Last update on 9th of January, 2019
IMPORTANT - READ BEFORE USING THE SITE OR SERVICES TO ENGAGE IN A TEST AS A SECURITY RESEARCHER.
BY CLICKING TO SIGN IN ONLINE TO USE THE COBALT SITE AND SERVICES AND USING THE SITE AND SERVICES TO ENGAGE IN A TEST AND/OR SUBMIT A VULNERABILITY REPORT, SECURITY RESEARCHER (“YOU” OR “YOUR”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO ENGAGE IN A TEST AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE PROGRAM OWNER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO ENGAGE IN ANY TEST ACTIVITY ON THE APPLICATION(S)/NETWORK(S) IN SCOPE FOR THE SECURITY PROGRAM OR SUBMIT A VULNERABILITY REPORT TO THE SECURITY PROGRAM.
In order to engage in test activities as a Security Researcher related to the Security Program you must adhere to the rules for who can participate as set by the Program Owner in the Program Rules. If you are acting within the scope of your employment, as an employee, contractor, or agent (each a “Representative”) of another party, and you are entering into the Terms on behalf of such contracting party, you warrant that such party has full knowledge of your actions and has consented thereto, including your potential receipt of payment, and that you have the authority to bind such entity to these Supplemental Terms. You acknowledge and agree that each Representative of the contracting party who will act as Security Researcher must register individually as a Member of the Service and submit to the required Background Checks (as defined in the General Terms) and other required vetting requirements as determined by Cobalt in its sole discretion. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.
Payments are not given to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.
Security Program Time Period
The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.
The Security Program will be open for testing on Cobalt until a deadline agreed between the Program Owner and Cobalt. This deadline will be listed on the Security Program.
It is important to note that
- When a program is past the test deadline, security researchers are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by the Program Owner and/or Program Collaborators.
How to Engage in a Test for a Security Program
Go to the Security Program details. Read the instructions, questionnaire and Program Rules for engaging in the test and for submitting a Vulnerability Report.
Responsibilities and Liabilities
- You agree that, unless explicitly approved in writing by the Program Owner and Cobalt, you are only allowed to participate in a Security Program if you are a Cobalt Core Security Researcher who have gone through background checks, signed the Cobalt NDA and been invited to a particular Security Program.
- You agree that you are responsible for reading and complying with the scope, rules and all other information on the Security Program.
- You agree to take professional precautions when Engaging in a test and that you may not perform testing that can result in disruption of an Application/Network (Such as DDoS) unless explicitly approved as part of the Security Program Rules.
- You agree that you are liable and responsible for your negligent, wrongful or improper conduct in connection with your use of the Site and/or Service or the performance of testing activities as further described in the indemnity section of these Supplemental Terms.
- You understand that Cobalt only provides a best practice set of rules as an example and that it is the Program Owner who is fully responsible and liable for the coverage of the scope and compliance with the Program Rules written in the Security Program.
- You agree that the Vulnerability Report submission must meet the criteria set by the Program Owner in the Program Rules listed on the Security Program site on the Site and Services.
- You agree that finding vulnerabilities using any of the following type of methods are not allowed under any circumstance
- Social Engineering
As part of engaging in a test you will receive a payment from Cobalt. You will be informed about the size of this payment as well as the related work expected for the given payment before the test begins and you will not receive additional payment other than the stated amount unless Cobalt agrees to it. Payments will be paid within a period (Determined by Cobalt) after the test has been completed.
You agree that you are solely responsible for determining your applicable Tax reporting requirements in consultation with your tax advisors. Cobalt cannot and does not offer Tax-related advice to any Members of the Site and Services. Additionally, note that each Security Researcher is responsible for determining local indirect Taxes. Where applicable, or based upon request from a Security Researcher, Cobalt may issue a valid VAT invoice to such Security Researcher.
You shall comply with all Applicable Laws in connection with the performance of testing activities. Cobalt reserves the right to disqualify you from the Program if, in Cobalt’s sole discretion, it reasonably believe that you have attempted to undermine the legitimate operation of the Program by cheating, deception, or other unfair practices or annoy, abuse, threaten or harass any other users, Cobalt, or the Program Owner.
Intellectual Property Rights
See the General Terms for terms around Ownership and License grants related to Vulnerability Reports and Related Methods and Techniques.
For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:
- the data controller is Cobalt and the data recipients is Cobalt
- your data is collected for purposes of administration of the promotion and for marketing purposes
- you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at email@example.com
- your personal data will be transferred to the U.S.
By participating in a Security Program, you agree to Cobalt and the Program Owner's use of your name and Vulnerability Report for advertising and promotional purposes without additional compensation, unless prohibited by law.
Warranty and Indemnification
You represent and warrant that (i) the Vulnerability Reports you submit are your own original work and you are the sole and exclusive owner and holder of all right, title and interest to the submitted Vulnerability Report; (ii) you have the right to submit the Vulnerability Report in the Security Program and grant all required licenses provided for in the General Terms and these Supplemental Terms; and (iii) the Vulnerability Report submitted by you does not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations otherwise violate the Applicable Law.
To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorneys’ fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your fraudulent, negligent or willful misconduct in connection with your use of the Site or Services or the performance of your testing activities or other obligations under the Terms; (iv) your breach of your representations and warranties under the Terms; (v) your failure to properly perform your obligations under the Terms; (vi) your violation of Applicable Law; (vii) any misrepresentation made by you in connection with the Site and Services; (viii) any error made by you in the collection, processing, or retention of submission information through the Site or Service including as may be contained in a Vulnerability Report; and (ix) your default, breach or violation of the General Terms, Supplemental Terms or Security Program Rules (collectively as “Indemnified Claims”) .
You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party or a Program Owner arising out of or relating to the Indemnified Claims.
Any false information provided within the context of the Security Program by you concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms or the like may result in the immediate elimination from the Security Program and in such event you shall not be entitled to any payment for any services rendered.
Cobalt and the Program Owners are not responsible for any malfunction of the entire Site and Services or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed vulnerability reports due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit your ability to participate.
Right to Cancel, Modify or Disqualify
If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, Cobalt reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. Cobalt further reserves the right to disqualify any entrant who tampers with the submission process or any other part of the Security Program or the Site and Services. Any attempt by you to deliberately damage the Site and Services or undermine the legitimate operation of the Security Program is a violation of criminal and civil laws and should such an attempt be made, Cobalt reserves the right to seek damages from you to the fullest extent under applicable law.
Not an offer or contract of employment
Under no circumstances shall the invitation to a test, or anything in these Supplemental Terms be construed as an offer or contract of employment with either Cobalt, or the Program Owner. You acknowledge that you have engaged in testing voluntarily and not in confidence or in trust. You acknowledge that no confidential, fiduciary, agency or other relationship or implied-in-fact contract now exists between you and Cobalt or the Program Owners and that no such relationship is established by your submission of a vulnerability report under these Supplemental Terms.
Complete Agreement and Order of Precedence
All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.