Last Update: Jan 24, 2018
This contract and any and all other documents referred to herein set out the terms under which a Researcher will provide Security Testing Services to Customers (the “Agreement” or “Security Testing Contract”).
Under this Agreement, Customers and Researchers may be identified collectively as “Parties” and severally as “Party”.
This Agreement is in addition to the AGREEMENT GOVERNING THE USE OF THE PLATFORM AND THE PROVISION OF SELF-MANAGED SERVICES.
UpSecurIT is an online platform allowing members of the public (“Researchers” or “Hackers”) to use their technical skills and perform security tests in order to identify and report software vulnerabilities on customers' listed programs.
Researchers offer their services directly to users or legal entities willing to undergo vulnerability testing on their IT environments.
By agreeing to these terms and conditions you also agree that you are a User of the UpSecurIT Platform and you therefore already agree to and have accepted the AGREEMENT GOVERNING THE USE OF THE PLATFORM AND THE PROVISION OF SELF-MANAGED SERVICES.
All expressions not defined in this Contract are listed in the AGREEMENT GOVERNING THE USE OF THE PLATFORM AND THE PROVISION OF SELF-MANAGED SERVICES.
In the event of any conflict between this Agreement and the “AGREEMENT GOVERNING THE USE OF THE PLATFORM AND THE PROVISION OF SELF-MANAGED SERVICES”, the provisions of this Agreement shall prevail unless it is expressly stated otherwise.
All capitalized terms that are not expressly defined in this Agreement should have the meaning given to them in the AGREEMENT GOVERNING THE USE OF THE PLATFORM AND THE PROVISION OF SELF-MANAGED SERVICES.
If there is any inconsistency between the interpretation of the Italian version and the translated version of these terms, the meaning under the Italian version shall prevail.
Art. 1 Researchers' representations and warranties
In order to engage in a Security Test, the Hacker agrees to the following terms:
1. Only perform a vulnerability test within the scope and the limits that a Customer has expressly defined for the listed Program under a Project.
2. Read carefully all instructions and rules set by Customers before engaging in the Security Test and for submitting a Vulnerability Report.
3. Submit a Vulnerability Report that meets the requirements set by Customers.
4. Commit to keep in the strictest confidence any and all Customer information to which they may have had access during testing, including any Vulnerabilities and sensitive data, if any, to which they may have had access.
5. Use Customer information only as required for Security Test performance.
6. Respect Customer intellectual property rights, especially while performing Security Testing Services and without limitation to those related to the software used and Customer licenses.
7. Refrain from redoing any Security Tests outside of the scope defined by the Customer and listed on the Platform once the listing is complete.
8. Refrain from any actions which affect the integrity or availability of the listed IT Environments. If you notice performance degradation in the listed IT Environment, you must immediately suspend the Security Test and report to the Customer.
9. Grant Customers a perpetual and irrevocable license of use on the submitted Vulnerability Report.
2. Requirements to qualify for a reward
In order to qualify for a Reward, the Researcher must:
- Be the first person to alert the Customer to a previously unknown flaw or vulnerability;
- Perform Security Tests and create a Vulnerability Report on any flaws and security issues identified;
- Submit a Vulnerability Report within the time frame set by Customers;
- Alert Customer about a flaw or vulnerability which results in a security issue.
- The discovered vulnerability must be a critical one, in keeping with the criteria set by Customers for the Project.
- Follow the submission process set by the technical team of the Customer.
3. Customer representations and warranties
The Customer is fully responsible and liable for the coverage of the scope and the Application rules written in the Project. In order to have their IT environments regularly audited by independent Hackers, the Customer agrees to:
- Set the criteria and time frame for the Vulnerability Report submission;
- Define the exact scope (Project Parameter) of what needs to be tested within the listed IT environment so that Researchers are able to submit an appropriate Vulnerability Report and earn the Reward;
- Not hold the Researcher responsible and indemnify him or her from any third-party claims of the listed IT Environment being in breach of any agreements they may have entered into with that third party or if the listed IT environment is not compliant with the applicable laws;
- If a Reward is offered, pay the Reward to the Researcher that submits a Vulnerability Report once the Vulnerability Report is validated.
- Inform, if needed, any and all related third parties who might potentially be affected by the Security Testing Services performed in the IT environment.
- Provide truthful and accurate feedback to the Researcher who submits a Vulnerability Report.
Customer represents and warrants to be the owner of the IT environments listed on the Platform and that the Application does not infringe any third-party copyrights.
4. Researchers' liability
Researchers shall be liable for all losses caused to Customers as a result of their conduct in performing the Security Testing Services. Researchers shall indemnify and not hold Customers responsible for any liability, damage and loss suffered by Customers and arising from or in connection with the fact that a Vulnerability Report infringes on third parties’ intellectual property rights or that the Security Services provided violated any applicable law.
5. Researcher’s Status
Both Researcher and Customer acknowledge that the Researcher is an independent contractor acting on an occasional and non-exclusive basis. No employer-employee relation exists between the Parties.
6. Confidentiality Obligations
For the purposes of this Contract, “Confidential Information” refers to any information, program or data, disclosed in written, graphic, or electronic form by the Client to the Researcher or to which the Researcher may have access while performing IT Security Services.
All Confidential Information, unless otherwise indicated by the Customer, is confidential and/or proprietary to the Customer, and in no event will the Researcher be allowed to acquire any rights or interest in the Confidential Information, as this will remain the sole and exclusive property of the Customer.
The Researcher agrees that the Confidential Information received will be used solely for the Purpose of security service testing. The Researcher affirmatively agrees not to disclose any Confidential Information to any third party without the express written consent of the Customer.
The Researcher agrees to maintain the Confidential Information in strict confidence, taking all necessary measures to prevent any disclosure of the same.
Confidentiality obligations will remain in full force and effect for the entire term of this Contract and shall survive the termination of this Contract occurring for whatever reason for as long as the confidential information does not migrate into the public domain following disclosure by the Client.
7. Applicable laws
This Contract and all matters arising out of or relating to it (including non-contractual disputes or claims and their interpretation) shall be governed by the laws of Italy.