Valid from: 11 February 2022
- A Bug Bounty Program is a company-driven initiative to identify, fix and disclose software bugs and security vulnerabilities (hereinafter Vulnerabilities) by offering financial rewards to the discoverers.
- The GObugfree Platform (hereinafter: Platform) is a platform operated by GObugfree AG (Platform Operator) which enables its customers (Customers) to run a bug bounty program.
- A Customer is a company who uses the Platform's offer to find vulnerabilities in its software and to fix them before they become publicly known.
- Friendly Hackers are security experts who participate in a bug bounty program and are rewarded for finding bugs in the Customers' software.
2. Description of the platform
Many companies cannot afford independently organized bug bounty programs or platforms due to the technical, organizational and legal effort involved. This is where the GObugfree Platform comes in: the Platform enables the Customer to create and manage an individual bug bounty program via the GObugfree Platform and offers both the Friendly Hackers and the Customers legal protection in the form of a "legal safe harbor". As long as the Friendly Hackers stay within the framework (scope) set by the Customers, they are not liable to prosecution, because the Customers have given their prior consent to such hacking activities. Vulnerabilities are reported by the Friendly Hackers exclusively via the GObugfree Platform. The Platform ensures the secure storage of this information and checks reported vulnerabilities for verifiability and novelty. It then categorizes verifiable vulnerabilities that are not already known in terms of their severity and criticality. Depending on the severity of a vulnerability ("bug"), it awards a reward ("bounty") and transfers the corresponding amount of money to the Friendly Hacker's account. The categories of vulnerabilities and the associated rewards can be viewed on the Platform's website by registered Friendly Hackers; the rewards are determined by the Customers for the respective bug bounty program.
3. Services of the platform
The Platform offers Customers a bug bounty platform through which the Customer can operate its individual bug bounty program. This includes the following services, unless otherwise specified in the selected service type of the platform:
- Verification of the Friendly Hackers' identity according to the various identity verification levels.
- Review of vulnerabilities reported by Friendly Hackers for novelty and verifiability.
- Review of the severity classification of new and verifiable vulnerabilities initially determined by the Friendly Hacker.
- Providing a discussion platform between the Customer and the Friendly Hacker for queries regarding reported vulnerabilities.
- Securely storing information about vulnerabilities until they are fixed.
- Informing Friendly Hackers participating in the bug bounty program concerned about vulnerabilities already found (to avoid duplicate reports).
- Payment of rewards for new and verifiable vulnerabilities according to the customer's individual bounty list.
- If uncertainties arise during the validation of a vulnerability, the Platform contacts the Customer. The Customer can then provide helpful information for the validation. In case of doubt, the Platform decides on the basis of the information provided by the Friendly Hacker and the Customer. The Platform must justify its decision.
4. Duties of the Friendly Hackers
- The following hacking methods are improper and not permitted (Section 4.4):
  - Social engineering
  - Denial of service attacks or other brute-force attacks
  - Physical attacks
- In addition to refraining from the improper hacking methods listed in Section 4.4, the Friendly Hackers are required to immediately discontinue vulnerability hunting if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the operations of the Platform or of the Customer's service.
5. Duties of the customers
- When setting up a bug bounty program via the platform, customers must define the scope of the program. The scope defines for which services of the customer the bug bounty program should apply. In particular, they can include or exclude certain domains and/or subdirectories from the scope. The additional information required for the scope can be found in the corresponding form.
- Customers undertake to pay the prices according to the price list for the services of the Platform as well as a sum chosen by them, which will be used as bounties for the payment of Friendly Hackers in the event of the discovery of new and verifiable vulnerabilities. The fee for the Platform's services and the sum designated for rewards must be transferred to the Platform Operator prior to the start of a bug bounty program, or pledged, e.g. in the form of a Purchase Order (PO). The reward for the Friendly Hacker, including the handling fee of the Platform, must be transferred within 15 days after definite confirmation of the bug. An advance payment of the sums provided annually for rewards is also possible.
- The bug bounty program started by a Customer will run until it is paused or stopped by the Customer. Customers agree to pay Bounties for Bugs found during an ongoing (i.e. not paused or stopped) Bug Bounty Program.
6. Evaluation and payment of bounties
- The bugs reported by Friendly Hackers via the platform will be evaluated by the platform operator within 10 days with regard to their novelty and verifiability and, if they are new and verifiable, confirmed in a category and thus in a reward according to the bounty list of the respective bug bounty program. If feedback from the customer is required, it may take longer to process the submitted bug.
- Unless otherwise defined in the bug bounty program, the severity is rated using the Common Vulnerability Scoring System (CVSS) and its qualitative severity rating scale:
  - low: 0.1 – 3.9
  - medium: 4.0 – 6.9
  - high: 7.0 – 8.9
  - critical: 9.0 – 10.0
- The reward for finding and reporting a new and verifiable bug will be transferred to the bank account of the Friendly Hacker concerned specified during registration within 40 days after definite confirmation of the bug.
- Multiple vulnerabilities caused by one underlying problem (the same root cause) are rewarded with one bounty.
- The Platform is entitled to reject reported bugs if they are not new and/or not verifiable. In that case, no claim to a reward exists.
- The following vulnerabilities and forms of documentation are generally not sought and are rejected:
- Best practices that do not lead to a directly exploitable vulnerability (e.g., missing security headers).
- Vulnerabilities due to third-party software libraries for which the vulnerabilities are already known.
- Raw output of automated tools without additional explanation.
7. Contract term
- The Customers are solely responsible for any damage that occurs within the scope of the hacking permitted by the Scope. Civil or criminal action against Friendly Hacker or the platform is excluded in this case.
- If a Friendly Hacker does not adhere to the specified scope and damage occurs as a result, the Friendly Hacker alone is responsible for this. If there is evidence giving rise to a justified suspicion that Friendly Hackers have exceeded the scope, the Platform will block the account of the offending Friendly Hacker(s). Any further liability of the Platform is excluded.
- The Platform shall ensure the secure storage of the information about found vulnerabilities according to the state of the art. In the event that third parties are able to access such information despite the protective measures taken and damage occurs as a result, the Platform's liability is excluded.
- The Platform shall ensure the best possible availability. The Platform shall not be liable for any damage resulting from an unavailability of the Platform.
- Friendly Hackers are responsible for correctly declaring their earnings (rewards for found bugs) according to the law applicable to them. The platform excludes any liability due to incorrect declaration of earnings by the Friendly Hackers. For Friendly Hackers residing in Switzerland, the lack of economic and work-organizational dependence means that there is no dependent employment and thus no obligation to pay social security contributions.
9. Final provisions
- Communications from the Platform to Customers and Friendly Hackers shall be made by secure e-mail or via the Platform.
- The contracts between the Platform and the Friendly Hackers, or between the Platform and the Customers, shall be governed exclusively by Swiss substantive law, excluding international conventions, including the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (CISG), and the conflict of laws rules.
- The exclusive place of jurisdiction is Zurich.