Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

Terms of use

Running a Security Program

Last update on 4th of April, 2018

Binding Agreement

Read these terms and conditions prior to submission of the Security Program to ensure you on behalf of your business understand and agree that a submission of a Security Program constitutes agreement to these terms and conditions. These terms and conditions form a binding legal agreement between you and Cobalt (hereafter referred to as "CB").

By agreeing to these terms and conditions you also agree that you are a Member of the Site and Services and you therefore already agree to and have accepted the General Terms and Privacy Policy for being a Member on the Site and Services. The meaning of abbreviation used in these terms are listed in the General Terms. All the mentioned terms are found at


To submit a Security Program, you must either be the owner of the application(s)/network(s) you list as in scope of the test or have written approval from the owner to list them. You also need to ensure that the scope may be tested pursuant to the terms and conditions of an agreement with a third party, including, but not limited to, a hosting agreement. If you are entering as part of a company or on behalf of your employer, these rules are binding on you, individually, and/or your employer. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including the cost of the activities. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

Security Program Time Period

The Security Program initiates when the it is listed on the CB Security Program list on the Site and Services and have the status Live.

The Security Program will run until a written deadline agreed between you (The Program Owner) and CB or until you decide to close it.

It is important to notice that

  • Security Researchers can only engage in testing on programs there are in status Live and the Security Researchers have been invited to.

Security Program Responsibilities and Liabilities

  • You agree that your creation of the Security Program (i) will not breach any agreements you have entered into with any third parties and (ii) will be in compliance with all applicable laws, Tax requirements, and rules and regulations.
  • You agree that you authorize CB to list your program on the Site and Services.
  • You agree that you authorize Security Researchers to perform tests on the application(s),network(s) mentioned in scope in the Security Program.
  • You agree that the scope, rules and all other information on the Security Program is the entire scope, rules and information which you expect the security researchers to follow if engaging in activities related to your Security Program.
  • You agree that CB only provides a best practice set of rules as an example and that you as a Program Owner is fully responsible and liable for the coverage of the scope and the rules written in the Security Program and in the Terms.
  • You agree that CB is only liable and responsible for any loss in relation your Security Program, direct or indirect, if caused by the security researchers failure to comply with the Program Rules and CB’s terms and conditions or if arising from illegal activities. This includes, but is not limited to loss of sales, loss of integrity, increased cost of hosting, hosting/hardware damage cost and/or cost of lost data.
  • You agree to take the full risk, liability and responsibility of management and cost in case of any required legal actions against Security Researchers or others who have engaged in activities on your applications and systems based on your Security Program listing and performed illegal activities. This includes but is not limited to the following activities: disruption, damaging or stealing of/from your application(s), data and systems.
  • You agree that you are responsible for contacting and getting, if needed, acceptance from any and all related 3rd parties who potentially will be impacted by the activities related to the program. This includes but is not limited to hosting providers.

Security Program Management

  • You agree that you understand when you initiate the Security Program you will start receiving Vulnerability Report Submissions on the Site and Services. This means that CB will store these vulnerability reports on the Site and Services, any vulnerability/Bug submitted against your Security Program will only be visible to you (Program Owner), Program Collaborators, the Security Researchers participating in the Program and Authorized staff at CB.
  • In case your program have responsible disclosure you agree that you are responsible for informing the security researchers on when he/she can disclose a given vulnerability to the public. CB provides a workflow for this via the Site and Services.


You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used for the purposes and within the context of the Security Program. This data will also be transferred into the United States. By entering, entrants agree to the transmission, processing, sharing and storage of this personal data in the United States. Participants also understand this data may be used by CB in order to verify an entrant’s identity and telephone number in the event of a submission. Participants have the right to access, review, rectify or cancel any personal data held by CB in connection with the Security Program by writing to CB at the address listed above. If a participant does not provide the data required at registration, that participant’s submission will be ineligible. Otherwise, all personal information that is collected from the entrant is subject to CB’s Privacy Policy, located at

For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

  • the data controller is CB and the data recipients is CB
  • your data is collected for purposes of administration of the promotion and for marketing purposes;
  • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to CB
  • your personal data will be transferred to the U.S.


By starting a program, you agree to CB’s use of the information you give in the program for advertising and promotional purposes without additional compensation, unless prohibited by law.

Waranty and Indemnification

Program Owners warrant that the application(s)/network(s) in scope for the Security Program are their own or that you have received written approval from the owner of the application(s)/network(s) to list them in scope. You agree not to submit any program that:

  • Infringes any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations
  • Violates the applicable country, state, federal, provincial or local law

To the maximum extent permitted by law, each entrant indemnifies and agrees to keep indemnified CB at all times from and against any liability, claims, demands, losses, damages, costs and expenses resulting from any act, default or omission of the entrant and/or a breach of any warranty set forth herein. To the maximum extent permitted by law, each entrant agrees to defend, indemnify and hold harmless CB from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from:

  • Any Security Program or other material uploaded or otherwise provided by the entrant that infringes any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person or defames any person or violates their rights of publicity or privacy
  • Any misrepresentation made by the entrant in connection with the Site and Services
  • Any non-compliance by the entrant with these Terms
  • Claims brought by persons or entities other than the parties to these Terms arising from or related to the entrant’s involvement with the Site and Services
  • Any malfunction or other problem with the Site and Services
  • Any error in the collection, processing, or retention of submission information; or (g) any typographical or other error in the printing, offering or announcement of any reward or winners.


Any false information provided within the context of the Security Program by your concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms and conditions or the like may result in the immediate elimination of the Security Program.

Network Malfunction

CB does not give a guarantee against any malfunction of the entire Security Program Site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Vulnerability Report submissions due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit the period a program is listed on the site.

Right to Cancel, Modify or Disqualify

If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, CB reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. CB further reserves the right to disqualify any Member who tampers with the submission process or any other part of the Security Program or Security Program Site. Any attempt by a Member to deliberately damage any web site, including the Program Site, or undermine the legitimate operation of the Program is a violation of criminal and civil laws and should such an attempt be made, CB reserves the right to seek damages from any such entrant to the fullest extent of the applicable law.


CB recommends that you obtain appropriate insurance and backup for your application(s)/network(s) and its content. Please review any insurance policy that you may have for your application(s)/network(s) and its content carefully, and in particular please make sure that you are familiar with and understand any exclusions to, and any deductibles that may apply for, such insurance policy.

Controlling Law and Jurisdiction

These Terms will be interpreted in accordance with the laws of the State of California and the United States of America, without regard to its conflict-of-law provisions. You and we agree to submit to the personal jurisdiction of a state court located in San Francisco County, San Francisco, California or a United States District Court, Northern District of California located in San Francisco, California for any actions for which the parties retain the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights, as set forth in the Dispute Resolution provision below.

Dispute Resolution

You and CB agree that any dispute, claim or controversy arising out of or relating to these Terms or the breach, termination, enforcement, interpretation or validity thereof, or to the use of the Services or use of the Site or Application (collectively, "Disputes") will be settled by binding arbitration , except that each party retains the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights. You acknowledge and agree that you and CB are each waiving the right to a trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding. Further, unless both you and CB otherwise agree in writing, the arbitrator may not consolidate more than one person's claims, and may not otherwise preside over any form of any class or representative proceeding. If this specific paragraph is held unenforceable, then the entirety of this "Dispute Resolution" section will be deemed void. Except as provided in the preceding sentence, this "Dispute Resolution" section will survive any termination of these Terms.

Arbitration Rules and Governing Law. The arbitration will be administered by the American Arbitration Association ("AAA") in accordance with the Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes (the "AAA Rules") then in effect, except as modified by this "Dispute Resolution" section. (The AAA Rules are available at or by calling the AAA at 1-800-778-7879.) The Federal Arbitration Act will govern the interpretation and enforcement of this section.

Arbitration Process. A party who desires to initiate arbitration must provide the other party with a written Demand for Arbitration as specified in the AAA Rules. (The AAA provides a form Demand for Arbitration at and a separate form for California residents at The arbitrator will be either a retired judge or an attorney licensed to practice law in the state of California and will be selected by the parties from the AAA’s roster of consumer dispute arbitrators. If the parties are unable to agree upon an arbitrator within seven (7) days of delivery of the Demand for Arbitration, then the AAA will appoint the arbitrator in accordance with the AAA Rules.

Arbitration Location and Procedure. Unless you and CB otherwise agree, the arbitration will be conducted in the county where you reside. If your claim does not exceed $10,000, then the arbitration will be conducted solely on the basis of documents you and CB submit to the arbitrator, unless you request a hearing or the arbitrator determines that a hearing is necessary. If your claim exceeds $10,000, your right to a hearing will be determined by the AAA Rules. Subject to the AAA Rules, the arbitrator will have the discretion to direct a reasonable exchange of information by the parties, consistent with the expedited nature of the arbitration.

Arbitrator’s Decision. The arbitrator will render an award within the time frame specified in the AAA Rules. The arbitrator’s decision will include the essential findings and conclusions upon which the arbitrator based the award. Judgment on the arbitration award may be entered in any court having jurisdiction thereof. The arbitrator’s award damages must be consistent with the terms of the "Limitation of Liability" section above as to the types and the amounts of damages for which a party may be held liable. The arbitrator may award declaratory or injunctive relief only in favor of the claimant and only to the extent necessary to provide relief warranted by the claimant’s individual claim. If you prevail in arbitration you will be entitled to an award of attorney's’ fees and expenses, to the extent provided under applicable law. CB will not seek, and hereby waives all rights it may have under applicable law to recover, attorneys’ fees and expenses if it prevails in arbitration.

Fees. Your responsibility to pay any AAA filing, administrative and arbitrator fees will be solely as set forth in the AAA Rules. However, if your claim for damages does not exceed $75,000, CB will pay all such fees unless the arbitrator finds that either the substance of your claim or the relief sought in your Demand for Arbitration was frivolous or was brought for an improper purpose (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b)).

Changes. Notwithstanding the provisions of the "Modification" section above, if CB changes this "Dispute Resolution" section after the date you first accepted these Terms (or accepted any subsequent changes to these Terms), you may reject any such change by sending us written notice (including by email to within 30 days of the date such change became effective, as indicated in the "Last Updated Date" above or in the date of Cobalt’s email to you notifying you of such change. By rejecting any change, you are agreeing that you will arbitrate any Dispute between you and CB in accordance with the provisions of this "Dispute Resolution" section as of the date you first accepted these Terms (or accepted any subsequent changes to these Terms).

Final Comment

The failure of CB to enforce any right or provision of these Terms will not constitute a waiver of future enforcement of that right or provision. The waiver of any such right or provision will be effective only if in writing and signed by a duly authorized representative of CB. Except as expressly set forth in these Terms, the exercise by either party of any of its remedies under these Terms will be without prejudice to its other remedies under these Terms or otherwise. If for any reason an arbitrator or a court of competent jurisdiction finds any provision of these Terms invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the other provisions of these Terms will remain in full force and effect.