Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

Terms of use

Engaging in testing

Last update on 4th of April, 2018

Binding Agreement

In order to engage in any test activity on the application(s)/network(s) listed in scope for the Security Program, you must agree to these terms and conditions. You agree that engaging in test activities on the application(s)/network(s) in scope for the Security Program and submission of a Vulnerability Report in the Security Program constitutes agreement to these Terms and conditions. If you do not agree to these terms you may NOT engage on any test activity on the application(s)/network(s) in scope for the Security Program or submit a Vulnerability Report to the Security Program. These terms form a binding legal agreement between you, the Program Owner and Cobalt (Hereafter "CB") with respect to the Security Program.

By agreeing to these terms and conditions you also agree that you are a Member of the Site and Services and you therefore already agree to and have accepted the General Terms and Privacy Policy for being a Member on the Site and Services. The meaning of abbreviations used in these terms are listed in the General Terms. All the mentioned terms are found at


In order to enter in test activities related to the Security Program you must adhere to the rules for who can participate set by the Program Owner in the Program Rules. If you are entering as part of a company or on behalf of your employer, these rules are binding on you, individually, and/or your employer. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including your potential receipt of payment. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

Payments are not given to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

Security Program Time Period

The Security Program initiates when the it is listed on the CB Security Program list on the Site and Services and have the status Live.

The Security Program will be open for testing on CB until a deadline agreed between the Program Owner and CB or until the Program Owner chooses to close the Security Program. In case of a Security Program closure there might be some lead time until the Security Program is not open on the Sites and Services anymore.

It is important to notice that

  • When a program is not on the Security Program list, security researchers are not allowed to engage in test activities on the former scope of the Security Program which was once there

How to Engage in a Test for a Security Program

Go to the Security Program details. Read the instructions, questionnaire and Program Rules for engaging in the test and for submitting a Vulnerability Report.

Responsibilities and Liabilities

  • You agree that you are only allowed to participate in a program if you have gone through background checks, signed NDA and been invited to a program.
  • You agree that you have read the scope, rules and all other information on the Security Program.
  • As an entrant onboarded to the Security Program and Cobalt Core, CB assumes the full liability of any damage you perform on the Program Owner’s applications, data and systems.
  • You agree that CB can take legal recourse against you for any losses, including loss in sales, loss of integrity or loss of reputation, caused to the Program Owner’s applications, data and systems, as a result of illegal activities performed by you or your failure to comply with the Program Rules and these terms and conditions.
  • You agree to take the full risk, liability and responsibility of management and cost in case of any required legal actions against you in relation to any illegal activities performed by you on the applications, data and systems based on the Security Program listed on the Site and Services. This includes but is not limited to the following activities: disruption, damaging or stealing of/from the data, applications and systems.
  • You understand that CB only provides a best practice set of rules as an example and that it is the Program Owner who is fully responsible and liable for the coverage of the scope and the Program Rules written in the Security Program.

Vulnerability Report Requirements

The Vulnerability Report submission must meet the criterias set by the Program Owner in the Program Rules listed on the program site on the Site and Services. Furthermore finding vulnerabilities using any of the following type of methods are not allowed under any circumstance

  • Spam-based
  • Social Engineering

Payment Management

As part of engaging in a test you will receive a payment from CB. You will be informed about the size of this payment as well as the related work expected for the given payment before the test begins and you will not receive additional payment beside from this amount unless CB agrees to it. Payments will be paid a period (Determined by CB) after the test has been completed.


You agree that you are solely responsible for determining your applicable Tax reporting requirements in consultation with your tax advisors. CB cannot and does not offer Tax-related advice to any Members of the Site and Services. Additionally, note that each Security Researcher is responsible for determining local indirect Taxes. Where applicable, or based upon request from a Security Researcher, CB may issue a valid VAT invoice to such Security Researcher.

General Conditions

All Country, federal, state, provincial and local laws and regulations apply. CB reserves the right to disqualify any entrant from the Program if, in CB’s sole discretion, it reasonably believe that you have attempted to undermine the legitimate operation of the Program by cheating, deception, or other unfair playing practices or annoys, abuses, threatens or harasses any other users, CB, or the program owner.

Intellectual Property Rights

As between CB, the program owner and the entrant (you), entrant retains ownership of all intellectual and industrial property rights (including moral rights) in and to the Vulnerability Report submission. As a condition of submission, the entrant grant CB and Program Owner and its subsidiaries, agents and partner companies, a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create a derivative work from, and publicly display the vulnerability for the purposes of allowing CB and the Program Owner to evaluate the vulnerability for purposes of the Program and in connection with advertising and promotion via communication to the public or other groups, including, but not limited to, the right to make screenshots, animations and Bug clips available for promotional purposes.


You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used for the purposes and within the context of the Security Program. This data will also be transferred into the United States. By entering, entrants agree to the transmission, processing, sharing and storage of this personal data in the United States. Participants also understand this data may be used by CB in order to verify an entrant’s identity and telephone number in the event of a submission. Participants have the right to access, review, rectify or cancel any personal data held by CB in connection with the Security Program by writing to CB at the address listed above. If a participant does not provide the data required at registration, that participant’s submission will be ineligible. Otherwise, all personal information that is collected from the entrant is subject to CB’s Privacy Policy, located at

For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

  • the data controller is CB and the data recipients is CB
  • your data is collected for purposes of administration of the promotion and for marketing purposes;
  • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to CB
  • your personal data will be transferred to the U.S.


By participating in a Security Program, entrant agrees to CB and the Program Owner use of his or her name and Vulnerability Report for advertising and promotional purposes without additional compensation, unless prohibited by law.

Warranty and Indemnification

You warrant that the Vulnerability Reports you submit are your own original work and you are the sole and exclusive owner and rights holder of the submitted Vulnerability Report and you have the right to submit the Vulnerability Report in the Security Program and grant all required licenses. you agree not to submit any Vulnerability Report that (1) infringes any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation,copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations; or (2) otherwise violates the applicable state, federal, provincial or local law. To the maximum extent permitted by law, each entrant indemnifies and agrees to keep indemnified CB at all times from and against any liability, claims, demands, losses, damages, costs and expenses resulting from any act, default or omission of the entrant and/or a breach of any warranty set forth herein. To the maximum extent permitted by law, each entrant agrees to defend, indemnify and hold harmless CB from and against any and all claims, actions, suits or proceedings, as well as any and all losses, liabilities, damages, costs and expenses (including reasonable attorneys fees) arising out of or accruing from:

  • Any Vulnerability Report or other material uploaded or otherwise provided by the entrant that infringes any copyright, trademark, trade secret, trade dress, patent or other intellectual property right of any person or defames any person or violates their rights of publicity or privacy,
  • Any misrepresentation made by the entrant in connection with the Program;
  • Any non-compliance by the entrant with these terms;
  • Claims brought by persons or entities other than the parties to these terms arising from or related to the entrant’s involvement with the Security Program;
  • Any malfunction or other problem with the Site and Services;
  • Any error in the collection, processing, or retention of submission information;


Any false information provided within the context of the Security Program by any entrant concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms or the like may result in the immediate elimination of the entrant from the Security Program.


CB and the Program Owners are not responsible for any malfunction of the entire Site and Services or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed vulnerability reports due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit an entrant’s ability to participate.

Right to Cancel, Modify or Disqualify

If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, CB reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. CB further reserves the right to disqualify any entrant who tampers with the submission process or any other part of the Security Program or the Site and Services. Any attempt by an entrant to deliberately damage the Site and Services or undermine the legitimate operation of the Security Program is a violation of criminal and civil laws and should such an attempt be made, CB reserves the right to seek damages from any such entrant to the fullest extent of the applicable law.

Not and offer or contract of employment

Under no circumstances shall the invitation to a test, or anything in these terms and conditions be construed as an offer or contract of employment with either CB, or the program owner. You acknowledge that you have engaged in testing voluntarily and not in confidence or in trust. You acknowledge that no confidential, fiduciary, agency or other relationship or implied-in-fact contract now exists between you and CB or the program owners and that no such relationship is established by your submission of a vulnerability report under these terms and conditions.

Controlling Law and Jurisdiction

These Terms will be interpreted in accordance with the laws of the State of California and the United States of America, without regard to its conflict-of-law provisions. You and we agree to submit to the personal jurisdiction of a state court located in San Francisco County, San Francisco, California or a United States District Court, Northern District of California located in San Francisco, California for any actions for which the parties retain the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights, as set forth in the Dispute Resolution provision below.

Dispute Resolution

You and CB agree that any dispute, claim or controversy arising out of or relating to these Terms or the breach, termination, enforcement, interpretation or validity thereof, or to the use of the Services or use of the Site or Application (collectively, "Disputes") will be settled by binding arbitration , except that each party retains the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights. You acknowledge and agree that you and CB are each waiving the right to a trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding. Further, unless both you and CB otherwise agree in writing, the arbitrator may not consolidate more than one person's claims, and may not otherwise preside over any form of any class or representative proceeding. If this specific paragraph is held unenforceable, then the entirety of this "Dispute Resolution" section will be deemed void. Except as provided in the preceding sentence, this "Dispute Resolution" section will survive any termination of these Terms.

Arbitration Rules and Governing Law. The arbitration will be administered by the American Arbitration Association ("AAA") in accordance with the Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes (the "AAA Rules") then in effect, except as modified by this "Dispute Resolution" section. (The AAA Rules are available at or by calling the AAA at 1-800-778-7879.) The Federal Arbitration Act will govern the interpretation and enforcement of this section.

Arbitration Process. A party who desires to initiate arbitration must provide the other party with a written Demand for Arbitration as specified in the AAA Rules. (The AAA provides a form Demand for Arbitration at and a separate form for California residents at The arbitrator will be either a retired judge or an attorney licensed to practice law in the state of California and will be selected by the parties from the AAA’s roster of consumer dispute arbitrators. If the parties are unable to agree upon an arbitrator within seven (7) days of delivery of the Demand for Arbitration, then the AAA will appoint the arbitrator in accordance with the AAA Rules.

Arbitration Location and Procedure. Unless you and CB otherwise agree, the arbitration will be conducted in the county where you reside. If your claim does not exceed $10,000, then the arbitration will be conducted solely on the basis of documents you and CB submit to the arbitrator, unless you request a hearing or the arbitrator determines that a hearing is necessary. If your claim exceeds $10,000, your right to a hearing will be determined by the AAA Rules. Subject to the AAA Rules, the arbitrator will have the discretion to direct a reasonable exchange of information by the parties, consistent with the expedited nature of the arbitration.

Arbitrator’s Decision. The arbitrator will render an award within the time frame specified in the AAA Rules. The arbitrator’s decision will include the essential findings and conclusions upon which the arbitrator based the award. Judgment on the arbitration award may be entered in any court having jurisdiction thereof. The arbitrator’s award damages must be consistent with the terms of the "Limitation of Liability" section above as to the types and the amounts of damages for which a party may be held liable. The arbitrator may award declaratory or injunctive relief only in favor of the claimant and only to the extent necessary to provide relief warranted by the claimant’s individual claim. If you prevail in arbitration you will be entitled to an award of attorneys’ fees and expenses, to the extent provided under applicable law. CB will not seek, and hereby waives all rights it may have under applicable law to recover, attorneys’ fees and expenses if it prevails in arbitration.

Fees. Your responsibility to pay any AAA filing, administrative and arbitrator fees will be solely as set forth in the AAA Rules. However, if your claim for damages does not exceed $75,000, CB will pay all such fees unless the arbitrator finds that either the substance of your claim or the relief sought in your Demand for Arbitration was frivolous or was brought for an improper purpose (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b)).

Changes. Notwithstanding the provisions of the "Modification" section above, if CB changes this "Dispute Resolution" section after the date you first accepted these Terms (or accepted any subsequent changes to these Terms), you may reject any such change by sending us written notice (including by email to within 30 days of the date such change became effective, as indicated in the "Last Updated Date" above or in the date of Cobalt’s email to you notifying you of such change. By rejecting any change, you are agreeing that you will arbitrate any Dispute between you and CB in accordance with the provisions of this "Dispute Resolution" section as of the date you first accepted these Terms (or accepted any subsequent changes to these Terms).

Final Comment

The failure of CB to enforce any right or provision of these Terms will not constitute a waiver of future enforcement of that right or provision. The waiver of any such right or provision will be effective only if in writing and signed by a duly authorized representative of CB. Except as expressly set forth in these Terms, the exercise by either party of any of its remedies under these Terms will be without prejudice to its other remedies under these Terms or otherwise. If for any reason an arbitrator or a court of competent jurisdiction finds any provision of these Terms invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the other provisions of these Terms will remain in full force and effect.