Effective Date: October 1st, 2023
These are the Bug Bounty Terms and Conditions, hereby referred as https://bugbounty.compass-security.com/bug-bounty-terms-and-conditions/. Compass Security Network Computing AG is the owner of this bug bounty service. The owner and its direct subsidiaries will be referred to hereinafter as “Compass”.
Please read these Bug Bounty Terms and Conditions (the "BBTC") carefully before accessing or participating in bug bounty Programs, the Platform, mailing lists, websites, transactions, or any other services related to bug bounty and made available by Compass, as these terms govern the Users use of our Bug Bounty Program.
A Customer shall refer to an organization who has established a contractual relationship with Compass, as evidenced by a signed agreement, and who has defined the scope and rules of the bug bounty Program in accordance with such agreement.
A Hunter shall refer to an external party who voluntarily engages in vulnerability testing and who is not affiliated with Compass in any way, including as an employee, contractor, or agent.
A User could be either a Customer, Hunter or generic User of the service.
A Program is the scope and rules defined by a Customer and covers assets, systems, and applications that are subject for testing, as well as the specific vulnerabilities and exploits that are eligible for bounties.
The Bounty is the reward or incentive for eligible submissions. The Customer maintains a contract with Compass which defines the guidelines to quantify such rewards.
The BBTC applicable apply as of the respective Effective Date to all Users who register or have registered as a Customer, Hunter or User of the Services and/or use the Compass Portal or Platform. By using the Compass Portal or Platform, Users acknowledge that these BBTCs apply, and that access is granted to the User under the condition that all provisions of these terms are complied with and are accepted by the User.
Inquiries by e-mail can be sent to firstname.lastname@example.org.
Right of Modification
Compass may, at its sole discretion, update, modify, or revise the BBTC, including the general prohibitions outlined herein, at any time without notice. By utilizing the services, the Hunter or Customer acknowledges and agrees to be bound by the most current version of the BBTC. If any provision thereof is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. Failure by Compass to enforce any provision of the BBTC shall not be deemed a waiver of such provision or of the right to enforce such provision. Any waiver of any provision of the BBTC by Compass must be in writing and signed by an authorized representative of Compass.
Use of the Bug Bounty Service
The Portal provides the web presence for the Customer to publish Programs and to offer Bounties to Hunters for submissions within a Program. The Hunter may browse the Programs and get to know rules and scopes. Compass may modify all or any part of the Portal, provided that such changes comply with the terms of the agreement with the Customer and do not substantially diminish the services provided to Customers.
Hunters may access the Platform to report security vulnerabilities and weaknesses identified in relation with Programs. Compass reserves the right to determine the eligibility of reported vulnerabilities and to reward Hunters in accordance with the Program's terms and conditions.
The Platform relies on a third-party ticketing service to manage certain aspects of the Programs. While Compass makes reasonable effort to ensure that this service is reliable and securely integrated, Compass cannot guarantee the availability or accuracy of the third-party ticketing service. Compass expressly disclaims any and all liability for any losses, damages, or other adverse outcomes arising from the use of the third-party ticketing service, including but not limited to, any errors or omissions, delays, interruptions, or other technical issues. By utilizing the Platform, the User acknowledges and agrees that the use of the third-party ticketing service is at the User’s own risk, and that Compass shall not be held responsible for any issues related to the service, including but not limited to, any loss of data, corruption, or other damage. The User is encouraged to review the terms and conditions of the third-party ticketing service before using the Platform.
Programs and Participation
Compass may provide assistance to the Customer in defining a Program, but it is the sole responsibility of the Customer to assure accuracy of such. Compass expressly disclaims any and all liability for any losses, damages, or other adverse outcomes arising from the Customer'’s bug bounty Program, including but not limited to, any errors or omissions in the Program'’s rules, terms, or conditions.
To be allowed to participate a Hunter must possess the legal age according to the jurisdiction he/she is located and the legal capacity to give consent to this BBTC as well as for the specific Programs scope and rules. Moreover, a Hunter hereby assures to be legally allowed to participate in such Program and also confirm not to be a resident or national of any sanctioned country.
Hunters may participate in a Program aiming to contribute to the security of Customers, earning financial rewards for identifying valid and actionable vulnerabilities, and enhancing their reputation in the cybersecurity community.
As a Hunter, you must act professional and respectful when interacting with the Customer'’s systems and infrastructure, and when communicating with Platform representatives. Thus, these terms prohibit abusive language, harassment, reputation-damaging behaviors, sharing inappropriate content, engaging in false or misleading activities, engaging in harmful activities, infringing upon third-party rights, causing harm to Compass or its Customers or assisting others conducting prohibited actions.
Confidentiality, Integrity, Availability
As a User, you must comply with the Program’s rules and guidelines, and ensure that any vulnerability submissions are accurate, complete, and actionable. Your participation may not violate any applicable laws or compromise any data that is not yours. You should not engage in any activities that may cause any harm to the Customer’s systems or data, or to the privacy and security of its clients and employees. Restrict access to data to the absolute minimum required to proof a vulnerability. Take precautions to minimize impact and report any unintended impairments to Compass.
By participating in a Program, Hunters agree to not disclose any information obtained, including information related to vulnerabilities, exploits, or other sensitive data, to any third-parties. Hunters must file all reports exclusively to Compass through the Platform.
Both the Customer and Compass acknowledge and agree that activities conducted by the Hunter that comply with the BBTC as well as with the scope and rules of the relevant Program shall be interpreted as authorized action. Neither the Customer nor Compass will initiate any legal action against the Hunter for such activities. In the event that a third-party initiates legal action against the Hunter for actions conducted in compliance with these BBTC and the relevant Program rules and scopes, the Customer and Compass shall take reasonable effort to inform the relevant authorities that the Hunter’s actions were conducted in accordance with this policy and a Customer’s Program. Compass cannot provide any form of defense, indemnification, or protection against third-party claims or criminal charges if a Hunter acts outside the Program scope and rules.
Eligible bounties will be paid to Hunters who correctly submit non-duplicate, valid and actionable vulnerability reports that comply to the Program's rules and guidelines are accepted by the Platform. Compass reserves the sole right to validate and rerate all submissions and to determine the severity of reported vulnerabilities as well as the Bounty type and amount. Compass is not able to issue Bounties to individuals who are on the Swiss, European, US (or other) sanctions lists. Compass reserves the right to make a transfer of a Bounty subject to a prior and successful KYC-check of the Hunter.
Payments will be wired in the programm currency to the Hunter's designated payment account within 10 business days of the report being confirmed by Compass. Compass reserves the right to withhold payment for bounties that are later found to be invalid or outside the scope of the Program, or for Hunters who are unable or unwilling to receive payment or fail to comply with the Program's rules.
Any fees including but not limited to transaction charges, currency conversion fees, or processing fees, related to the payment of bounties, including compliance with Hunter's local law and tax obligations, will be the sole responsibility of the Hunter. The payment terms and conditions may be updated or revised by Compass any time.
To fully participate in all Platform activities, Hunters must register for a personal account on the Platform by providing an email address and a password for the account. Hunters agree to never divulge or share access or access information to accounts with any third-party for any reason.
Hunters further agree that the Platform may publicly share their nickname connected to their personal account in relation with statistical information such as but not limited to the number of identified bounties, average severity, types of bugs, technologies, quality of reports, timelines.
The Customer acknowledged and agreed that Compass may use their name and/or logo for the purpose of advertising and promoting the bug bounty Program, the services, and Compass. This may include the use of the Customer's name and logo in marketing and promotional materials, including but not limited to, the bug bounty Portal, social media, press releases, and other publications.
To the maximum extent permitted by applicable law, Compass and its affiliates shall not be liable for loss or damage of any kind (including but not limited to loss of profit, loss of use, loss of data or information, or any direct, indirect, incidental or consequential damages) suffered by the User or any other party in connection with or arising out of the use of or access to Compass’s Portal or Platform, or information or content contained therein regardless of the factual grounds or legal basis of such loss or damage, including but not limited to contract, tort (including negligence), indemnity, warranty, strict liability or otherwise. Compass does not warrant that the Compass Portal and Platform run flawlessly without interruptions.
Copyrights and Trademarks
All content (including but not limited to design, text, graphics, images, pictures, logos, icons, software, apps, etc.) as well as all trademarks and tradenames on the Compass websites might be protected by copyright, trademark and / or other intellectual and industrial property rights, and all such rights remain reserved. The Compass website’s individual elements are the exclusive property of Compass and its affiliates. Unless expressly authorized in writing by Compass in advance, the trademarks and content on the Compass websites may only be used for the User’s own, internal documentation purposes concerning Compass, its products, and services — and only with the copyright notices remaining intact. By saving or reproducing software or other data from the Compass websites, the respective terms and conditions are deemed accepted.
The (full or partial) replication, transmission (electronically or by other means), modification, linking, or use of the Compass websites is permitted only with the express prior written authorization of Compass.
Furthermore, it is prohibited, in particular, to use tools (e.g. Spider, Crawler and other automatic tools) designed to systematically and automatically copy, reproduce, broadcast, or otherwise transmit Compass websites content. Compass explicitly reserves the right to take action against the responsible parties, namely to claim compensation for damages.
Referrals and Links
The Compass websites may contain links to websites and other resources of third parties, which are beyond the control of Compass. Compass assumes no responsibility for the suitability, accuracy, completeness, adequacy, legality, or otherwise of the contents of such websites or for any offers and services contained therein. The use of such websites and resources is at the User's own risk.
Compliance and Termination
A contract formed on these BBTC may, unless otherwise provided in the applicable contract, be terminated by either Compass or a Customer if it alleges a material breach and such breach is not cured within thirty (30) days after receipt of written notice of the breach by the non-breaching party.
Compass may, in its sole discretion, terminate or temporarily or permanently suspend access to and use of the Portal, Platform or Program and/or any User or the User’s Account and/or disqualify a Hunter’s submitted vulnerabilities or terminate a Hunter’s participation in the Program, who, in Compass' opinion, does not comply with the BBTC, a contract or Program scopes, the netiquette, rules of engagement guidelines or the law. Other legal action as deemed necessary by Compass remain reserved.
Each User has the option to terminate his or her User Account at any time by notifying Compass, in which case he or she will not be entitled to a refund of any fees, unless otherwise expressly agreed.
Governing Law and Jurisdiction
These BBTC shall be subject to and construed in accordance with Swiss law.
The exclusive place of jurisdiction for disputes arising is Rapperswil-Jona, Canton of St Gallen (Switzerland).