GObugfree Terms of use
Version: 1.5
Valid from: 11 February 2022
1. Definitions
- A Bug Bounty Program is a company-driven initiative to identify, fix and disclose software bugs and security vulnerabilities (hereinafter Vulnerabilities) by offering financial rewards to the discoverers.
- The GObugfree Platform (hereinafter:Platform) is a platform operated by GObugfree AG (Platform Operator), which offers its customers (Customers) to run a bug bounty program.
- A Customer is a company who uses the Platform's offer to find vulnerabilities in its software and to fix them before they become publicly known.
- Friendly Hackers are security experts who participate in a bug bounty program and are rewarded for finding bugs in the Customers' software.
2. Description of the platform
Many companies cannot afford independently organized bug bounty programs or platforms due to the technical, organizational and legal effort involved. This is where the GObugfree Platform comes in: The platform enables the customer to create and manage an individual bug bounty program via the GObugfree platform and offers both the friendly hackers and the customers legal protection in the form of a "legal safe harbor". As long as the Friendly Hackers stay within the framework set by the Customers, they are not liable to prosecution because the Customers have given their prior consent to such hacking activities. Any vulnerabilities are reported by the Friendly Hackers exclusively via the GObugfree Platform. The platform ensures the secure storage of this information and checks reported vulnerabilities for verifiability and novelty. It then categorizes verifiable vulnerabilities that are not already known in terms of their severity and criticality. Depending on the severity of a vulnerability ("bug"), it then awards a reward ("bounty") and transfers the corresponding amount of money to the Friendly Hacker's account. The categories of vulnerabilities and the associated rewards can be viewed on the platform's website for registered Friendly Hackers, with the rewards being determined by the customers for the respective bug bounty program.
3. Services of the platform
The Platform offers Customers a bug bounty platform through which the Customer can operate its individual bug bounty program. This includes the following services, unless otherwise specified in the selected service type of the platform:
- Verification of the Friendly Hackers' identity according to the various identity verification levels.
- Assurance that only those Friendly Hackers participate in a bug bounty program who have accepted the general and per Customer individual terms of use and rules for Friendly Hackers.
- Review of vulnerabilities reported by Friendly Hackers for novelty and verifiability.
- Review of the severity classification of new and verifiable vulnerabilities initially determined by the Friendly Hacker.
- Providing a discussion platform between the Customer and the Friendly Hacker for queries regarding reported vulnerabilities.
- Securely storing information about vulnerabilities until they are fixed.
- Information about vulnerabilities already found for Friendly Hackers participating in the bug bounty program concerned (to exclude multiple reports).
- Payment of rewards for new and verifiable vulnerabilities according to the customer's individual bounty list.
- If uncertainties arise during the validation of a vulnerability, the platform contacts the customer. The customer can then provide helpful information for the validation. In case of doubt, the platform decides on the basis of the information provided by Friendly Hacker and the customer. The decision must be justified by the platform.
4. Duties of the Friendly Hackers
- In order to participate in a bug bounty program via the platform, Friendly Hackers must register with at least their first and last name, postal address, email address and telephone number and accept these Terms of Use. A minimum age of 18 years applies. By accepting the Terms of Use, Friendly Hackers assure to be at least 18 years old. In order to receive a reward, they must also provide a bank account in their name (IBAN plus name and postal address). In addition, they must accept the individual terms and conditions of each bug bounty program in which they wish to participate. These may prohibit further hacking methods in addition to the unauthorized hacking methods listed below and may also impose other conditions that go beyond these terms of use.
- The Friendly Hackers are responsible for their account and must in particular ensure that the access data is inaccessible to third parties. By accepting the Terms of Use, Friendly Hackers consent to the disclosure of their contact information to the customers of the bug bounty programs in which they participate.
- By accepting these Terms of Use, Friendly Hackers commits to documenting information about found vulnerabilities exclusively via the platform's designated reporting form and not in other places. They also agree to keep the vulnerability found secret for 90 days after reporting it on the platform. Finally, they undertake to upload to the platform data from the customers to which they have gained access as part of a bug bounty program and to subsequently delete any local copies and not to disseminate them further.
- By accepting the terms of use, Friendly Hackers undertakes to refrain from methods that have a negative impact on the tested applications or their users. Among others these are:
- Social engineering
- Spamming
- Phishing
- Denial of service attacks or other bruteforce attacks
- Physical attacks
- In addition to the improper hacking methods listed in Section 4.4, the Friendly Hackers are required to immediately discontinue vulnerability hunting if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform's or Service's operations.
5. Duties of the customers
- When setting up a bug bounty program via the platform, customers must define the scope of the program. The scope defines for which services of the customer the bug bounty program should apply. In particular, they can include or exclude certain domains and/or subdirectories from the scope. The additional information required for the scope can be found in the corresponding form.
- By accepting the Terms of Use, Customers consent to the use of hacking methods by Friendly Hackers on their designated websites and software. Excluded are the methods listed in section 4.4 and in the bug bounty program. Due to the consent of the customers, the criminal liability criterion of unauthorized obtaining/unauthorized use and thus the criminal liability of the Friendly Hackers with regard to the criminal offenses in Art. 143 Swiss Criminal Code (Unauthorised obtaining of data) and Art. 143 bis Swiss Criminal Code (Unauthorised access to a data processing system) does not apply.
- Customers undertake to pay the prices according to the price list for the services of the platform as well as a sum chosen by them, which will be used as a bounty in the event of the discovery of new and traceable vulnerabilities for the payment of Friendly Hackers. The fee for the platform's services and the sum designated for rewards must be transferred to the platform operator prior to the start of a bug bounty program or pledged, e.g., in the form of a Purchase Order (PO). The reward for the Friendly Hacker including the handling fee of the platform must be transferred within 15 days after definite confirmation of the bug. An advance payment of the sums provided annually for rewards is also possible..
- The bug bounty program started by a Customer will run until it is paused or stopped by the Customer. Customers agree to pay Bounties for Bugs found during an ongoing (i.e. not paused or stopped) Bug Bounty Program.
6. Evaluation and payment of bounties
- The bugs reported by Friendly Hackers via the platform will be evaluated by the platform operator within 10 days with regard to their novelty and verifiability and, if they are new and verifiable, confirmed in a category and thus in a reward according to the bounty list of the respective bug bounty program. If feedback from the customer is required, it may take longer to process the submitted bug.
- Unless otherwise defined in the bug bounty program, the rating is verified by means of the Common Vulnerability Scoring System (CVSS):
- low: 0.1 – 3.9
- medium: 4.0 – 6.9
- high: 7.0 – 8.9
- critical: 9.0 - 10
- The reward for finding and reporting a new and verifiable bug will be transferred to the bank account of the Friendly Hacker concerned specified during registration within 40 days after definite confirmation of the bug.
- Multiple vulnerabilities caused by one underlying problem are rewarded with one premium.
- The platform is entitled to reject reported bugs if they are not new and/or not verifiable. Thereby any claim for compensation is forfeited.
- The following vulnerabilities and forms of documentation are generally not sought and are rejected:
- Best practices that do not lead to a directly exploitable vulnerability (e.g., missing security headers).
- Vulnerabilities due to third-party software libraries for which the vulnerabilities are already known.
- Documentations of automatic tools without additional explanations.
7. Contract term
- The contract between the platform and the Friendly Hackers comes into effect with the registration of an account and the acceptance of the terms of use. The contract can be terminated by the Friendly Hackers at any time by deleting the Account. The contract can also be terminated by the platform at any time without giving reasons and the account access of the Friendly Hacker can be deactivated.
- The contract between the platform and the Customers is concluded upon registration of an Account and acceptance of the Terms of Use. The contract may be terminated by the Customers at any time by deleting the Account. The contract can also be terminated by the platform without giving reasons at the end of the term. In the event of termination of the contract between the platform and the customers, any credit balance will be refunded.
8. Liability
- The Customers are solely responsible for any damage that occurs within the scope of the hacking permitted by the Scope. Civil or criminal action against Friendly Hacker or the platform is excluded in this case.
- If a Friendly Hacker does not adhere to the specified scope and damage occurs as a result, the Friendly Hacker alone is responsible for this. If there is evidence of a justified suspicion that the Customers have exceeded the scope, the platform will block the account of the offending Friendly Hacker(s). Any further liability of the platform is excluded.
- The platform shall ensure a safe storage of the information about found vulnerabilities according to the state of the art. In the event that third parties are able to access such information despite the protective measures taken and damage occurs as a result, the Platform's liability is excluded..
- The platform shall ensure the best possible availability. The platform shall not be liable for any damage resulting from an unavailability of the platform..
- Friendly Hackers are responsible for correctly declaring their earnings (rewards for found bugs) according to the law applicable to them. The platform excludes any liability due to incorrect declaration of earnings by the Friendly Hackers. For Friendly Hackers residing in Switzerland, the lack of economic and work-organizational dependence means that there is no dependent employment and thus no obligation to pay social security contributions.
9. Final provisions
- The platform is entitled to have all or individual services, which it is obligated to provide in accordance with these Terms of Use, provided by subcontractors also abroad.
- Communications from the Platform to Customers and Friendly Hackers shall be made by secure e-mail or via the Platform.
- The Platform may amend these Terms of Use. The version of the Terms of Use available online shall apply in each case.
- Contracts between the Platform and the Friendly Hackers or between the Platform and the Customers shall be governed exclusively by Swiss law. The contracts between the Platform and Friendly Hackers, or between the Platform and the Customers, shall be governed exclusively by Swiss substantive law, excluding international conventions, including the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (CISG) and the conflict of laws rules.
- The exclusive place of jurisdiction is Zurich.