Security Through Collaboration: The Power of Many

Building an Impenetrable Shield Together

The strongest security isn’t built in isolation—it’s forged through partnership with the brightest minds in the field. SureDone’s Bug Bounty Program invites security researchers to help strengthen our platform, protecting the businesses that depend on us. We don’t just acknowledge vulnerabilities—we reward those who find them.

Our Bug Bounty Program is currently suspended. We will NOT be paying any bounties on any security issues discovered.


Strengthening Security Together: The SureDone Approach

Beyond Traditional Security: The Power of Collaboration

At SureDone, we understand that true security isn’t achieved through isolation—it’s built through collaboration with the global security community. Our Bug Bounty Program represents our commitment to maintaining the highest security standards for our multichannel e-commerce platform, ensuring that the businesses who trust us with their operations remain protected.

Continuous Protection

Our bounty program creates an ongoing security feedback loop that complements traditional security measures with constant vigilance.

Global Expertise

We leverage the collective knowledge of security researchers worldwide to identify vulnerabilities before they can be exploited.

Meaningful Rewards

Security researchers deserve more than acknowledgment—they deserve compensation for their valuable contributions to platform security.

Transparent Process

Clear guidelines, responsive communication, and fair evaluation create a respectful partnership with the security community.

Bounty Program Specifics

Program Eligibility

You ARE eligible to participate in the Program if you meet all of the following criteria:

– You are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain your parent’s or legal guardian’s permission prior to participating in this Program; and

– You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this Program.

You are NOT eligible to participate in the Program if you meet any of the following criteria:

– You are a resident of any country under U.S. sanctions;

– You are under the age of 14;

– Your organization does not allow you to participate in these types of programs;

– You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;

– You are currently an employee of SureDone, or an immediate family member (parent, sibling, spouse, or child) or household member of such an employee;

– Within the six months prior to providing us your Submission you were an employee of SureDone;

– You currently (or within the six months prior to providing us your Submission) perform services for SureDone in an external staff capacity that requires access to the SureDone Network, such as an agency temporary worker, vendor employee, business guest, or contractor; or

– You are or were involved in any part of the development, administration, and/or execution of this Program.

It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. All payments will be made in compliance with local laws, regulations, and ethics rules. SureDone disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.

There may be additional restrictions on your ability to enter depending upon your local law.

Scope

In-Scope Systems:

– SureDone production applications and services (app.suredone.com)

– API endpoints and authentication mechanisms (api.suredone.com)

– Web application vulnerabilities – specifically for the SaaS application

– Infrastructure and configuration issues

Out-of-Scope:

– Denial of service attacks

– Physical or social engineering attempts

– No rewards will be given for any vulnerability related to a third-party plugin or application on any of our sites (such as chat or CMS) unless it allows for the interception of customer data and has not been disclosed before. We recommend contacting the third party about their bug bounty programs.

– Marketing websites, support websites or any other non-app website – The only rewards for vulnerabilities found on our public website are for those that may allow defacing of our website or collection of visitor information.

– Vulnerabilities in or related to our e-mail or DNS systems (such as SPF, DMARC, etc.), unless they specifically allow interception of e-mails (not spoofing) or of confidential or proprietary information that would normally be secured.

– Recently reported vulnerabilities (within 30 days)

– Issues requiring extensive user interaction

Please keep in mind that we may have already been informed of various potential security vulnerabilities and may have determined not to fix them at this time. This may be due to them being introduced purposefully for security reasons, not having a significant impact on data security, having other systems in place to detect and mitigate their exploitation, or for other reasons. Upon your submission, we will inform you if we have already received notice of the particular vulnerability. We trust you to be ethical in your discovery. Please trust us to be ethical in informing you of known potential vulnerabilities. We will not pay a bounty on known potential vulnerabilities.

Submission Process

If you believe you have identified a Vulnerability that meets the applicable requirements, you may submit it to SureDone in accordance with the following process:

Each Vulnerability submitted to SureDone shall be a “Submission.” Submissions must be sent to product@suredone.com. In the initial email, specify the Vulnerability details, and specific product version numbers you used to validate your research. Please also include as much of the following information as possible:

– Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)

– URL

– Any special configuration required to reproduce the issue

– Step-by-step instructions to reproduce the issue

– Proof-of-concept or exploit code

– Impact of the issue, including how an attacker could exploit the issue

Depending on the detail of your Submission, SureDone may award a bounty of varying scale. Well-written reports and functional exploits are more likely to result in bounties. Those Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for bounties.

SureDone is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify SureDone at product@suredone.com to ensure your Submission was received.

Submission License

SureDone is not claiming any ownership rights to your Submission. However, by providing any Submission to SureDone, you:

– Grant SureDone the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission:

(i) to use, review, assess, test, and otherwise analyze your Submission;

(ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and

(iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);

– Agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;

– Understand and acknowledge that SureDone may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;

– Understand that you are not guaranteed any compensation or credit for use of your Submission; and

– Represent and warrant that your Submission is your own work, that you haven’t used information owned by another person or entity, and that you have the legal right to provide the Submission to SureDone.

CONFIDENTIALITY OF SUBMISSIONS / RESTRICTIONS ON DISCLOSURE

Protecting customers is SureDone’s highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that, we require that Bounty Submissions remain confidential and not be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. SureDone will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released, and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

SUBMISSION REVIEW PROCESS

After a Submission is sent to SureDone in accordance with the above, SureDone engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.

SureDone retains sole discretion in determining which Submissions are qualified. If we receive multiple vulnerability reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to SureDone, we may award a differential to the person submitting the duplicate report.

If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Bounty. If you submit the functioning exploit within 90 days of submitting the Vulnerability, we may, in our discretion, provide an additional Bounty payment (but are not obligated to do so).

BOUNTY PAYMENTS

The decisions made by SureDone regarding Bounties are final and binding.

If we have determined that your Submission is eligible for a Bounty, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.

If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.

Before receiving a Bounty, you are required to complete and submit an Internal Revenue Service tax form (e.g., Form W-9, W-8BEN, 8233) within 30 calendar days of notification of validation. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation.

You will be solely responsible for all applicable taxes related to accepting the payment(s). If you are unable or unwilling to accept your Bounty, we reserve the right to rescind it.

CODE OF CONDUCT

By participating in the Program, you will follow these rules:

– Don’t do anything illegal.

– Don’t engage in any activity that exploits, harms, or threatens to harm children.

– Don’t send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.

– Don’t share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).

– Don’t engage in activity that is false or misleading.

– Don’t engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).

– Don’t infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.

– Don’t help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.

NO WARRANTIES

SUREDONE, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.

LIMITATION OF LIABILITY & BINDING ARBITRATION

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from SureDone or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to $100.00. You can’t recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn’t fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.

We hope we never have a dispute, but if we do, you and we agree to try for 60 days to resolve it informally. If we can’t, you and we agree to binding individual arbitration before the American Arbitration Association (“AAA”) under the Federal Arbitration Act (“FAA”), and not to sue in court in front of a judge or jury. Instead, a neutral arbitrator will decide and the arbitrator’s decision will be final except for a limited right of review under the FAA. Class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity aren’t allowed. Nor is combining individual proceedings without the consent of all parties.

You and we must file in small claims court or arbitration any claim or dispute (except intellectual property disputes) within one year from when it first could be filed. Otherwise, it’s permanently barred.

CHOICE OF LAW AND PLACE TO RESOLVE DISPUTES

If you live in (or, if a business, your principal place of business is in) the United States, the laws of New York govern all claims, regardless of conflict of laws principles, except that the Federal Arbitration Act governs all provisions relating to arbitration. You and we irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in New York County, New York, for all disputes arising out of or relating to these Terms or the Program that are heard in court (excluding arbitration and small claims court).

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.

Frequently Asked Questions About SureDone's Bug Bounty Program

Who can participate in SureDone's Bug Bounty Program?

Our program is open to security researchers worldwide, with the exception of individuals in countries subject to U.S. export restrictions. Participants must be at least 18 years old and must agree to our program terms and conditions, including responsible disclosure requirements. We welcome both professional security researchers and ethical hackers who can help identify potential vulnerabilities in our systems while adhering to our testing guidelines and scope limitations.

How do I submit a vulnerability report?

Vulnerability reports should be submitted via email to security@suredone.com. Reports should include a detailed description of the vulnerability, clear steps to reproduce, potential impact assessment, and any supporting materials such as screenshots or proof-of-concept code. We strongly recommend encrypting sensitive reports using our PGP key, which is available on our security page. Complete reports with clear reproduction steps receive faster evaluation and higher consideration for rewards.

What types of vulnerabilities are eligible for rewards?

Eligible vulnerabilities include but are not limited to: authentication bypasses, authorization flaws, injection vulnerabilities (SQL, XSS, etc.), server-side request forgery, information disclosure, business logic flaws with security implications, and significant security misconfigurations. We particularly value vulnerabilities that could impact customer data, transaction integrity, or platform availability. Novel or creative findings that demonstrate unique attack vectors receive special consideration in our reward determination.

How long does it take to evaluate a submission?

We aim to provide initial acknowledgment of submissions within 1 week. The evaluation timeline varies based on the complexity of the reported issue, but we typically complete assessments within 15 business days. Critical vulnerabilities receive expedited review. Throughout the evaluation process, we may maintain communication with researchers about status and any questions that arise. Our security team works diligently to validate reports while minimizing the time between submission and resolution.

How are reward amounts determined?

Reward amounts are determined based on the severity of the vulnerability, the quality of the report, the potential impact on our systems and customers, and the creativity or complexity of the finding. Our security team makes the final determination on reward amounts. Exceptional reports that demonstrate significant research effort or identify particularly impactful issues may receive rewards above the standard ranges. We value thoroughness, clarity, and responsible disclosure in all submissions.

When are bounty rewards paid?

Bounty rewards are paid after the vulnerability has been validated, assessed, and fixed. Payment is typically processed within 30 days of the fix being deployed to production. Researchers will be notified when the issue is resolved and when payment is initiated. We offer multiple payment options including PayPal, cryptocurrency, and bank transfers to accommodate researchers worldwide. All payments comply with applicable tax and regulatory requirements.

Can I publish details about vulnerabilities I've found?

We request that researchers maintain confidentiality until the vulnerability has been fixed and we’ve provided explicit permission for disclosure. Once an issue is resolved, we generally support responsible disclosure and will work with researchers on appropriate timing and content. We appreciate researchers who coordinate disclosure with our team to ensure customer protection while allowing appropriate recognition for their findings. In many cases, we’re happy to acknowledge researchers on our security page with their permission.

What happens if multiple researchers report the same vulnerability?

Rewards are issued to the first researcher who submits a complete, valid report of a particular vulnerability. Duplicate reports will be acknowledged but are not eligible for rewards. In cases where multiple reports contain different aspects or impacts of the same underlying issue, we may distribute partial rewards to recognize these contributions. We determine submission order based on the timestamp of the first complete report that allows us to understand and reproduce the vulnerability.

Are there any testing limitations I should be aware of?

Yes. Researchers should not conduct testing that could disrupt our services, compromise customer data, or affect system availability. Specifically prohibited are denial of service attacks, physical security testing, social engineering, and automated scanning that generates significant traffic. We provide a dedicated test environment for approved researchers who request access for more extensive testing. This environment allows for broader testing without risking impact to production systems or customer data.