TERMS AND CONDITIONS
These terms & conditions (“T&C” or “Agreement”) are set to define the contractual relations between BugBounter (BugBounter OÜ, Estonia) and the customer (“Customer”) using the www.bugbounter.com (“Platform”) and all pages, subdomains, applications and contents reachable within/through the Platform. By using the Platform, the Customer agrees to be bound by this Agreement.
BugBounter reserves the right to make changes to the Agreement at any time. The Customer will be notified of such a change, and the new version of the Agreement will be published on the Platform during login. It is the Customer’s responsibility to check the updates/e-mails and to stop using the Platform if the Customer disagrees with the changes. Continuing to use the Platform means that the Customer has agreed to the final release of the Agreement.
This Agreement becomes effective and executed between BugBounter and the Customer, whenever Customer creates his/her/its account on the Platform and stays effective as long as the account is not deactivated or terminated.
Platform/BugBounter: refers to the registered trademark owned by BugBounter, served over www.bugbounter.com, where xxx represents all the subdomains of the platform. This is a platform with the function of putting Customers’ vulnerability testing needs in contact with Researchers.
Researcher: refers to a natural person participating in a vulnerability testing program. The Researcher carries out tests on a system as part of a testing program. This person is an IT security researcher. The researcher can act on a non-professional or professional basis, individually or on behalf of a company.
Validator: refers to an expert who is capable of validating a reported vulnerability. He/she can be either among vetted and selected Researchers, or a Customer employee, or an IT vendor cybersecurity team or BugBounter staff.
Supreme Validator: refers to a cybersecurity expert who is required to resolve discrepancies/disputes between Researcher, Validator and/or Customer.
Customer: refers to a natural or legal person using the Platform to have tests carried out on their system in accordance with the vulnerability testing program defined.
T&C/Agreement: refers to the whole or partial content of this document, namely the Terms and Conditions or Agreement.
2. ABOUT THE PLATFORM
BugBounter is a platform that brings Customers and Researchers together in order for Customers to receive testing services against cyber security vulnerabilities.
Platform provides several products / use cases where the process is explained below for each of them separately.
2.a. Bug Bounty Programs
A Customer declares some or all of their software and hardware systems to be tested. The conditions of testing, including the reward schema, are declared by the Customer. The Customer also decides how the reported vulnerabilities will be validated. The Customer sets the monetary rewards based on four severity levels (critical, high, medium and low). The highest severity level, Critical, is set to the highest reward. Rewards can be in one of the allowed currencies, and the Customer should pay the whole budget in advance to BugBounter; BugBounter transfers approved rewards to Researchers while the Bug Bounty program is published.
2.b. Vulnerability Disclosure Programs
A Customer declares some or all of their software and hardware systems to be tested, but no pre-defined reward schema is declared. Rewards could be monetary, gifts, gift cards and/or recognition statements (such as hall of fame, leaderboard, badges, letters, social media announcements, etc.). The Company decides on the minimum and maximum monetary reward.
3. REGISTRATION PROCESSES
Membership of the Platform is free of charge. The Customer should create his/her/its own account through the registration page available on the Platform. Accepting this Agreement is a precondition for completing the registration. The Customer (in the case of a natural person) should be at least 18 years old; otherwise he/she should obtain the consent of his/her parents. The username and password should not be shared and should be kept confidential by the Customer. The Customer is directly responsible for the misuse of his/her/its account by other people due to his/her own fault. Usage rights, username and password related to membership cannot be transferred to others.
Once the registration process is completed, the registering user has the privilege to assign other company users with admin and/or validation and/or monitoring rights.
The Customer guarantees that the information provided during the registration is accurate, truthful and up to date, and agrees to update this information whenever necessary. If the information provided is proven to be incorrect, incomplete or obsolete, BugBounter reserves the right to refuse registration and/or suspend or ban the account (subject to the Termination clause of this Agreement) and/or prevent the Customer from receiving the report.
4. PROTECTION OF PERSONAL/COMMERCIAL DATA
When creating an account, personal/commercial data provided by the Customer through online forms is needed for registration and use of the Platform. This data is collected and processed by BugBounter, as data controller, in accordance with regulations applicable to personal data protection.
Within the framework of executing these T&Cs, Customer’s personal data (if any) is processed for the purposes of:
Within the framework of the execution of these T&Cs, Customer’s personal data (if any) is kept for the entire duration of account opening and is deleted at the end of the period of limitation for criminal prosecution (6 years) after closure of the account.
Personal/commercial data relating to the invoicing mandate is kept for 10 years.
For business communications, the email address is kept for a maximum of three years from last contact with the Customer. The Customer may withdraw his/her consent at any time.
Personal data needed for the management of disputes is kept until all remedies have been exhausted.
Customers’ personal or commercial data is communicated to authorized staff of BugBounter and to legal authorities where it is officially requested by the authorities for an investigation.
Customers have the following rights:
right of access, rectification and erasure of data directly on their account and in accordance with the terms provided for by the regulation;
Requests concerning these rights may be exercised by email to the following address: privacy@BugBounter.com specifying the object of the request (right concerned) and attaching proof of identity and/or of the appointed representative if applicable.
DPO contact details: privacy@BugBounter.com
5. OBLIGATIONS OF THE CUSTOMER
The Platform does not endorse any Researcher. Platform is not responsible for any damage or harm resulting from a Customer’s communications or interactions with Researcher or other customers, either through the services or otherwise. Any reputation ranking or description of any Researcher as part of the services is not intended by the Platform as an endorsement of any type.
Any use or reliance of Researcher submissions that Customer receives is at Customer’s own risk. The Platform does not endorse, represent, or guarantee the completeness, truthfulness, accuracy, or reliability of any Researcher Submission unless validated by the registered platform validators. The Platform will not be liable for any errors or omissions in any Researcher submission, or any loss or damage of any kind, incurred as a result of the use of any Researcher submission.
Researchers are not employees, contractors, or agents of the Platform, but are independent third parties who want to participate in programs and connect with Customers’ vulnerability testing programs through the Platform. Unless otherwise expressly agreed to in writing by the Platform, the Customer agrees that any legal remedy that the Customer seeks to obtain for actions or omissions of a Researcher regarding the Customer’s program or Researcher’s submissions will be limited to a claim against the particular Researcher. Any contract or other interaction between a Customer and a Researcher, will be between the Customer and the Researcher. The Platform is not a party to such contracts and disclaims all liability arising from or related to such contracts.
6. REWARDS, FEES AND TAXES
The rewards and fees are defined by the Customers using the Platform, and BugBounter has neither the responsibility nor the power to decide the amount and type of the reward and fee. BugBounter only guarantees to the Researcher and the Validator, for the Bounty, that if a Report provided by the Researcher is approved by a Validator (the Customer decides the type of Validator, either the Customer itself or vetted Validators on the Platform) and, in case of objection by the Company, the Supreme Validator(s) decide that the Reward is due, BugBounter will transfer this reward to the Researcher and the validation fee to the Validator. To achieve that guarantee, BugBounter will require Customers to deposit / block a budget, and the Platform will not allow submission of new reports unless and until the budget is enough to cover all reports pending validation.
Packaging and logistics of any gift type rewards are under Customer’s responsibility.
The Platform service fee is 20% of the monetary equivalent of the rewards. Once a reward is transferred to the Researcher, the Platform service fee is transferred to the BugBounter account.
BugBounter may provide additional services in return for various monthly subscription fees. Subscription to any Platform service is at the Customer’s request.
In accordance with this Agreement, the Researcher and the Customer expressly acknowledge that they are solely liable for finding out about legal, taxation and social security obligations and for subscribing to and complying with such obligations. The Researcher and the Customer are required to make any declarations required by the competent tax authorities and social security organizations, in accordance with their status and country of residence, and BugBounter will not be liable for any violation caused by the Researcher or the Customer.
Platform is obliged to issue an invoice for the amount of total budget and Customer is obliged to transfer the full budget amount so that the Bounty Program would be published on Platform. If Customer claims to end the program before the budget is totally spent, then Platform is obliged to transfer the remaining budget to the Customer after receiving a return invoice.
7. FORCE MAJEURE
BugBounter shall not be held liable for any delays in executing his/her obligations or any failure to execute his/her obligations resulting from these Terms and Conditions of use where the circumstances concerned relate to a force majeure event. In addition to those usually cited by Estonian case law, the following cases are expressly regarded as force majeure or acts of God: Total or partial strike, lock-out, riot, civil disorder, insurgency, civil or foreign war, nuclear risk, embargo, confiscation or destruction by any public authority, bad weather, epidemic, pandemic, blockage of means of transportation or supply for any reason whatsoever, earthquake, fire, storm, flooding, water damage, government or legal restrictions, legal or regulatory reforms to forms of marketing, malicious vulnerability testing program not recognized by a CERT, blocking of electronic communications, including electronic communications networks, as well as any calling into question of cryptographic techniques used by BugBounter.
All cases of force majeure affecting the execution of obligations resulting from these T&Cs and in particular access or use of services by the Customer will suspend execution of these T&Cs as soon as the event occurs.
It is expressly agreed between the Parties that the implementation of palliative means by BugBounter during the occurrence of a force majeure event may not result in BugBounter being held liable or paying compensation, without prejudice to Article 12 “Limitation of Liability”.
8. INTELLECTUAL PROPERTY RIGHTS
The intellectual property rights of the Platform (including all accessible information, in the form of text, photos, images, sound, data, databases, including software and other underlying technology) belong to BugBounter.
The Customer is only granted the right to use the Platform subject to the restrictions stated in this Agreement and/or published within the Platform.
The Customer may not under any circumstances store, reproduce, represent, amend, lease, send, publish, re-publish or adapt on any medium of any kind, by any means, or use in any way, elements of the Platform without the prior written authorization of BugBounter, except his/her rewards, recognitions, hall of fame, leaderboard subject to either his/her personal use or publicly announced.
Each is and shall remain owner of their distinctive signs, namely trademarks, company names and other, trading names, banners and domain names. The reproduction, imitation or display, in whole or in part, of trademarks, drawings and models belonging to BugBounter is strictly prohibited without its prior written agreement.
BugBounter reserves the right to interrupt temporarily all or part of the service as well as the Researcher's account, Validator’s account, Supreme Validator’s account and/or Customer Account for reasons relating to the security of the service, the security of the Customer, the security of the Researcher or a violation or suspected violation by the Researcher of one of his/her obligations, in particular those set out in the T&Cs.
BugBounter also reserves the right to unilaterally end the contractual relationship resulting from the T&Cs if the Customer commits any serious and/or repeated failure to meet one of his/her/its obligations as stated in the T&Cs. This termination shall be in the form of a notification in accordance with Article 13. It shall be as of right, immediate and without prejudice to any damages or interest claimed by BugBounter.
10. CONFIDENTIALITY -- END OF THE CONTRACT
The Customer is required to keep confidential all the information that he/she/it has regarding the Researcher and the Platform.
This undertaking shall last for the entire duration of the Contract and continue beyond the ending of the Contract.
After their involvement in the bug bounty program or vulnerability disclosure program, all information relating to use of the service within the framework of a vulnerability testing program, namely information of any kind including that of a personal nature as well as reports prepared by Researchers, shall be deleted in full from the Researcher's databases and systems in accordance with legal requirements, such as in particular in accordance with the Law on Confidence in the Digital Economy and its limitation periods.
Subject to the express prior written agreement of the Customer, the Researcher may make reports public.
11. SERVICE RESPONSIBILITY, NO WARRANTY AND INDEPENDENCE OF THE RELATIONSHIP
BugBounter does not guarantee that there will be harmony between the Researcher and the Customer or that the Researcher will be capable of completing the work on time and in accordance with the Customer’s requirements.
Freedom of choice regarding the services to be received or given through the Platform over the www.bugbounter.com website belongs to the Customer and the Researcher.
BugBounter does not certify or recommend the Researcher or their services, nor does it guarantee the performance or the result or quality of the services provided. BugBounter may rank, grade and categorize Researchers using some of the algorithms in the system, such as vetting level, demographics, reporting quality, noise, misuse of objections, responsiveness, abilities, member ratings and member comments, and highlight some Researchers because they are highly capable, cooperative, liked, preferred or satisfied. However, this shall not be considered as BugBounter’s approval or guarantee.
BugBounter makes the best effort but does not give any guarantees as to the ability of the website and/or services to respond to the specific expectations or needs of all Customers. Similarly, BugBounter makes the best effort but is not able to guarantee that no errors or other issues with bounty operation or use will occur in the course of using the website and/or services.
BugBounter does not provide any guarantees regarding the reliability of the Researcher, their appropriateness and/or competence to provide the relevant service, their delivery or timely delivery of the services, whether the services provided are safe and error-free, the adequacy or reliability of the results obtained from the use of the service, or the quality of the service to meet the expectations. BugBounter only interviews the relevant Researchers who volunteer to participate in the two-step vetting process for the invitational bug bounty programs conducted by the Customer and, as necessary, tries to make visual calls, ID checks, background checks and reference checks with the information provided by those Researchers. Even if verified by BugBounter, reference checks do not determine the future behavior of a Researcher.
The accuracy of the information or statements specified by the Researcher is guaranteed by him/her, and BugBounter has no responsibility other than banning such impostors.
There is no relationship of (a) employment, (b) part-time employment, (c) consultancy, (d) subcontracting, (e) joint venture or (f) agency between Researcher and BugBounter.
12. LIMITATION OF LIABILITY
Platform is not responsible for the actions, negligence and behavior of any third party, Platform users, advertisers and / or sponsors regarding the use of the Platform or the website, as long as it is legally permitted under applicable law.
Platform is not responsible for any data loss arising from the operation of the Platform or the application of its conditions.
Platform takes reasonable precautions for protection. However, Platform does not accept liability for any consequences that may arise due to attacks on the computer network and the existing database information in this network, as a result of which user information comes into the possession of malicious users. Although BugBounter does not have any responsibility, it will make every effort to ensure the correct and complete performance of the services provided by the Researcher.
It is the responsibility of the Customer and the Researcher to use the website and/or services with good intention and in compliance with the law. BugBounter acts only as intermediary between the Customer and the Researcher: it cannot be held liable in the event of damage caused by a Customer or Researcher to another Customer or Researcher, particularly within the framework of carrying out a program and delivering incorrect or misleading information to the Customer or to the Researcher.
The Platform may contain links or references to other websites that are not under the control of the Platform. Platform is not responsible for the content of these sites or any other links they contain.
BugBounter is not responsible under any circumstances for any damages such as: financial damage, commercial damage, loss of clientele, any disruption to business, loss of profits, loss of brand image, loss of Bug Bounty program, suffered by the Researcher that may result from the non-execution of these Terms & Conditions, which are deemed by express agreement to be consequential losses.
All notifications must be in writing, by the e-mail given by the Customer while registering on the Platform or by the pop-ups published on the Platform during login.
14. SUBCONTRACTING - ASSIGNMENT
Platform reserves the right to subcontract all or some of the services covered by these T&Cs to any company of its choosing.
Platform reserves the right to assign the contract to any third party of its choice. In any case, the Platform will inform Customer by email at the address stated at the time of registering in the event of the assignment or change of subcontracting.
15. APPLICABLE LAW
In the event of any legal dispute relating to the interpretation, formation, validity or execution of these T&Cs, BugBounter and the Customer expressly acknowledge that only Estonian law is applicable.
In the event of a dispute relating to the interpretation, formation or execution of these T&Cs, and if no amicable agreement or settlement is reached, BugBounter and the Customer shall grant express and exclusive competence to the competent courts of the Tallinn Appeal Court, notwithstanding multiple defendants or applications for interim measures or introduction of third parties or protective measures. If this stage is not respected, which remains the responsibility of the Researcher, BugBounter cannot be held liable in this regard.