Customer Terms and Conditions
Bugcrowd offers an online, web-based, platform-as-a-service to provide crowdsourced security testing services for the enterprise through its proprietary, web-based, vulnerability reporting and disclosure platform known as the “Crowdcontrol Platform” and access to the community of independent Security Researchers. This Master Customer Agreement (the “Agreement”) sets forth the terms under which Bugcrowd shall provide the customer (“Customer”) identified on the order form or other quotation, ordering document or other purchase order referencing this Agreement (an “Order”) with such services and software, and is effective on the date listed on the order form (the “Effective Date”). By executing an Order that references this Agreement, the person so executing the Order agrees to this Agreement on behalf of the Customer and represents that he or she has the authority to bind such Customer to this Agreement. Continued use of the Hosted Service (as defined below) constitutes deemed acceptance of this Agreement. The parties agree as follows:
Capitalized terms will have the meaning set forth in this Section 1 or as otherwise defined in this Agreement.
1.1 “Bounty” means the Testing Services (as defined in Section 1.7 below) for specific software described in a Program Brief.
1.2 “Crowdsourced Security Program” means a bug bounty program, vulnerability disclosure program, next-generation penetration test program or such other on-demand or annual program offered by Bugcrowd as described in an Order placed pursuant to Section 2.1. The Security Researchers that participate in each Crowdsourced Security Program will be governed by the then-current Standard Disclosure Terms, available at https://www.bugcrowd.com/resources/standard-disclosure-terms as modified or supplemented by additional terms in the applicable Program Brief.
1.3 “Customer Data” means all product, technical support, and other information with respect to the business of Customer, as provided to, generated by, or obtained by Bugcrowd during the Term of this Agreement.
1.4 “Hosted Service” means the Crowdcontrol Platform ordered by Customer pursuant to an Order, and any other software, end user documentation, and any information (other than Testing Results) made available to Customer by Bugcrowd in connection with the performance of the Testing Services, including any and all updates thereto.
1.5 “Program Brief” means the description of each Crowdsourced Security Program provided to Security Researchers.
1.6 “Security Researchers” are the independent contractors who perform Testing Services, and refers to two distinct groups of program participants: Group A are independent contractors who perform Vulnerability Testing and have gone through Bugcrowd’s vetting processes and are the only Security Researchers invited to private engagements. Group B are the general population, who have access to any public program promoted by Bugcrowd.
1.7 “Services” means the services to be performed by Bugcrowd under this Agreement and the Testing Services. “Testing Services” means the services performed by Security Researchers and includes, but is not limited to, the vulnerability testing services and next generation penetration testing services performed by Security Researchers pursuant to Crowdsourced Security Programs ordered by Customer.
1.8 “Target Systems” are the applications and systems that are the subject of the Testing Services.
1.9 “Testing Results” means information about vulnerabilities discovered on the Target Systems that is submitted to the Hosted Service as part of the Testing Services, including without limitation vulnerabilities identified by Security Researchers and submitted to the Hosted Service, confirmation of vulnerabilities and assessment of eligibility for Rewards by Bugcrowd and any additional materials to be provided by Bugcrowd as specified in the applicable Order, expressly excluding (a) any underlying templates incorporated in the Testing Results by Bugcrowd, (b) metadata related to the Testing Results (i.e. reports, substate information and comments made available to Customer in the Hosted Services) and (c) De-Identified Testing Results. “De-Identified Testing Results” means Testing Results that have been anonymized and are not identifiable to Customer or any individual, and presented in a manner from which the identity of Customer or any individual may not be derived.
2.1 Provision of Hosted Services. Bugcrowd will make the Hosted Services available to Customer for use pursuant to this Agreement and the applicable Orders during the Term. In addition, Bugcrowd will maintain a security program designed to maintain the security and integrity of the Hosted Service and the Testing Results in accordance with then-current industry standards, and use commercially reasonable efforts to make the Hosted Service available 24 hours a day, 7 days a week, excluding (i) scheduled maintenance (of which Bugcrowd provides reasonable advance notice via the Hosted Service); and (ii) downtime caused by a force majeure event (subject to Section 11) or other circumstances beyond Bugcrowd’s reasonable control. Customer may use the Hosted Services for the sole purpose of receiving the Testing Services specified in the applicable Order, and subject to the restrictions set forth in Section 2.2.
2.2 Restrictions. Customer shall not (a) sell, resell, rent, lease, transfer, assign, reproduce, distribute, host or otherwise commercially exploit any portion of the Hosted Service or use the Hosted Service for the benefit of any third party; (b) modify, translate, adapt, merge, make derivative works of, disassemble, decompile, reverse compile or reverse engineer the Hosted Service, or attempt to discover the source code of the underlying software of the Hosted Service, except to the extent the foregoing restrictions are expressly prohibited by applicable law; (c) circumvent or disable any digital rights management, usage rules, or other security features of the Hosted Service, or otherwise attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Hosted Service or the data contained therein; (d) access or use the Hosted Service in order to build a similar or competitive website, application, or service; (e) copy, reproduce, distribute, republish, download, display, post or transmit in any form by any means any part of the Hosted Service; and (f) remove or destroy any copyright or other proprietary notices contained on or in the Hosted Service. Customer shall use the Hosted Service only in compliance with all applicable laws. Customer is responsible for all activities conducted under its logins on the Hosted Service, and for its compliance with this Agreement. Customer shall be responsible for the security of all passwords and other access protocols required to access the Hosted Service. Customer shall promptly notify Bugcrowd if Customer’s passwords or access protocols are lost, stolen, disclosed to an unauthorized third party, or otherwise compromised.
2.3 Order. Each Crowdsourced Security Program that Customer orders during the Term will be described in a Bugcrowd quotation or similar purchase order from Customer (each, an “Order”), which will become effective (a) when signed by both parties; or (b) upon the issuance of a Customer purchase order that references the Bugcrowd Order (it being understood that Customer’s issuance of such a purchase order constitutes Customer’s agreement with the terms of the Bugcrowd Order). Each Crowdsourced Security Program will commence on a date mutually agreed upon by Bugcrowd and Customer. All Orders placed on an annual basis will auto-renew for additional year-long terms at then-current pricing unless otherwise stated in the Order or unless either party notifies the other party of its intention to terminate the Order no later than sixty (60) days before the end of the then-current year’s term. All other Orders (meaning On Demand Orders or other Orders not placed on an annual basis) will expire upon completion of the Crowdsourced Security Program or upon termination or expiration of the Crowdsourced Security Program pursuant to this Agreement.
2.4 Performance of Testing Services. Promptly upon execution of an Order, Bugcrowd will identify to Customer a relationship manager to assist in the success of the Crowdsourced Security Programs (the “Bugcrowd Relationship Manager”), and Customer will identify to Bugcrowd a project manager to manage Customer’s Crowdsourced Security Programs and the Bugcrowd relationship (“Customer Project Manager”). The Bugcrowd Relationship Manager and Customer Project Manager will prepare a mutually agreed Program Brief for each Crowdsourced Security Program. Bugcrowd will communicate the Crowdsourced Security Programs, including Program Briefs, to Security Researchers so that they may perform the Testing Services. Security Researchers will report vulnerabilities to Bugcrowd through the Hosted Service and Customer may access the information reported through the Hosted Service for the duration of the applicable Crowdsourced Security Program. Bugcrowd makes the Program Brief(s) available to applicable Security Researchers, and reviews the vulnerability information submitted by the Security Researchers to validate the reported vulnerabilities, confirms whether the reported vulnerabilities are within the scope of the Program Brief, provides Customer with instructions to reproduce the validated vulnerabilities, and assesses whether payment of Rewards is due on any validated vulnerabilities in accordance with the terms of the applicable Program Brief. Testing Services must be utilized within the term set forth in the applicable Order or shall be forfeited.
2.6 Payment of Rewards to Security Researchers. Unless otherwise set forth in the applicable Order, Bugcrowd will periodically make available to Customer through the Hosted Service reports that identify Bugcrowd’s recommendation of appropriate payments of Rewards to Security Researchers consistent with the applicable Program Brief (each, a “Report”). Unless otherwise specified in the applicable Order, Bugcrowd will notify Customer electronically through the Hosted Service when a Report is available for review by Customer. Upon notification of the availability of each Report, Customer will have five (5) business days to review and approve or reject such recommendations (the “Approval Period”). Customer may reasonably reject Bugcrowd’s recommendation if the applicable Testing Results are outside the scope of the Crowdsourced Security Program, or if the vulnerability reproduction instructions provided by Bugcrowd are not sufficient to reproduce the vulnerabilities provided by the applicable Security Researcher. If, within the Approval Period, Customer rejects a Bugcrowd recommendation on one of the bases set forth above, Customer shall provide Bugcrowd with written notice (the “Customer Notice”), which shall include the reasons for such rejection, and Bugcrowd will promptly research the issue and submit a revised Report, which shall be deemed approved unless Customer rejects as above. Customer’s failure to provide a Customer Notice within the Approval Period shall be deemed to be approval of Bugcrowd’s recommendations in the applicable Report. Promptly following approval or deemed approval of Bugcrowd’s recommendation, Bugcrowd will make payment of the approved Reward to the applicable Security Researcher. All Rewards paid to Security Researchers must be made in connection with a Crowdsourced Security Program.
3. INDEPENDENT CONTRACTOR RELATIONSHIP.
Bugcrowd uses its technology to connect Customer with Security Researchers; however, Bugcrowd does not control or supervise the Security Researchers. The Security Researchers are not employees, agents, personnel, or subcontractors of Bugcrowd and are not authorized to act on behalf of Bugcrowd. Customer acknowledges and agrees that a Security Researcher’s relationship to Bugcrowd is that of an independent contractor. Nothing in this Agreement is intended or should be construed to create a partnership, joint venture, or employer-employee relationship between Security Researchers and Bugcrowd or between Customer and any of Bugcrowd’s employees, agents, or contractors.
Customer shall pay Bugcrowd fees for each Crowdsourced Security Program as specified in the applicable Order (the “Fees”) within thirty (30) days of its receipt of invoice. Unless otherwise stated in the Order, all Fees shall be invoiced upon execution of the Order. The Fees will include a pooled amount for rewards to be paid to Security Researchers (the “Rewards”) as set forth in the applicable Order (the “Rewards Pool”). In the event that the Rewards Pool is exhausted prior to completion of the Crowdsourced Security Program, Customer may replenish the Rewards Pool. Any portion of the Rewards Pool that remains unused as of the termination of this Agreement shall be credited to Customer for use pursuant to a subsequent Order, or returned, at Customer’s option. Customer will be responsible for all taxes, withholdings, duties and levies in connection with the Services (excluding taxes based on the net income of Bugcrowd). Any late payments shall be subject to interest of 1.5% per month of the amount due, or the maximum amount allowed by law, whichever is less. In the event Customer’s account is more than thirty (30) days overdue on payment for any reason, Bugcrowd shall have the right to suspend the Services and Customer’s use of the Hosted Service without further notice to Customer, until Customer has paid in full the balance owed, plus any interest due. Customer agrees that if a price discount is indicated in any Order, Customer will participate in joint marketing activities with Bugcrowd (customer case study, press release, blog, social posts, or other marketing communications that showcase Company’s success with Bugcrowd, with the form and language agreed on by the parties, and Customer grants Bugcrowd the right to reference Customer and a license to use Customer’s logo in connection therewith).
“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and which is disclosed pursuant to this Agreement. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party. The Customer Data shall be deemed Customer Confidential Information. The Testing Results shall be deemed the Confidential Information of both parties and nothing in this Agreement shall be deemed to limit or restrict Customer’s rights in or to the Testing Results, except that neither party may disclose the Testing Results to a third party without the express written consent of the other party. The following shall be deemed Bugcrowd Confidential Information: documentation and pricing set forth in an Order; information relating to the identity of the Security Researchers; and metadata related to the Testing Results. Except as required to achieve the purpose of this Agreement, each receiving party agrees not to use the other party’s Confidential Information and to prevent disclosure of the other party’s Confidential Information to any third party for three (3) years after the date of disclosure or, in the case of the Customer Data, until such time as such Customer Data ceases to be confidential. The receiving party may disclose Confidential Information if required by a governmental agency or applicable law, provided that it gives the disclosing party reasonable advance written notice sufficient to permit it to contest such disclosure. 
Except as specifically set forth above, this Agreement does not transfer from either party any rights in any Confidential Information and all right, title and interest in and to Confidential Information will remain solely with the disclosing party.
6.1 Ownership. Subject to the rights expressly granted to Customer in this Agreement, as between Bugcrowd and Customer, Bugcrowd reserves all right, title and interest in and to the Hosted Service, and all modifications and improvements to it, including all related intellectual property rights. No rights are granted to Customer other than as expressly set forth in this Agreement. Subject to the rights expressly granted to Bugcrowd and the Security Researchers in this Agreement or the applicable Program Brief, Customer reserves all right, title and interest in and to the Target Systems, and all modifications and improvements thereto, including all related Intellectual Property Rights. No rights are granted to Bugcrowd other than as expressly set forth in this Agreement or the applicable Program Brief. Bugcrowd shall limit its use, disclosure and reproduction of the Testing Results to use, disclosure and reproduction reasonably required to perform the Testing Services and make the Testing Results available to Customer through the Hosted Service. Customer shall limit its use, disclosure and reproduction of the Testing Results solely for its internal business purposes in connection with the Crowdsourced Security Program. Customer agrees that nothing in this Agreement shall be deemed to limit or restrict Bugcrowd’s rights in or to the De-Identified Results. Bugcrowd shall have a non-exclusive, perpetual, irrevocable, worldwide, transferable, sublicenseable, fully-paid right to reproduce, create derivative works of, distribute, publicly perform, publicly display, digitally transmit, and otherwise use the De-Identified Results and derivative works thereof for any purpose. 
Bugcrowd shall have a royalty-free, worldwide, transferable, sublicenseable, irrevocable, perpetual license to use or incorporate into its services any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or its authorized users relating to the features, functionality or operation of the Hosted Services or the Testing Services (“Suggestions”). For clarity, Suggestions shall not include any Testing Results and do not grant Bugcrowd rights under any Customer patents or copyrights, and Bugcrowd’s use of Suggestions shall not identify Customer or any authorized users as the source of such Suggestions.
6.2 Intellectual Property Rights. “Intellectual Property Rights” means, on a worldwide basis, all patents (including originals, divisionals, continuations, continuations-in-part, extensions, foreign applications, utility models and re-issues), patent applications, copyrights (including all registrations and applications therefor), trade secrets, service marks, trademarks, trade names, trade dress, trademark applications and other proprietary and intellectual property rights, including moral rights.
7. BUGCROWD REPRESENTATIONS AND WARRANTIES.
7.1 General. Bugcrowd makes the following representations, warranties, and covenants: (a) it will use commercially reasonable efforts to ensure that the Services are performed in a professional and workmanlike manner consistent with industry standards; (b) it has full right, power, and authority to enter into and perform this Agreement; and (c) it will comply with all applicable laws, regulations, and ordinances applicable to Bugcrowd’s performance under this Agreement.
BUGCROWD DOES NOT WARRANT THAT THE TESTING SERVICES WILL IDENTIFY ALL VULNERABILITIES OR THAT THE RESULTS OF THE HOSTED SERVICE AND TESTING SERVICES WILL ENSURE SECURITY OF CUSTOMER’S APPLICATIONS OR SYSTEMS. BUGCROWD DOES NOT WARRANT THAT THE HOSTED SERVICE WILL PERFORM ERROR-FREE OR WITHOUT INTERRUPTION. EXCEPT AS EXPRESSLY WARRANTED IN THIS SECTION 7, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE HOSTED SERVICE AND TESTING SERVICES ARE PROVIDED “AS IS,” AND BUGCROWD DISCLAIMS ALL OTHER WARRANTIES EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
Bugcrowd will defend at its own expense any action against Customer brought by a third party to the extent that the action is based upon a claim that the Hosted Service infringes any U.S. patent or copyrights or misappropriates any trade secrets, and Bugcrowd will pay those costs and damages finally awarded against Customer in any such action that are attributable to such claim or those costs and damages agreed to in a settlement of such action. The foregoing obligations are conditioned on Customer notifying Bugcrowd promptly in writing of such action, Customer giving Bugcrowd sole control of the defense and any related settlement negotiations, and Customer assisting, at Bugcrowd’s request and expense, in such defense. If the Hosted Service becomes, or in Bugcrowd’s opinion is likely to become, the subject of an infringement claim, Bugcrowd may, at its option and expense, either (a) procure for Customer the right to continue using the Hosted Service, (b) replace or modify the Hosted Service so that it becomes non-infringing, or (c) terminate the Agreement and provide Customer with a refund of any prepaid, unused Fees. Notwithstanding the foregoing, Bugcrowd will have no obligation under this Section or otherwise with respect to any infringement claim based upon (i) any use of the Hosted Service not in accordance with this Agreement; (ii) any use of the Hosted Service in combination with products, equipment, software or data not supplied by Bugcrowd; or (iii) any modification of the Hosted Service by any person other than Bugcrowd. This Section states Bugcrowd’s entire liability and Customer’s sole and exclusive remedy for infringement claims and actions.
Customer will defend, at its own expense, any action against Bugcrowd brought by a third party (including government bodies and regulatory authorities) to the extent that the action is based upon a claim that access to the Target Systems and/or data contained within the Target Systems by Bugcrowd or Security Researchers in performance of the Testing Services was not authorized, and Customer will indemnify and hold harmless Bugcrowd against those costs and damages finally awarded against Bugcrowd in any such action that are specifically attributable to such claim, or those costs and damages agreed to in a settlement of such action signed by Customer.
9. LIMITATION OF LIABILITY.
EXCEPT FOR OBLIGATIONS UNDER SECTIONS 5 (CONFIDENTIALITY), SECTION 8 (INDEMNIFICATION) AND AMOUNTS OWED FOR SERVICES, EACH PARTY’S MAXIMUM AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL AMOUNT PAID TO BUGCROWD FOR HOSTED SERVICES WITHIN 12 MONTHS PRECEDING THE EVENT OR ACTION GIVING RISE TO LIABILITY. NEITHER PARTY SHALL BE LIABLE FOR ANY LOST PROFITS, LOSS OF BUSINESS, LOSS OF USE OR LOSS OF DATA, DELAY OR INTERRUPTION OF BUSINESS, OR LOST GOODWILL; FOR ANY COST OF PROCUREMENT OF SUBSTITUTE GOODS, SOFTWARE OR SERVICES; OR FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL OR PUNITIVE DAMAGES; IN EACH CASE ARISING OUT OF OR RELATING TO THE AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. TERM AND TERMINATION.
This Agreement will commence on the Effective Date and will continue until terminated by either party in accordance with the terms of this Agreement (the “Term”). Either party may terminate this Agreement or any Order immediately upon written notice to the other party (the “defaulting party”) if the defaulting party has materially breached a provision of this Agreement or any Order, and that breach remains uncured for thirty (30) days after the defaulting party receives notice of that breach.
10.1 Effects of Termination.
Upon termination or expiration of this Agreement or the applicable Order, Customer will cease use of the Hosted Service. Sections 1 (Definitions), 3 (Independent Contractor Relationship), 4 (Fees), 5 (Confidentiality), 6 (Ownership), 7 (Bugcrowd Representations and Warranties), 8 (Indemnification), 9 (Limitation of Liability), 10.1 (Effects of Termination) and 11 (General Provisions) will survive any termination or expiration of this Agreement.
11. GENERAL PROVISIONS.
Any action arising out of or related to this Agreement shall be governed by California law and controlling U.S. federal law, and the choice of law rules of any jurisdiction shall not apply. Each party agrees to the exclusive personal jurisdiction and venue of the state and federal courts located in San Francisco County, California. If any provision of this Agreement is held to be invalid or unenforceable, the other provisions of this Agreement will be unimpaired, and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. Neither this Agreement nor any rights under it may be assigned by a party without the other party’s express prior written consent, except that the Agreement may be assigned in connection with the merger or sale of substantially all of such party’s stock or assets or some other acquisition transaction. Any attempted assignment in violation of the foregoing will be null and void. Neither party shall be liable under this Agreement for failure or delay in performance caused by a Force Majeure Event, except for payment obligations. If a Force Majeure Event occurs, the party affected shall use commercially reasonable efforts to resume the performance excused by the Force Majeure Event. “Force Majeure Event” means any event beyond the reasonable control of the party affected by such event, which event causes a party to delay or fail to perform under this Agreement. Customer may not use, export, import, or transfer the Hosted Service or Testing Results except in strict accordance with all applicable laws, including but not limited to all U.S. export laws and regulations. In the event of any conflict between this Agreement and an accepted Order, this Agreement will control unless the Order expressly modifies the terms of this Agreement with respect to the Crowdsourced Security Program described in that Order.
All waivers must be in writing and signed by the party to be charged. Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. This Agreement is the final, complete, and exclusive agreement of the parties and supersedes and merges all prior or contemporaneous communications and understandings between the parties. Bugcrowd may modify, amend or update this Agreement at any time without notice. With the exception of Orders, the terms of any purchase order or similar document submitted by Customer to Bugcrowd will have no force or effect.