Bug Bounty Program Terms And Conditions
Last Updated: 2024-03-28
Suspended from: 2024-07-01
1. Introduction
1.1. The Bug Bounty Program (the “Program”) – the program implemented by Kevin EU, UAB (the “Company”), which applies to persons who have discovered a vulnerability in the Company’s Information and Communication Technology (ICT) systems, reported it to the Company, and may be eligible for a reward under these Terms and Conditions.
1.2. The scope of the Program includes any service run by *.kevin.eu and *.getkevin.eu.
1.3. The Terms and Conditions are prepared in accordance with the Company’s Program, which is established to adhere to the principle of the Company to be transparent and demonstrate its determination to ensure the security of the Company's systems and data for the benefit of its clients and customers.
2. Terms and Definitions
(a) Researcher – a natural person (not a company) who participates in the Program and has discovered a vulnerability within the Company’s ICT infrastructure or its web services, reported it to the Company in the manner defined herein, and is eligible for a reward.
(b) Bug – an error, malfunction, misconfiguration, flaw in software code, or other disruption in the programs or systems of the Company, which may affect the Company or any other system related to the Company, which is controlled or managed by the Company.
(c) Confidential information – any information related to the Company System or clients of the Company obtained by participating or intending to participate in the Program.
(d) Client – a natural or legal person who has an agreement with the Company and uses the Company’s services.
(e) Company – Kevin EU, UAB and other legal persons engaged in providing services and authorised to operate on behalf of the Company.
(f) Company System – internet-facing web solutions developed by the Company and used to provide the services of the Company.
(g) Sanctioned persons, Sanctioned countries – persons or countries subjected to sanctions (restrictions of the state) by the European Union, the Office of Foreign Assets Control (OFAC) of the USA, or other relevant organisations.
3. General Terms
3.1. This document sets general terms and conditions (the "Terms") on participating in the Company’s Program and forms a legally binding contract between the Company and the independent Researcher wishing to participate in this Program.
3.2. By submitting the report to the Company, the Researcher hereby confirms that they have read and agreed to the present Terms.
3.3. In its sole discretion, the Company may modify these Terms at any time and restrict, suspend, terminate, or otherwise change any aspect of this Program and/or the fulfilment of any reward payment at any time.
Eligibility of the Researcher
3.4. To participate in the Program, the Researcher shall comply with the following eligibility requirements:
3.4.1. The Researcher shall be at least 14 (fourteen) years old. If the Researcher is at least 14 (fourteen) years old but is considered a minor in their place of residence, they must obtain consent from their parents or legal guardians before enrolling in the Program. The Company has the right to require the Researcher to provide written (including notarised) permission from the Researcher's representatives (parents or legal guardians). If the Researcher fails to provide written consent within the set time, the Company shall terminate their participation in the Program;
3.4.2. The Researcher shall adhere to regulatory legislation;
3.4.3. The Researcher cannot represent the legal entity (a company or any other registered legal body);
3.4.4. When acting as a Researcher, they shall not violate any other agreement (e.g., an employment agreement) to which they may be a party. The Company is not liable for any breach of such a third-party agreement by the Researcher and disclaims any knowledge of or responsibility for the Researcher’s conduct;
3.4.5. The Researcher cannot be a Company's employee, contractor or representative, or an immediate family member of a Company's employee, contractor or representative, during the term of engagement with the Company and for twelve (12) months following the termination of such employment;
3.4.6. The Researcher cannot be a Sanctioned person or reside in Sanctioned countries.
3.5. If the Company determines that the Researcher has breached at least one of the criteria set out in paragraph 3.4., the Researcher shall be removed from the Program and not be entitled to a reward.
Obligations of the Researcher
3.6. The Researcher is obligated to adhere to the Confidentiality requirements – all information obtained by using, participating in, or intending to participate in the Program belongs to the Company and shall be deemed Confidential. The communication (e.g., emails) between the parties, i.e., the Researcher and the Company, is Confidential. Therefore, it is forbidden to disclose Confidential information to other parties, or to disseminate or publish it. Disclosure of Confidential information will be considered a serious violation of the confidentiality agreement set by the Terms, and the Company reserves the right to take legal action over the improper use, disclosure or other dissemination of information related to the Program.
3.7. The Researcher shall only use their own data during participation in the Program. It is forbidden to seek rewards by re-using someone else's research data.
3.8. The Researcher is prohibited from:
3.8.1. carrying out attacks which may harm or otherwise influence the reliability or integrity of the data or services of the Company or may impact the Company's clients, including DoS, social engineering, spam, etc.;
3.8.2. using bug research methods that may result in customer service degradation;
3.8.3. getting or using data of Company Clients obtained through participation in the Program;
3.8.4. performing actions that would allow the Researcher or any other third person to access, store, erase, or otherwise affect the data of the Company or its Clients;
3.8.5. disrupting clients' activity, exploiting a Bug in pursuit of their own benefits, or violating legal requirements.
Reporting of vulnerability and reward payment
3.9. The Researcher shall report a security vulnerability to the Company by email at security@kevin.eu with a description of the probable impact and detailed steps to reproduce the Bug in the software or the system misconfiguration. The report shall include:
(a) Full description of the reported vulnerability, including the exploitability and impact;
(b) Documentation of all steps required to reproduce exploitation of the vulnerability;
(c) URL(s)/application(s) affected in the submission (even if you provided us with a code snippet/video as well);
(d) IPs that were used while testing;
(e) All files that the Researcher attempted to upload;
(f) The complete Proof of Concept (including video, where applicable) for the submission;
(g) All attack logs, attached to the submission.
3.10. Only Bugs acknowledged by the Company are rewarded. A reward to the Researcher is given in proportion to the severity of the Bug. The Company utilises many security controls and takes preventive security measures at various layers of its infrastructure. The Researcher is therefore unaware of these controls, and their assessment of the Bug's severity may be incorrect.
3.11. The Company reserves the right to decide, at its sole discretion, whether the Bug is severe enough to be eligible for a reward, the severity level of the reported Bug, and the exact reward amount. In some cases, for example when the reported Bug does not fully qualify because its actual severity is lower than the Researcher declared, the Company may choose to send the Researcher a gift.
3.12. A reward is paid only for a Bug reported to the Company for the first time (a Bug was not known to the Company earlier). When two or more persons report a Bug within 24 hours, the reward is split between these persons.
3.13. After the Company proposes the reward, the Researcher shall indicate that they accept it. A reward is paid in euros and only into the Researcher’s PayPal account. The Researcher should log in to their PayPal account and issue an electronic PayPal invoice to invoice@kevin.eu. The reward can be settled only into the Researcher's PayPal account held as a natural person and cannot be paid to any other third-party payment account, except in the cases indicated in paragraph 3.15. herein. The Researcher is responsible for providing all relevant data (payment details) to the Company for reward payment initiation.
3.14. The Company is not responsible for the Researcher's inability to accept or receive a reward for any reason. The Company cannot issue a reward to a Researcher who violates a material term of these Terms, including being on a sanctions list or residing in a country on a sanctions list.
3.15. At the Researcher's written request, a reward may be donated to the Red Cross or UNICEF.
3.16. The Researcher is responsible for paying all the taxes (including PayPal fees) that may be applicable in their country of residence from the reward paid out for participation in the Program.
Personal data processing
3.17. The Researcher agrees to provide the Company (if asked for) with their personal and contact details (name, surname, personal identification number, citizenship, residential address, and bank account details) for the Company to pay the reward for their participation in the Program and perform other legal obligations.
3.18. The Researcher agrees that the Company will process the provided data to communicate with the Researcher and to pay a reward if the Bug is acknowledged. The Company ensures the security of the data obtained through the Researcher's participation in the Program. The personal data will be used to the extent required to implement the present Terms. The personal data referred to in paragraph 3.17. may not be disclosed without the Researcher's consent, except in cases established by law or these Terms.
3.19. The retention period for the Researcher's data is 10 (ten) years unless legal acts require a more extended retention period. Upon expiration of the Researcher's data retention period, the Company shall erase the data.
3.20. The Company has the right to transfer information about the Researcher and their activities to public administration authorities (e.g., for tax purposes) if such obligation is determined by law.
Indemnity and limitation of liability
3.21. The Researcher will be liable for and indemnify the Company, its subcontractors, and their respective directors, officers, and representatives against any losses which the Company may incur that arise from the Researcher’s breach of these Terms, including losses arising from the Researcher’s gross negligence, wilful misconduct and breach of law.
3.22. Considering the voluntary nature of the Program, in no event will the Company be liable for any loss of use, revenue, profit or loss of data or for any consequential, incidental, indirect, exemplary, special, aggravated, or punitive damages, whether arising out of breach of contract, tort (including negligence) or otherwise, regardless of whether such damage was foreseeable and whether or not Company had been advised of the possibility of such damages.
Intellectual property rights
3.23. The Company retains all intellectual property rights in its products, including, without limitation, all source code of the Company and associated binaries. Nothing herein shall grant the Researcher any right in any part of the products of the Company or in any improvement or derivative contained in any Report the Researcher provides to the Company. The Researcher agrees that, to the extent required to abide by these Terms, they will waive any rights that may otherwise accrue to them in any Report, and agrees that the Company will not be obliged to license back to the Researcher any derivative or improvement contained in any Report.
Disputes and governing law
3.24. Any obligations arising out of or in connection with the Company's Program and the subject matter of these Terms will be governed by and construed under the laws of Lithuania, and the courts of Lithuania shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with the Program and these Terms.
Changes and termination of Terms
3.25. The Company reserves the right to terminate the Program at any time.
3.26. The Company reserves the right to modify, restrict, suspend, or otherwise change any aspect of the Program and these Terms from time to time, for any reason, including any reason beyond the Company's control, and within its sole discretion.
3.27. The updated Terms will be effective as of the time of posting on the Company’s website. Therefore, if the Researcher disagrees with such an amendment, they must immediately cease participating in the Program.