Request a Demo Contact Us
Bugcrowd Acquires Informer to Enhance Offerings Across Attack Surface Management and Penetration Testing
Learn More

Service Provider Agreement

This Service Provider Agreement (the “Agreement”) sets forth terms under which the service provider (“Service Provider”) shall, at the request of Bugcrowd Inc. (“Bugcrowd”) provide professional services either directly to Bugcrowd or to customers of Bugcrowd on Bugcrowd’s behalf.


Confidential Information” means all information which is identified or treated by Bugcrowd or any of Bugcrowd’s clients or customers as confidential or which by reason of its character or the circumstances or manner of its disclosure is evidently confidential including, without limitation, all Deliverables, all information designated by Bugcrowd as confidential, all information or data concerning or related to Bugcrowd’s products (including the discovery, invention, research, improvement, development, manufacture, or sale thereof), processes, or general business operations (including sales, costs, profits, pricing methods, organization, and employee and customer lists), and any information of the foregoing nature received from Bugcrowd related to Bugcrowd’s customers or clients, which, if not otherwise described above, is of such a nature that a reasonable person would believe it to be confidential or proprietary.
Deliverables” means the tangible and intangible results of the Services, including, but not limited to, any report, software, code, documents, materials, models, designs, drawings, processes, formulae, inventions, methodologies know-how, Confidential Information or other work performed, made, created, devised, developed or discovered by Service Provider in connection with this Agreement (and whether or not made or discovered during the course of Service Provider’s performance of Service Provider’s duties under this Agreement) either alone or with any other person in connection with or relating to the business of Bugcrowd or capable of being used or adapted for use therein or in connection therewith.
Intellectual Property Rights” means any and all existing and future intellectual or industrial property rights in and to any Deliverables (whether registered or unregistered) including all existing and future patents, copyrights, design rights, database rights, trade marks, semi-conductor topography rights, plant varieties rights, Internet rights/domain names, know how and any and all applications for any of the foregoing and any and all rights to apply for any of the foregoing in and to any Deliverables.
Open Source Software” means any “open source” code (as defined by the Open Source Initiative), “free” code (as defined by the Free Software Foundation), community source code, including any libraries or code licensed under the General Public License, or any other software that is generally made available for free on the Internet in source code form.
Pre-Existing Intellectual Property” means any proprietary methodologies, tools, models, software, procedures, documentation, know-how, processes, trade secrets, inventions, or works of authorship that have already been conceived or developed by Service Provider before Service Provider renders any Services under this Agreement.

Third Party Materials” means any code, libraries, programs, software, documentation or other intellectual property of any type which is not created solely by Service Provider.


Service Provider shall provide professional services (“Services”) to Bugcrowd as described on one or more Statements of Work signed by Service Provider and Bugcrowd, which reference this Agreement (“SOW” or “Statement of Work”). Service Provider shall perform Services in a prompt manner and provide each Deliverable no later than the delivery dates specified in the applicable SOW. At the direction of Bugcrowd, Service Provider shall provide Services directly to Bugcrowd or to customers of Bugcrowd on Bugcrowd’s behalf. The parties may execute additional Statements of Work describing Services, which will become part of this Agreement upon execution by Service Provider and Bugcrowd.


Service Provider may not subcontract the Services without the prior express written consent of Bugcrowd.


Bugcrowd shall have the right to modify, reject, cancel or terminate any SOW and any related plans, schedules or work in process with written notice to Service Provider. In the event Bugcrowd terminates a Statement of Work other than for Service Provider’s material breach pursuant to Section 9 (Term and Termination) prior to completion of Services, Bugcrowd shall pay Service Provider the fees due under the SOW with respect to Services completed as of the date of termination.


5.1 Third Party Materials. Service Provider shall not incorporate any Third Party Materials into a Deliverable, furnish any Third Party Materials into a Deliverable, furnish any Third Party Materials in conjunction with a Deliverable, or develop a Deliverable in a manner that requires Bugcrowd to use any Third Party Materials in order to use such Deliverable, unless Service Provider (i) has specifically identified such Third Party Materials in the applicable SOW or otherwise obtained Bugcrowd’s prior written consent and (ii) has obtained a license for Bugcrowd’s (and Bugcrowd’s licensees’) benefit which is as extensive as the license set forth in Section 7.5(b) below (“Third Party Materials License”).
5.2 Use Of Open Source. The obligations set forth in Section 5.1 with respect to Third Party Materials apply to any use of Open Source Software in connection with any Deliverable (excluding the obligation to obtain a Third Party Materials License unless otherwise specified in the applicable SOW). If Bugcrowd approves use by Service Provider of any Open Source Software in connection with a Deliverable, Service Provider shall include documentation with each such Deliverable identifying any and all Open Source Software that is included in such Deliverable and provide Bugcrowd a copy of the applicable license prior to inclusion.
5.3. Types of Open Source Never Allowed. Notwithstanding the foregoing, Service Provider shall not provide as part of any Deliverable, or otherwise use in connection with the Services, any software which contains any Open Source Software which is licensed under the “General Public License,” “LGPL,” “AGPL,” or any other license which could (i) compromise or interfere in any way with Bugcrowd’s intellectual property rights or (ii) require Bugcrowd to publicly release, distribute or license the source code to any Deliverable, to any Bugcrowd software, or to any of Bugcrowd’s customers’ or clients’ software, (iii) require that any disclosure, distribution or license of any Deliverable, any Bugcrowd software, or any of Bugcrowd’s customers’ or clients’ software be at no charge, or (iv) require that any other licensee of any Deliverable, any Bugcrowd software, or any of Bugcrowd’s customers’ or clients’ software be permitted to modify, make derivative works of, reverse-engineer or redistribute such Deliverable or software.


6.1 Service Provider’s Representations and Warranties. Service Provider hereby represents and warrants that:
(a) Due Authority. Service Provider has full right and power to enter into and perform this Agreement without the consent of any third party, and its performance under this Agreement will not conflict with any other obligation Service Provider may have to any other party.
(b) Standard of Performance. Service Provider will perform the Services in a timely, professional and workmanlike manner and with a degree of quality equal to or higher than applicable industry standards for similar services. In addition, all Services and each Deliverable shall conform in all material respects with the description set forth in the SOW.
(c) Anti-Racism. Service Provider has internal policies and procedures in place to foster a diverse and inclusive work environment, including anti-discrimination, anti-racism, equal opportunity and sexual harassment policies. Service Provider’s violation of these policies and procedures, or any act by Service Provider that constitutes racism, discrimination or sexual harassment, shall constitute a material breach of this Agreement subject to immediate termination of the Agreement by Bugcrowd in Bugcrowd’s sole discretion.
(d) No Harmful Code. The Services and all Deliverables shall be free of any: (i) viruses, worms, time bombs, Trojan horses or other harmful, malicious or destructive code; (ii) software disabling devices, time-out devices, counter devices and devices intended to collect data regarding usage of the software without the knowledge of Bugcrowd and (iii) Open Source Software, except as expressly authorized by Bugcrowd in writing in accordance with Section 5 (Third Party Materials and Open Source Software).
(e) Intellectual Property Rights. Each Deliverable is and will be an original work of Service Provider except for any Third Party Materials and Pre-Existing Intellectual Property incorporated therein as approved under Section 5 (Third Party Materials and Open Source Software) or 7.5 (Pre-Existing Intellectual Property), as applicable. Neither the Deliverables nor any element thereof will (i) infringe the intellectual property rights of any third party or (ii) be subject to any restrictions or to any mortgages, liens, pledges, security interests, encumbrances or encroachments.
(f) No Employment, Agency or Partnership. Service Provider warrants and represents to Bugcrowd that Service Provider is an independent contractor. Service Provider shall perform services on behalf of Bugcrowd in the capacity of independent contractor, and not as an employee, worker, partner, agent or joint venture partner of Bugcrowd. Service Provider shall not have any right or power whatsoever to contract on behalf of Bugcrowd in any way in relation to third parties and will not hold Service Provider out as having such authority unless specifically authorized to do so. Service Provider is supplying the Services to Bugcrowd as part of Service Provider’s business undertaking. Bugcrowd is Service Provider’s client for these purposes.
6.2 Remedy of Defects. Service Provider shall, without charge, correct any non-conformity, defect or malfunction in any Deliverable reported by Bugcrowd within thirty (30) days of receipt of notice from Bugcrowd, or if Service Provider is unable to make the Deliverable operate as warranted within such 30-day period, then Bugcrowd may terminate immediately the applicable SOW, and Service Provider shall refund to Bugcrowd all fees paid for such defective Services within 10 days of termination. The remedies set forth in this Section 6.2 shall be non-exclusive.


7.1 Creation of Deliverables. Service Provider may make or create Deliverables during the term of any SOW or this Agreement.
7.2 Disclosure and Ownership of Deliverables. Service Provider must immediately disclose to Bugcrowd all Deliverables and all Intellectual Property Rights. Both the Deliverables and the Intellectual Property Rights will belong to and be the absolute property of Bugcrowd or any other person Bugcrowd may nominate. Service Provider hereby assigns and agrees to assign all Intellectual Property Rights and any other rights, title and interest in and to the Deliverables to Bugcrowd.
7.3 Protection, Registration and Vesting of Deliverables. Service Provider shall immediately on request by Bugcrowd (during Service Provider’s engagement or after its termination) and at the expense of Bugcrowd:
(a) apply or join with Bugcrowd in applying for any Intellectual Property Rights or other protection or registration (“Protection”) in the U.S. and in any other part of the world for, or in relation to, any Deliverables;
(b) execute all instruments and do all things necessary for vesting all Intellectual Property Rights or Protection when obtained and all right, title and interest to and in the same absolutely and as sole beneficial owner in Bugcrowd or other person as Bugcrowd may nominate; and
(c) sign and execute any documents and do any acts reasonably required by Bugcrowd in connection with any proceedings in respect of any applications and any publication or application for revocation of any Intellectual Property Rights or Protection.
7.4 Power of Attorney. Service Provider hereby irrevocably appoints Bugcrowd to be Service Provider’s attorney and in Service Provider’s name and on Service Provider’s behalf to execute any such act and to sign all deeds and documents and generally to use Service Provider’s name for the purpose of giving to Bugcrowd the full benefit of this section. Service Provider agrees that, with respect to any third parties, a certificate signed by any duly authorised officer of Bugcrowd that any act or deed or document falls within the authority hereby conferred shall be conclusive evidence that this is the case.
7.5 Pre-Existing Intellectual Property.
(a) Pre-Approval. Service Provider shall not use any Pre-Existing Intellectual Property in connection with this Agreement unless Service Provider (i) has specifically identified such Pre-Existing Intellectual Property in the applicable SOW and (ii) has the right to use such Pre-Existing Intellectual Property for Bugcrowd (and Bugcrowd’s licensees’) benefit and to issue the licenses set forth in this section.
(b) License. If Service Provider incorporates any Pre-Existing Intellectual Property into a Deliverable or furnishes any Pre- Existing Intellectual Property in conjunction with a Deliverable, Service Provider hereby grants Bugcrowd a non-exclusive, royalty-free, irrevocable, worldwide, perpetual license to: (i) make, have made, sell, use, execute, reproduce, modify, adapt, display, perform, distribute, make derivative works of, import, and disclose the Pre-Existing Intellectual Property or products and services using the Pre-Existing Intellectual Property in conjunction with the use of the Deliverable and (ii) authorize or sublicense others from time to time to do any or all of the foregoing.


In exchange for Service Provider’s obligations under this Agreement, Bugcrowd shall pay Service Provider the fees set forth in the applicable SOW. All payments are due in U.S. dollars within the later of sixty (60) days of Bugcrowd’s receipt of an undisputed invoice, and, if applicable (in cases where Service Provider is performing Services on behalf of an Bugcrowd customer), ten (10) days of receipt of payment of such Services from Bugcrowd’s customer. Service Provider shall not invoice Bugcrowd until Bugcrowd’s acceptance of the Services or Deliverables (as applicable) is received in accordance with the payment schedule set forth in the applicable SOW. Bugcrowd shall not reimburse Service Provider for any expenses unless such expenses are specified in the applicable SOW. When specified in the applicable SOW, Bugcrowd will pay actual and reasonable, pre-approved travel and related expenses incurred by Service Provider in performing the Services, but only in accordance with Bugcrowd’s then-current travel and expense policies. Service Provider acknowledges that this Section 8 sets forth the only compensation which Service Provider is entitled to receive in exchange for the Services and that Service Provider shall not be entitled to any other payments, reimbursements, royalties or consideration of any kind.


This Agreement remains in effect until terminated in accordance with this Section 9. Either party may terminate this Agreement if the other party: (a) fails to cure any material breach of this Agreement within 30 days after written notice of such breach; (b) ceases operation without a successor; or (c) seeks protection under any bankruptcy, receivership, trust deed, creditors arrangement, composition or comparable proceeding, or if any such proceeding is instituted against such party (and not dismissed within 60 days thereafter). Bugcrowd may terminate this Agreement at any time for any reason and without warning. Should Bugcrowd exercise this right, it shall pay Service Provider up until the day of termination. All of the provisions of this Agreement shall survive any termination or expiration except Sections 2 (Services), 3 (No Subcontractor), 4 (Changes) and 8 (Payment) (except that Section 8 shall survive with respect to payments earned prior to termination).


10.1 Obligation to Pay Tax. Service Provider shall be solely responsible and liable for any employment related taxes, social security payments, insurance premiums or other employment benefits or contributions required by law respecting Service Provider’s performance of the Services or receipt of the fee by Service Provider, or both (including any interest or penalties incurred in respect of such payments).
10.2 Tax Indemnity. Service Provider shall indemnify and keep indemnified Bugcrowd for all time on demand from and against any and all costs, claims, penalties, liabilities and expenses incurred in respect of income tax, social security or other contributions due by Service Provider in relation to the provision of the Services.
10.3 Deductions. Without prejudice to the indemnity in Section 10.2, if for any reason, Bugcrowd shall become liable to pay, or shall pay, any taxes or other payments referred to in Section 10.1, Bugcrowd shall be entitled to deduct from any amounts payable to Service Provider all amounts so paid or required to be paid by it in that respect.
10.4 No Eligibility for Benefits. Neither Service Provider nor any of Service Provider’s employees or subcontractors will be eligible for any benefits (including, without limitation, stock options, health insurance or retirement benefits) normally provided by Bugcrowd to its employees.
10.5 Background Checks. Service Provider represents and warrants that it conducts industry-standard background checks on all of its personnel, including, without limitation, criminal background checks, social security traces and past employment verification. Service Provider shall conduct any additional background checks, at its expense, that may be required by either Bugcrowd or an Bugcrowd customer or client.


Other than in the performance of the Agreement, neither Service Provider nor Service Provider’s agents, employees, or subcontractors shall use or disclose to any person or entity any Confidential Information of Bugcrowd (whether in written, oral, electronic or other form), which is obtained from Bugcrowd or otherwise prepared or discovered either in the performance of this Agreement, through access to Systems (as defined below), or while on Bugcrowd’s premises. The provisions of this section relating to use and disclosure shall not apply to any information that: (i) is rightfully known to Service Provider prior to disclosure by Bugcrowd, (ii) is rightfully obtained by Service Provider from any third party without restrictions on disclosure, (iii) is or becomes available to the public without restrictions; or (iv) is disclosed by Service Provider with the prior written approval of Bugcrowd. Service Provider warrants and represents that each employee, agent, or subcontractor who performs work under this Agreement has been informed of the obligations contained herein and has agreed to be bound by them. This obligations set forth in this section shall survive any expiration of termination of this Agreement.


12.1 Access to Bugcrowd’s Systems. Access, if any, to Bugcrowd’s computer, telecommunication or other information systems (including computers, networks, voice mail, etc.) or those of any Bugcrowd client or customer (“Systems”) is granted solely to facilitate the business relationship described in this Agreement, and is limited to those specific Systems, time periods, and personnel designated by Bugcrowd. Access is subject to business control and all applicable policies, laws and regulations. Service Provider will abide by all information protection or data privacy policies of Bugcrowd or customers of Bugcrowd, and all applicable laws and regulations. Any access to or use of any Systems except as expressly authorized is expressly prohibited. Without limiting the foregoing, Service Provider warrants that it has adequate security measures in place to comply with the above obligations and to ensure that access granted hereunder will not impair the integrity and availability of Systems. In particular, Service Provider represents and warrants that it has administrative, technical, and physical safeguards consistent with industry standards to monitor its own systems and protect any Bugcrowd data or Bugcrowd customer or client data against anticipated threats or hazards regarding: security, confidentiality, or integrity; unauthorized or accidental destruction, loss, alteration, or use; and unauthorized access or acquisition. Upon reasonable notice, Bugcrowd may audit Service Provider to verify Service Provider’s compliance with these obligations.
12.2 Access to Bugcrowd’s Software. Solely to the extent Bugcrowd determines it is necessary for Service Provider to have access to certain Bugcrowd software or tools (“Bugcrowd Software”) in order to perform the Services, subject to the terms and conditions of this Agreement, Bugcrowd grants to Service Provider a non-exclusive, non-transferable, non-sublicensable, royalty-free license, to use the Bugcrowd Software solely for the performance of the Services. Service Provider will not use any of the trade secrets, algorithms, inventions, or technology revealed or embodied by the Bugcrowd Software except as necessary to perform the Services. No right is granted by this Agreement for the use of the Bugcrowd Software directly or indirectly by others. Service Provider may not sublicense or otherwise transfer, by contract, operation of law, or otherwise, any of the rights granted to Service Provider herein. All rights not expressly licensed herein are reserved to Bugcrowd and its suppliers.


Service Provider will defend, indemnify and hold harmless Bugcrowd, their officers, directors, employees, sublicensees, customers and agents from any and all direct or indirect claims, losses, liabilities, damages, expenses and costs (including legal fees and court costs) arising from or relating to: (i) any breach or alleged breach of any representation, warranty or other provision of this Agreement by Service Provider, and (ii) any infringement or alleged infringement by Service Provider, the Services or any Deliverable of any third-party intellectual property rights; (iii) any act, neglect or default of Service Provider or any person authorised by Service Provider to act on Service Provider’s behalf, including any personal injury or property damage (a “Claim”). Bugcrowd shall give Service Provider written notice of any such Claim and Bugcrowd has the right to participate in the defense of any such Claim at its expense. In no event shall Service Provider settle any Claim without Bugcrowd’s written consent (which consent shall not be unreasonably withheld). From the date of written notice from Bugcrowd to Service Provider of an such Claim, Bugcrowd shall have the right to withhold from any payments due Service Provider under this agreement the amount of any defense costs, plus additional reasonable amounts as security for Service Provider’s obligations under this section.





Service Provider is solely responsible for maintaining such adequate health, automobile, workers’ compensation, unemployment compensation, disability, liability, and any other type of insurance required by law or as is common practice in Service Provider’s business including a comprehensive policy of insurance to cover Service Provider’s liability in respect of any act, omission or default for which Service Provider may himself become liable, or become liable to indemnify the Company under this Agreement (including insurance to cover third party, employer’s and professional liability claims). Upon request, Service Provider shall provide Bugcrowd with certificates of insurance or evidence of coverage before commencing performance under this Agreement. Service Provider shall acquire additional insurance, at its expense, if so required by either Bugcrowd or an Bugcrowd customer or client. Service Provider shall provide adequate coverage for any Bugcrowd property under the care, custody or control of Service Provider or Service Provider’s personnel.


Each party shall perform all of its obligations under this Agreement in compliance at all times with all applicable laws. Contractor shall additionally comply with all regulations, policies and guidelines of Bugcrowd and Bugcrowd customers or clients.

Service Provider represents and warrants that it will comply with all laws and regulations applicable to the access and processing of personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors. To the extent Service Provider has access to or otherwise processes any personally identifiable information and/or data, by performing any Services for Bugcrowd that are subject to this Agreement, Service Provider hereby agrees to be bound by the Data Processing Addendum at the following link:


Neither party shall publicize or disclose the existence or terms of this Agreement to any third party without the prior written consent of the other, except as may be required by law. In particular, no press releases shall be made without the mutual written consent of each party.


Service Provider will keep and maintain complete and accurate records in connection with its performance of the Services and all fees charged to Bugcrowd under this Agreement and will retain these records for at least three (3) years after the amounts documented in these records become due. Bugcrowd may audit such records during regular business hours upon reasonable advance notice and subject to reasonable confidentiality procedures not more than twice per year.

19. NOTICE UNDER 18 U.S.C. § 1833(b).

18 U.S.C. § 1833(b) states “[a]n individual shall not be held criminally or civilly liable under any Federal or State trade secret law for the disclosure of a trade secret that—(A) is made—(i) in confidence to a Federal, State, or local government official, either directly or indirectly, or to an attorney; and (ii) solely for the purpose of reporting or investigating a suspected violation of law; or (B) is made in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal”; and “[a]n individual who files a lawsuit for retaliation by an employer for reporting a suspected violation of law may disclose the trade secret to the attorney of the individual and use the trade secret information in the court proceeding, if the individual—(A) files any document containing the trade secret under seal; and (B) does not disclose the trade secret, except pursuant to court order.” Nothing in this Agreement is intended to conflict with 18 U.S.C. § 1833(b).


Neither party may assign this Agreement without the prior written consent of the other party and any attempt to do so will be void. Notwithstanding the foregoing, Bugcrowd may assign this Agreement to an entity in connection with a reorganization, merger, consolidation, acquisition, or other restructuring involving all or part of the voting securities or assets of Bugcrowd upon written notice to Service Provider. Any notice or consent under this Agreement will be in writing to the address or email address specified below within the signature block in the accompanying SOW. Terms and conditions of this agreement are subject to change without prior notice and are effective upon any such update. For the duration of this agreement and for thirty-six (36) months after, Service Provider will not hire any persons employed by Bugcrowd, whether or not such resource had direct interaction with Service Provider under this Agreement. Service Provider agrees that for the term of this Agreement, and any other related definitive agreements that may be entered into by and between the parties (e.g., statements of work), and for a period of two (2) years thereafter, Service Provider shall not, directly or indirectly, bid for, offer, sell or otherwise provide any services or products that directly compete with Bugcrowd’s then-existing services or products, to any customer for which Bugcrowd and Service Provider have offered to deliver or have jointly delivered services. This restriction includes, but is not limited to any employee, subcontractor, or agent of Bugcrowd. No provision of this Agreement will be waived by any act, omission or knowledge of a party or its agents or employees except by an instrument in writing expressly waiving such provision and signed by a duly authorized officer of the waiving party. Service Provider will abide by all policies and guidelines of Bugcrowd and customers of Bugcrowd. Service Provider hereby acknowledges that from time to time, Bugcrowd is required to ensure that all subcontractors engaged by Bugcrowd, including Service Provider, are bound by the same or substantially similar terms as Bugcrowd under the terms and conditions to which Bugcrowd has agreed with Bugcrowd’s customers (referred to herein as the “Prime Agreement Terms”), and therefore Services Provider hereby understands and agrees to be bound by any such Prime Agreement Terms. It is Service Provider’s responsibility to request a copy of any such applicable Prime Agreement Terms, and absent any such request Bugcrowd is under the assumption that Service Provider is aware of and agrees to be bound by such Prime Agreement Terms. If any provision of this Agreement is adjudged by any court of competent jurisdiction to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that this Agreement will otherwise remain in full force and effect. This Agreement is governed by and to be construed in accordance with California law. Each party hereby submits to the exclusive jurisdiction of the San Francisco County courts as regards any claim, dispute or matter arising out of or in connection with this Agreement and its implementation and effect. Any waivers or amendments shall be effective only if made in writing signed by a representative of the respective parties. Both parties agree that this Agreement is the complete and exclusive statement of the mutual understanding of the parties, and supersedes and cancels all previous written and oral agreements and communications relating to the subject matter of this Agreement. In the event that Bugcrowd loans Service Provider any equipment during the course of its engagement, Service Provider shall be responsible for returning it in the same condition in which Service Provider received it. Such equipment will be loaned as is with all faults. Bugcrowd reserves the right to charge Service Provider for any damage it finds, beyond the normal wear and tear.