password related to membership cannot be transferred to others. The initial level of registration is an “Un-Vetted” account, but there are various vetting levels, each of which has different requirements (see www.bugbounter.com/vetting for details). The Researcher can apply for the vetting process under profile settings if he/she wants to get invited to special bounty programs.
The Researcher may remain anonymous by using a nickname until he/she is granted a Reward and wants to receive the monetary Reward. The Researcher agrees to provide information reasonably requested by BugBounter prior to sending the reward. If the Researcher refuses to provide this information to BugBounter within 180 days after BugBounter’s request, any Reward that would otherwise be paid to the Researcher will be transferred to a charity of BugBounter’s choice.
The Researcher guarantees that the information provided during the registration or vetting process or Reward transfer is accurate, truthful and up to date, and agrees to update this information whenever necessary. If the information provided is proven to be incorrect, incomplete or obsolete, BugBounter reserves the right to refuse registration and/or suspend or ban the account (subject to Termination clause of this Agreement) and/or stop the reward transfer. The Researcher is solely liable for the consequences of providing incorrect, incomplete or obsolete information and expressly acknowledges that BugBounter may only be held liable in the event of untruthful statements concerning the Researcher’s identity.
The Researcher expressly acknowledges that there is no direct relationship of dependency or subordination with BugBounter or with a Customer.
4. PROTECTION OF PERSONAL DATA
When creating an account, personal data provided by the Researcher through online forms is needed for registration and use of the Platform. This data is collected and processed by BugBounter, as data controller, in accordance with regulations applicable to personal data protection.
Within the framework of executing these T&Cs, Researchers’ personal data is processed for the purposes of:
- administration and technical and/or commercial management of the Platform;
- management of security of the Platform;
- measuring the Platform audience (non-personal website visitor statistics).
Within the framework of the execution of these T&Cs, Researchers’ personal data is kept for as long as the account is open and is deleted at the end of the period of limitation for criminal prosecution (6 years) after closure of the account.
Personal data relating to the invoicing mandate is kept for 10 years.
For business communications, the email address is kept for a maximum of 3 years from last contact with the Researcher. The Researcher may withdraw his/her consent at any time.
Personal data needed for the management of disputes is kept until all remedies have been exhausted.
Researchers’ personal data is communicated to authorized staff of BugBounter and to legal authorities where it is officially requested by the authorities for an investigation.
Subject to the Researcher’s prior and express agreement, the Researcher’s personal data (such as social media account, postal address or email address etc) may be communicated to the Customer by BugBounter in order to process the delivery of Rewards.
Researchers have the following rights:
- right of access, rectification and erasure of data directly on their account and in accordance with the terms provided for by the regulation;
- right to withdraw their consent at any time (for sending emails);
- right to restriction of processing in accordance with the terms provided for by the regulation;
- right to data portability in accordance with the terms provided for by the regulation;
- right to submit a complaint to the CNIL / RIA (https://www.ria.ee/en.html);
- right to define directives allowing access to their data in the event of death (the means of exercise of this right are currently awaiting specifications by decree).
Requests concerning these rights may be exercised by email to the following address: [email protected] specifying the object of the request (right concerned) and attaching proof of identity and/or of the appointed representative if applicable.
DPO contact details: [email protected]
5. OBLIGATIONS OF THE RESEARCHER
The Researcher should act in a responsible and lawful manner while he/she discovers and reports vulnerabilities. During this activity the following conduct is expressly prohibited:
- Performing actions that may negatively affect Customers’ or their users’ operation (e.g. Spam, Brute Force, Denial of Service…)
- Copying, saving, transferring or storing data or information that does not belong to you
- Leaving a backdoor after you have proved your penetration
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you (without explicit permission of the owner)
- Conducting any kind of physical or electronic attack on Customers’ personnel, property or data centers
- Social engineering any Customer’s service desk, employee or contractor
- Conducting vulnerability testing & attacks on out-of-scope resources
- Negotiating the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public
- Posting the vulnerability information or Customer data to the dark web, where there is a thriving market for data and remote access
- Publicly exposing the flaw to embarrass a company, allowing other researchers to exploit the information
- Violating any laws or breaching any agreements in order to discover vulnerabilities
- Encouraging illegal activities, using abusive expressions about someone else, creating unfair competition, or engaging in threatening, obscene or defamatory behavior
- Providing instructive information about illegal activities such as the production or purchase of illegal weapons, violation of someone else’s privacy, or the issuance or creation of computer viruses
Within the framework of the program, when carrying out tests, the Researcher may, if applicable, access personal data processed by the Customer.
The Researcher guarantees the security and confidentiality of the data accessed and undertakes to take all technical and organizational measures to prevent the destruction, alteration, disclosure or unauthorized access to the data accessed accidentally or unlawfully.
The Researcher undertakes not to use or process any data to which he/she may have access during Tests.
6. REWARDS, FEES AND TAXES
The rewards and fees are defined by the Customers using the Platform, and BugBounter has neither the responsibility nor the power to decide the amount and type of the reward and fee. BugBounter only guarantees the Researcher that, where a report provided by the Researcher is approved by a Validator (the Customer decides whether the Validator is the Customer itself or vetted Validators on the Platform) and, in case of objection by the Company, the Supreme Validator(s) decide that the reward is due, BugBounter will transfer this reward and any earned fees to the Researcher. To provide that guarantee, BugBounter will require Customers to deposit / block a budget, and the Platform will not allow submission of new reports unless and until the budget is sufficient to cover all reports pending validation. Packaging and logistics of any gift-type rewards are the Customer’s responsibility.
BugBounter provides alternative methods (including electronic payment gateways, fintechs and crypto currencies) for transferring those rewards to the Researcher. The Researcher may decide which payment method is used and acknowledges that some methods might have associated fees. Where there is an associated fee, BugBounter will deduct it from the transfer amount. Where the Reward currency differs from the transfer currency, the Researcher acknowledges that an exchange rate will be applied. BugBounter will make its best effort to convert as close as possible to the market rates at the time of the transfer, but some methods enforce the use of the service provider’s exchange rates.
The Researcher acknowledges that his/her income generated from his/her activity on the Platform can be subject to taxation or social security charges in accordance with criteria applicable based on BugBounter’s establishment country and/or the Researcher’s residence country. The Researcher is responsible for any such duties. Where the associated regulations oblige BugBounter to withhold a tax or social security charge, BugBounter will transfer only the remaining amount to the Researcher. In accordance with this Agreement, the Researcher expressly acknowledges that he/she is solely liable for finding out about legal, taxation and social security obligations and for subscribing to and complying with such obligations. The Researcher is required to make any declarations required by the competent tax authorities and social security organizations, in accordance with his/her status and country of residence, and BugBounter will not be liable for any violation caused by the Researcher or the Customer.
7. LIABILITIES OF THE RESEARCHER
The Researcher is responsible for all direct and indirect damages he/she causes to BugBounter or Customers. The Researcher undertakes to compensate BugBounter or Customers in the event of being ordered to pay damages and interest to BugBounter or Customers as a result of failure to comply with these stipulations or damages caused to others or itself.
Any actions outside the limitations set by the Customer’s vulnerability testing program may result in the Researcher being held liable on a civil or criminal basis.
The Researcher undertakes to keep strictly confidential any Customer information to which he/she may have access during tests, including vulnerabilities and, if applicable, personal or commercial data to which he/she may have access. Failing this, the Researcher may be held liable on a civil or criminal basis.
Furthermore, the Researcher is responsible for any divulging of vulnerabilities at the end of a vulnerability testing program for which legitimate suspicions may be raised against him/her.
Please be respectful of the applications you test. Only extract the bare minimum of data needed to prove your point. Contact us immediately if you inadvertently encounter user data. Immediately purge any local information upon resolution of your vulnerability report and receipt of your reward.
8. FORCE MAJEURE
BugBounter shall not be held liable for any delays in executing its obligations, or any failure to execute its obligations resulting from these Terms and Conditions of use, where the circumstances concerned relate to a force majeure event. In addition to those usually cited by Estonian case law, the following cases are expressly regarded as force majeure or acts of God: total or partial strike, lock-out, riot, civil disorder, insurgency, civil or foreign war, nuclear risk, embargo, confiscation or destruction by any public authority, bad weather, epidemic, pandemic, blockage of means of transportation or supply for any reason whatsoever, earthquake, fire, storm, flooding, water damage, government or legal restrictions, legal or regulatory reforms to forms of marketing, malicious vulnerability testing program not recognized by a CERT, blocking of electronic communications, including electronic communications networks, as well as any calling into question of cryptographic techniques used by BugBounter.
All cases of force majeure affecting the execution of obligations resulting from these T&Cs and in particular access or use of services by the Researcher will suspend execution of these T&Cs as soon as the event occurs.
It is expressly agreed between the Parties that the implementation of palliative means by BugBounter during the occurrence of a force majeure event may not result in BugBounter being held liable or paying compensation, without prejudice to Article 13 ”Limitation of Liability”.
9. INTELLECTUAL PROPERTY RIGHTS
The intellectual property rights of the Platform (including all accessible information, in the form of text, photos, images, sound, data, databases, including software and other underlying technology) belong to BugBounter.
The Researcher is only granted the right to use the Platform subject to the restrictions stated in this Agreement and/or published within the Platform.
The Researcher may not under any circumstances store, reproduce, represent, amend, lease, send, publish, re-publish or adapt on any medium of any kind, by any means, or use in any way, elements of the Platform without the prior written authorization of BugBounter, except for his/her rewards, recognitions, hall of fame and leaderboard entries, for his/her personal use or where publicly announced.
Each party is and shall remain owner of their distinctive signs, namely trademarks, company names and other trading names, banners and domain names. The reproduction, imitation or display, in whole or in part, of trademarks, drawings and models belonging to BugBounter is strictly prohibited without its prior written agreement.
The Researcher accepts to transfer intellectual property rights to BugBounter and/or Customer regarding the Reports submitted to the Platform. Those rights include, rights of use, rights to reproduce, rights to represent, disseminate, publish, use, rights to communicate, rights to adapt, translate, rights to amend, improve, correct or change.
BugBounter reserves the right to temporarily interrupt all or part of the service, as well as the Researcher’s account, Validator’s account, Supreme Validator’s account and/or Customer account, for reasons relating to the security of the service, the security of the Customer, the security of the Researcher, or a violation or suspected violation by the Researcher of one of his/her obligations, in particular those set out in the T&Cs.
BugBounter also reserves the right to unilaterally end the contractual relationship resulting from the T&Cs if the Researcher commits any serious and/or repeated failures to meet one of his/her obligations as stated in the T&Cs. This termination shall be in the form of a notification in accordance with Article 14. It shall be as of right, immediate and without prejudice to any damages or interest claimed by BugBounter.
11. CONFIDENTIALITY — END OF THE CONTRACT
The Researcher is required to keep confidential all information to which he/she has access or may be provided with within the framework of the Agreement. The Customer is also required to keep confidential all the information that he/she has regarding the Researcher and the Platform.
As a result, the Researcher undertakes not to disclose said information to any third parties for any reason whatsoever and regardless of any legal and/or financial ties between the Researcher and the third party.
This undertaking shall last for the entire duration of the Agreement and continue beyond the ending of the Agreement for any reason whatsoever, for the entire time that the confidential information does not fall into the public domain as a result of this information being revealed by the Customer.
After their involvement in the bug bounty program or vulnerability disclosure program, all information relating to use of the service within the framework of a vulnerability testing program, namely information of any kind including that of a personal nature as well as reports prepared by Researchers, shall be deleted in full from the Researcher’s databases and systems in accordance with legal requirements, such as in particular in accordance with the Law on Confidence in the Digital Economy and its limitation periods.
Subject to the express prior written agreement of the Customer, the Researcher may make reports public.
12. SERVICE RESPONSIBILITY, NO WARRANTY AND INDEPENDENCE OF THE RELATIONSHIP
BugBounter does not guarantee that there will be harmony between the Researcher and the Customer or that the Researcher will be capable of completing the work on time and in accordance with the Customer’s requirements.
Freedom of choice regarding the services to be received or given through the Platform over the www.bugbounter.com website belongs to the Customer and the Researcher. BugBounter has no sanction.
BugBounter does not certify or recommend the Researcher or their services, nor does it guarantee the performance, result or quality of the services provided. BugBounter may rank, grade and categorize Researchers using algorithms in the system based on criteria such as vetting level, demographics, reporting quality, noise, misuse of objections, responsiveness, abilities, member ratings and member comments, and may highlight some Researchers because they are highly capable, cooperative, liked, preferred or satisfied. However, this shall not be considered as BugBounter’s approval or guarantee.
BugBounter makes its best effort but does not give any guarantee as to the ability of the website and/or services to respond to the specific expectations or needs of all Researchers. Similarly, BugBounter makes its best effort but is not able to guarantee that no errors or other issues with bounty operation or use will occur in the course of using the website and/or services.
The accuracy of the information or statements provided by the Researcher is guaranteed by him/her, and BugBounter has no responsibility other than banning such impostors.
There is no relationship of (a) employment, (b) part-time employment, (c) consultancy, (d) subcontracting, (e) joint venture or (f) agency between Researcher and BugBounter.
13. LIMITATION OF LIABILITY
Platform is not responsible for the actions, negligence and behavior of any third party, Platform users, advertisers and / or sponsors regarding the use of the Platform or the website, as long as it is legally permitted under applicable law.
Platform is not responsible for any data loss arising from the operation of the Platform or the application of its conditions.
Platform takes reasonable precautions for protection. However, Platform does not accept liability for any consequences that may arise due to attacks on the computer network and the existing database information in this network, as a result of which user information comes into the possession of malicious users. Platform does not accept responsibility for damages that may arise due to the fact that a Customer does not reward the Researcher for the service provided.
Although BugBounter does not have any responsibility, it will make every effort to ensure the correct and complete performance of the services provided by the Researcher. However, in the event that the Researcher causes any damage to the Customer and/or third parties due to serious negligence or fault, and/or lawsuits and proceedings in this matter are directed against BugBounter, BugBounter reserves the right to take recourse and/or to deduct the fines, attorney fees, etc. from the Researcher’s rights and receivables from BugBounter.
It is the Customer’s and the Researcher’s responsibility to use the website and/or services in good faith and in compliance with the law. BugBounter acts only as an intermediary between the Customer and the Researcher: it cannot be held liable in the event of damage caused by a Customer or Researcher to another Customer or Researcher, particularly within the framework of carrying out a program and delivering incorrect or misleading information to the Customer or to the Researcher.
The Platform may contain links or references to other websites that are not under the control of the Platform. Platform is not responsible for the content of these sites or any other links they contain.
BugBounter is not responsible under any circumstances for any damages such as financial damage, commercial damage, loss of clientele, any disruption to business, loss of profits, loss of brand image or loss of a Bug Bounty program suffered by the Researcher that may result from the non-execution of these Terms & Conditions, which are deemed by express agreement to be consequential losses.
All notifications must be in writing, sent to the e-mail address given by the Researcher when registering on the Platform or made by the pop-ups published on the Platform during login.
15. SUBCONTRACTING – ASSIGNMENT
Platform reserves the right to subcontract all or some of the services covered by these T&Cs to any company of its choosing.
Platform reserves the right to assign the contract to any third party of its choice. In any case, the Platform will inform Researcher by email at the address stated at the time of registering in the event of the assignment or change of subcontracting.
16. APPLICABLE LAW
In the event of any legal dispute relating to the interpretation, formation, validity or execution of these T&Cs, BugBounter and the Researchers expressly acknowledge that only Estonian law is applicable.
In the event of a dispute relating to the interpretation, formation or execution of these T&Cs, and if no amicable agreement or settlement is reached, BugBounter and the Researchers shall grant express and exclusive competence to the competent courts of the Tallinn Appeal Court, notwithstanding multiple defendants or applications for interim measures or introduction of third parties or protective measures. If this stage is not respected, which remains the responsibility of the Researcher, BugBounter cannot be held liable in this regard.