Bug Bounty Program Terms And Conditions
Last updated: 2022-03-29
Bug Bounty Program (the “Program”) – the program implemented by Kevin EU, UAB (the “Company”), which applies to persons who have discovered a vulnerability at Company, reported it to Company, and are eligible for a reward regarding these Terms and Conditions. The scope of the Program includes any service run by *.kevin.eu and *.getkevin.eu.
Researcher – a natural person (not a company) who participates in Program and has discovered a vulnerability within Company’s ICT infrastructure or its web services, reported it to the Company in a defined way and is eligible for a reward.
Bug – an error, malfunction, misconfiguration, flaw in software code, or other disruption in the programs or systems of the Company, which may affect the Company or any other system related to the Company, which is controlled or managed by the Company.
Confidential information – any information related to the Company System or clients of the Company, obtained by participating or intending to participate in the Program.
Client – a natural or legal person who has an agreement with the Company and uses Company’s services.
Company – Kevin EU, UAB and other legal persons engaged in providing services and authorised to operate on behalf of the Company.
Company System – internet-facing web solutions developed by the Company and used to provide the services of the Company.
Sanctioned persons, sanctioned countries – persons or countries subjected to sanctions (restrictions of the state) by the European Union, The Office of Foreign Assets Control (OFAC) of the USA, or other relevant organisations.
1. This document sets out the general terms and conditions (the "Terms") for participating in the Company’s Program and forms a legally binding contract between the Company and an independent Researcher wishing to participate in this Program.
2. By submitting the report to the Company, the Researcher hereby confirms that they have read and agree to the present Terms.
3. In its sole discretion, the Company may modify these Terms at any time and restrict, suspend, terminate, or otherwise change any aspect of this Program and/or the fulfilment of any reward payment at any time.
Eligibility of the Researcher
4. To participate in the Program, the Researcher shall comply with the following eligibility requirements:
4.1 The Researcher shall be at least 14 years old. If the Researcher is at least 14 years old but is considered a minor in their place of residence, he/she must obtain consent from their parents or legal guardians before enrolling in the Program. The Company has the right to require the Researcher to provide written (also notarised) permission of the Researcher's representatives (parents or legal guardians). If the Researcher fails to provide written consent within the set time, the Company shall terminate their participation in the Program;
4.2 The Researcher shall adhere to regulatory legislation;
4.3 The Researcher cannot represent a legal entity (a company or any other registered legal body);
4.4 When acting as a Researcher, he/she shall not violate any other agreement (i.e. employment agreement) to which he/she may be a party (the Company is not liable for any breach of such third party agreement by the Researcher and disclaims any knowledge of or responsibility for the Researcher’s conduct);
4.5 The Researcher cannot be Company's employee, contractor or representative, or an immediate family member of a Company's employee, contractor or representative, during the term of engagement with the Company and for twelve (12) months following the termination of such employment;
4.6 The Researcher cannot be a Sanctioned person or reside in Sanctioned countries.
5. If the Company determines that the Researcher has breached at least one of the criteria set out in paragraph 3, the Researcher shall be removed from the Program and not be entitled to a reward.
Obligations of the Researcher
6. The Researcher is obligated to adhere to the confidentiality requirements – all information obtained by using, participating, or intending to participate in the Program belongs to the Company and shall be deemed Confidential. The Company reserves the right to take legal action on the use or disclosure of information related to the Program or any other dissemination of such information.
7. The Researcher shall only use their own research data during participation in the Program. It is forbidden to seek rewards by re-using someone else's research data.
8. The Researcher is prohibited from:
8.1 carrying out attacks that may harm or otherwise affect the reliability or integrity of the data or services of the Company or may impact the Company's Clients, including DoS, social engineering, spam, etc.;
8.2 using bug research methods that may result in customer service degradation;
8.3 getting or using data of Company Clients obtained through the participation in the Program;
8.4 performing actions that would allow the Researcher or any other third person to access, store, erase, or influence the data of the Company or its Clients in different ways;
8.5 disrupting clients' activity, exploiting a Bug in pursuit of own benefits, or violating legal requirements.
Reporting of vulnerability and reward payment
9. The Researcher shall report a security vulnerability to the Company by email at firstname.lastname@example.org with a description of the probable impact and a detailed way to reproduce the bug in software or the systems misconfiguration. The report shall include:
- Full description of the reported vulnerability, including the exploitability and impact;
- Documentation of all steps required to reproduce the exploit of the vulnerability;
- URL(s)/application(s) affected in the submission (even if you provided us with a code snippet/video as well);
- IPs that were used while testing;
- All of the files that you attempted to upload;
- The complete Proof of Concept for your submission;
- All the attack logs attached to the submission.
10. Only Bugs acknowledged by the Company are rewarded. A reward to the Researcher is given in proportion to the severity of the Bug. The Company utilises many security controls and takes preventive security measures in various layers of its infrastructure. Since the Researcher is not aware of these controls, their severity assessment may be incorrect.
11. The Company reserves the right to decide, at its sole discretion, whether the Bug is severe enough to be eligible for the reward, the severity level of the reported Bug, and the exact reward amount. In some cases, for example where the reported Bug does not fully qualify because its severity is in fact lower than the Researcher declared, the Company may choose to send the Researcher a gift.
12. A reward is paid only for a Bug reported to the Company for the first time (a Bug not previously known to the Company). When a Bug is reported by two or more persons within 24 hours, the reward is split between these persons.
13. A reward is paid in euro into the PayPal account nominated by the Researcher. The reward can be settled only into the Researcher's natural person PayPal account and cannot be paid to any other third party payment account. The Researcher is responsible for providing a PayPal invoice with all relevant data (full name, address, ID card number, email address, and payment details) to the Company for reward payment initiation.
14. The Company is not responsible for the Researcher's inability to accept or receive a reward for any reason. The Company cannot issue a reward to the Researcher who violates a material term of these Terms, including being on a sanctions list or residing in countries on a sanctions list.
15. At the Researcher's request, a reward may be donated to the Red Cross or UNICEF.
16. The Researcher is responsible for paying all taxes (including PayPal fees) that may be applicable in their country of residence on the reward paid out for participation in the Program.
Personal data processing
17. The Researcher agrees to provide the Company with their personal and contact details (name, surname, personal identification number, citizenship, residential address, bank account details) for Company to pay the reward for their participation in the Program and perform other legal obligations.
18. The Researcher agrees that the Company will process the provided data to communicate with the Researcher and to pay a reward if the Bug is acknowledged. The Company ensures the security of the data obtained through the Researcher's participation in the Program. The personal data will be used to the extent required to implement the present Terms and Conditions. The personal data referred to in paragraph 17 may not be disclosed without the Researcher's consent, except in cases established by law or these Terms and Conditions.
19. The retention period for the Researcher's data is 10 (ten) years unless legal acts require a more extended retention period. Upon expiration of the Researcher's data retention period, the Company shall erase the data.
20. The Company has the right to transfer information about the Researcher and their activities to public administration authorities (e.g. for tax purposes) if such an obligation is determined by law.
Indemnity and limitation of liability
21. The Researcher will be liable for and indemnify the Company, its subcontractors, and their respective directors, officers, and representatives against any losses which the Company may incur that arise from the Researcher’s breach of these Terms, including losses arising from the Researcher’s gross negligence, wilful misconduct and breach of law.
22. Considering the voluntary nature of the Program, in no event will the Company be liable to you for any loss of use, revenue or profit or loss of data or for any consequential, incidental, indirect, exemplary, special, aggravated, or punitive damages, whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damage was foreseeable and whether or not the Company had been advised of the possibility of such damages.
Intellectual property rights
23. We retain all intellectual property rights in our products, including, without limitation, all our source code and associated related binaries. Nothing herein shall grant you any right in any part of our products or any improvement or derivative in any Report you provide us. You agree that to the extent required to abide by these Terms, you will waive any rights that may otherwise accrue to you in any Report and agree that we will not be obliged to license back any derivative or improvements in any Report to you.
Disputes and governing law
24. Any obligations arising out of or in connection with the Company's Program and these Terms and their subject matter will be governed by and construed under the laws of Lithuania, and the courts of Lithuania shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Program and Terms.
Changes and termination of Terms
25. The Company reserves the right to terminate the Program at any time. An integral supplement of these Program Terms is the Terms and Scope of Service provided on the Company’s website.
26. The Company reserves the right to modify, restrict, suspend, or otherwise change any aspect of the Program and these Terms from time to time, for any reason, including any reason beyond the Company's control, and within its sole discretion.
27. The updated Terms will be effective as of the time of posting on the Company’s website. Therefore, if you do not agree to such an amendment, you must immediately cease your participation in the Program.