Cobalt Crowdsourced Application Pentest

Terms of use

Running a Security Program


Last update on 9th of January, 2019

IMPORTANT - READ BEFORE USING THE SITE OR SERVICES FOR RUNNING A SECURITY PROGRAM.

BY CLICKING TO SIGN IN ON-LINE TO USE THE COBALT SITE AND SERVICES AND BY USING THE SITE AND SERVICES FOR RUNNING A SECURITY PROGRAM, PROGRAM OWNER (“YOU” OR “YOUR”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO RUN A SECURITY PROGRAM AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE SECURITY RESEARCHER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO USE THE SITE OR SERVICE TO RUN A SECURITY PROGRAM.

These Supplemental Terms form a part of the General Terms and you agree that you are a Member of the Site and Services and you therefore have already agreed to and accepted the General Terms and Privacy Policy for being a Member on the Site and Services. Terms not otherwise defined herein, shall have the meaning set forth in the General Terms.

Eligibility

To submit a Security Program, you must either be the owner of the Application(s)/Network(s) you list as in scope of the test or have obtained all necessary legal permissions and licenses from the owner to list them and have them tested. You also need to ensure that you have obtained all necessary legal permissions and licenses from any third party service providers applicable to the scope that may be tested pursuant to the terms and conditions of an agreement with such third party, including, but not limited to, a hosting agreement. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including the cost of the activities, and that you have the authority to bind such entity to these Supplemental Terms. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

Security Program Time Period

The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.

The Security Program will run until a written deadline agreed between you (The Program Owner) and Cobalt. This deadline will be listed on the Security Program.

It is important to note that

  • Security Researchers can only engage in testing on programs that are in status Live and to which the Security Researchers have been invited.
  • When a program is past the test deadline, Security Researchers are not allowed to engage in test activities other than re-testing / patch verification specifically requested by you (the Program Owner) and/or your Program Collaborators.

Security Program Responsibilities and Liabilities

  • You agree that (i) your creation of the Security Program will not breach any agreements you have entered into with any third parties, (ii) you have all of the necessary right, title and interest to grant the license rights provided by you pursuant to the General Terms and Supplemental Terms, and (iii) you are and will remain in compliance with all Applicable Laws, Tax requirements, and rules and regulations.
  • You agree that you authorize Cobalt to list your program on the Site and Services.
  • You agree that you authorize invited Cobalt Core Security Researchers to perform tests on the Application(s)/Network(s) mentioned in scope in the Security Program.
  • You agree to take the full liability and responsibility if you invite Security Researchers who are not Cobalt Core Security Researchers to see your Security Program and/or Engage in testing of the scope of the security program.
  • You agree that the scope, rules and all other information on the Security Program combined with our Supplemental Terms for Engaging in Testing is the entire scope, rules and information which you expect the Security Researchers to follow if engaging in activities related to your Security Program.
  • You agree that Cobalt only provides a best practice set of rules as an example and that you as a Program Owner are fully responsible and liable for the coverage of the scope and the rules written in the Security Program.
  • You agree that you are responsible for contacting and getting, if needed, acceptance from any and all related third parties who potentially will be impacted by the activities related to the Security Program. This includes but is not limited to hosting providers.
  • You agree that you understand when you initiate the Security Program you will start receiving Vulnerability Report Submissions on the Site and Services. This means that Cobalt will store these Vulnerability Reports on the Site and Services, any vulnerability/Bug submitted against your Security Program will only be visible to you (Program Owner), Program Collaborators, the Security Researchers participating in the Program and Authorized staff at Cobalt.
  • In the event your program has responsible disclosure you agree that you are responsible for informing the Security Researchers on when he/she can disclose a given vulnerability to the public.
  • As aligned with the General Terms Limitation of Liability section, you as the Program Owner understand and agree that the nature of penetration testing may cause harm or disruption to Application(s) and/or Network(s) and that neither Cobalt nor the Security Researchers shall have any liability of any kind arising out of such testing activities unless the Security Researcher has committed gross negligence or committed willful misconduct in performance of such testing.

Intellectual Property Rights

See the General Terms for information around Ownership and License grants.

Privacy

You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used solely for the purposes and within the context of the Security Program. This data will also be transferred into the United States. By entering, entrants agree to the transmission, processing, sharing and storage of this personal data in the United States. You also understand this data may be used by Cobalt in order to verify your identity and telephone number in the event of a submission. You have the right to access, review, rectify or cancel any personal data held by Cobalt in connection with the Security Program by writing to Cobalt at privacy@cobalt.io. If you do not provide the data required at registration, your submission will be ineligible. Otherwise, all personal information that is collected from you is subject to Cobalt’s Privacy Policy.

For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

  • the data controller is Cobalt and the data recipient is Cobalt
  • your data is collected for purposes of administration of the promotion and for marketing purposes
  • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at privacy@cobalt.io
  • your personal data will be transferred to the U.S.

Publicity

By starting a program, you agree to Cobalt’s use of the information you give in the program for advertising and promotional purposes without additional compensation, unless prohibited by law.

Warranty and Indemnification

You, as Program Owner, represent and warrant that you own or have all necessary right, title and interest in the Application(s)/Network(s) in scope for the Security Program and that the Security Program material and Application(s)/Network(s) submitted by you or on your behalf do not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations, defame any person or violate their rights of publicity or privacy or otherwise violate any Applicable Law.

To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorney’s fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your negligence or willful misconduct; (iv) your breach of your representations and warranties set forth in the Terms; (v) your violation of Applicable Law; (vi) any misrepresentation made by you in connection with the Site and Services; (vii) any error made by you in the collection, processing, or retention of submission information or in the printing, offering or announcement of any reward or winners; and (viii) your breach, default or violation of the General Terms, Supplemental Terms or Security Program Rules (collectively, the “Indemnified Claims”). You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party arising out of or relating to the Indemnified Claims.

Elimination

Any false information provided within the context of the Security Program by you concerning identity, mailing address, telephone number, email address, ownership of rights or non-compliance with these terms and conditions or the like may result in the immediate elimination of the Security Program.

Network Malfunction

Cobalt does not give a guarantee against any malfunction of the entire Security Program Site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Vulnerability Report submissions due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit the period a program is listed on the Site.

Right to Cancel, Modify or Disqualify

If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, Cobalt reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. Cobalt further reserves the right to disqualify any Member who tampers with the submission process or any other part of the Security Program or Security Program Site. Any attempt by a Member to deliberately damage any web site, including the Program Site, or undermine the legitimate operation of the Program is a violation of criminal and civil laws and should such an attempt be made, Cobalt reserves the right to seek damages from you to the fullest extent under Applicable law.

Recommendation

Cobalt recommends that you obtain appropriate insurance and backup for your Application(s)/Network(s) and its content. Please review any insurance policy that you may have for your Application(s)/Network(s) and its content carefully, and in particular please make sure that you are familiar with and understand any exclusions to, and any deductibles that may apply for, such insurance policy.

Complete Agreement and Order of Precedence

All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.