Last modified on June 30th 2021
WhiteHub offers an online, web-based, platform-as-a-service to provide crowdsourced security testing services for the enterprise through its proprietary, web-based, vulnerability reporting and disclosure platform known as the “WhiteHub Platform” and access to the community of independent Security Researchers. These Customer Terms and Conditions serve as a Customer Agreement (the “Agreement”) that sets forth the terms under which WhiteHub shall provide WhiteHub's customer (“Customer”) identified on the Contract, ordering document or other purchase order referencing this Agreement (“Contract”) with such services, and is effective on the date listed on the Contract (the “Effective Date”). By executing a Contract that references this Agreement, the person executing the Contract agrees to this Agreement on behalf of the Customer and represents that he or she has the authority to bind such Customer to this Agreement. Continued use of the Hosted Service (as defined below) constitutes deemed acceptance of this Agreement. The parties agree as follows:
Capitalized terms will have the meaning set forth in this Section 1 or as otherwise defined in this Agreement.
- “Bounty” means the Testing Services (as defined below) for specific software described in a Program Brief.
- “Crowdsourced Security Program” means a bug bounty program, vulnerability disclosure program, next-generation penetration test program or such other on-demand or annual program offered by WhiteHub as described in a Contract placed pursuant to Section 2.1. The Security Researchers that participate in each Crowdsourced Security Program will be governed by the then-current Researcher Terms and Conditions as modified or supplemented by additional terms in the applicable Program Brief.
- “Customer Data” means all product, technical support, and other information with respect to the business of Customer, as provided to, generated by, or obtained by WhiteHub during the Term of this Agreement.
- “Hosted Service” means the WhiteHub Platform ordered by Customer pursuant to a Contract, and any other software, end user documentation, and any information (other than Testing Report) made available to Customer by WhiteHub in connection with the performance of the Testing Services, including any and all updates thereto.
- “Program Brief” means the description of each Crowdsourced Security Program provided to Security Researchers.
- “Sample Test Report” means a Testing Report that has been anonymized, is not identifiable to Customer or any individual, and is presented in a manner from which the identity of Customer or any individual may not be derived.
- “Security Researchers” are the independent contractors of WhiteHub, who perform Testing Services, and refers to two distinct groups of program participants: “Trusted” are independent contractors of WhiteHub who perform Vulnerability Testing and have gone through WhiteHub’s vetting processes and are the only Security Researchers invited to private engagements. The other group is the general population, who have access to any public program promoted by WhiteHub.
- “Services” means the services to be performed by WhiteHub under this Agreement and the Testing Services. “Testing Services” means the services performed by Security Researchers and includes, but is not limited to, the vulnerability testing services and next generation penetration testing services performed by Security Researchers pursuant to Crowdsourced Security Programs ordered by Customer.
- “Target Systems” are the applications and systems that are the subject of the Testing Services.
- “Testing Report” means information about vulnerabilities discovered on the Target Systems that is submitted to the Hosted Service as part of the Testing Services, including without limitation vulnerabilities identified by Security Researchers and submitted to the Hosted Service, confirmation of vulnerabilities and assessment of eligibility for Rewards by WhiteHub and any additional materials to be provided by WhiteHub as specified in the applicable Contract, expressly excluding (a) any underlying templates incorporated in the Testing Report by WhiteHub, (b) metadata related to the Testing Report (i.e. reports, substate information and comments made available to Customer in the Hosted Services) and (c) Sample Test Report.
2.1 Provision of Hosted Services
WhiteHub will make the Hosted Services available to Customer for use pursuant to this Agreement and the applicable Contracts during the Term. In addition, WhiteHub will maintain a security program designed to maintain the security and integrity of the Hosted Service and the Testing Report in accordance with then-current industry standards, and use commercially reasonable efforts to make the Hosted Service available 24 hours a day, 7 days a week, excluding (i) scheduled maintenance (of which WhiteHub provides reasonable advance notice via the Hosted Service); and (ii) downtime caused by a force majeure event (subject to Section 11) or other circumstances beyond WhiteHub’s reasonable control. Customers may use the Hosted Services for the sole purpose of receiving the Testing Services specified in the applicable Contract, and subject to the restrictions set forth in Section 2.2.
Customer shall not (a) sell, resell, rent, lease, transfer, assign, reproduce, distribute, host or otherwise commercially exploit any portion of the Hosted Service or use the Hosted Service for the benefit of any third party; (b) modify, translate, adapt, merge, make derivative works of, disassemble, decompile, reverse compile or reverse engineer the Hosted Service, or attempt to discover the source code of the underlying software of the Hosted Service, except to the extent the foregoing restrictions are expressly prohibited by applicable law; (c) circumvent or disable any digital rights management, usage rules, or other security features of the Hosted Service, or otherwise attempt to gain unauthorized access to, or disrupt the integrity or performance of, the Hosted Service or the data contained therein; (d) access or use the Hosted Service in order to build a similar or competitive website, application, or service; (e) copy, reproduce, distribute, republish, download, display, post or transmit in any form by any means any part of the Hosted Service; and (f) remove or destroy any copyright or other proprietary notices contained on or in the Hosted Service. Customers shall use the Hosted Service only in compliance with all applicable laws. Customer is responsible for all activities conducted under its logins on the Hosted Service, and for its compliance with this Agreement. Customers shall be responsible for the security of all passwords and other access protocols required to access the Hosted Service. Customer shall promptly notify WhiteHub if Customer’s passwords or access protocols are lost, stolen, disclosed to an unauthorized third party, or otherwise compromised.
Each Crowdsourced Security Program that Customer orders during the Term will be described in a WhiteHub quotation or similar purchase order from Customer (each, a “Contract”), which will become effective (a) when signed by both parties; or (b) upon the issuance of a Customer purchase order that references the WhiteHub Contract (it being understood that Customer’s issuance of such a purchase order constitutes Customer’s agreement with the terms of the Contract). Each Crowdsourced Security Program will commence on a date mutually agreed upon by WhiteHub and Customer. All Contracts placed on an annual basis will auto-renew for additional year-long terms at then-current pricing unless otherwise stated in the Contract or unless either party notifies the other party of its intention to terminate the Contract within sixty (60) days before the end of the then-current year’s terms. All other Contracts (meaning On Demand Contracts or other Contracts not placed on an annual basis) will expire upon completion of the Crowdsourced Security Program or upon termination or expiration of the Crowdsourced Security Program pursuant to this Agreement.
2.4 Performance of Testing Services
Promptly upon execution of a Contract, WhiteHub will identify to Customer a relationship manager to assist in the success of the Crowdsourced Security Programs (the “WhiteHub Relationship Manager”), and Customer will identify to WhiteHub a project manager to manage Customer’s Crowdsourced Security Programs and the WhiteHub relationship (“Customer Project Manager”). The WhiteHub Relationship Manager and Customer Project Manager will prepare a mutually agreed Program Brief for each Crowdsourced Security Program. WhiteHub will communicate the Crowdsourced Security Programs, including Program Briefs, to Security Researchers so that they may perform the Testing Services. Security Researchers will report vulnerabilities to WhiteHub through the Hosted Service and Customers may access the information reported through the Hosted Service for the duration of the applicable Crowdsourced Security Program. WhiteHub makes the Program Brief(s) available to applicable Security Researchers, and reviews the vulnerability information submitted by the Security Researchers to validate the reported vulnerabilities, confirms whether the reported vulnerabilities are within the scope of the Program Brief, provides Customer with instructions to reproduce the validated vulnerabilities, and assesses whether payment of Rewards is due on any validated vulnerabilities in accordance with the terms of the applicable Program Brief. Testing Services must be utilized within the term set forth in the applicable Contract or shall be forfeited.
2.5 Customer Authorization
2.6 Payment of Rewards to Security Researchers.
Unless otherwise set forth in the applicable Contract, WhiteHub will periodically make available to Customer through the Hosted Service reports that identify WhiteHub’s recommendation of appropriate payments of Rewards to Security Researchers consistent with the applicable Program Brief (each, a “Report”). Unless otherwise specified in the applicable Contract, WhiteHub will notify Customer electronically through the Hosted Service when a Report is available for review by Customer. Upon notification of the availability of each Report, Customers will have five (5) business days to review and approve or reject such recommendations (the “Approval Period”). Customers may reasonably reject WhiteHub’s recommendation if the applicable Testing Report is outside the scope of the Crowdsourced Security Program, or if the vulnerability reproduction instructions provided by WhiteHub are not sufficient to reproduce the vulnerabilities provided by the applicable Security Researcher. If, within the Approval Period, Customer rejects a WhiteHub recommendation on one of the bases set forth above, Customer shall provide WhiteHub with written notice (the “Customer Notice”), which shall include the reasons for such rejection, and WhiteHub will promptly research the issue and submit a revised Report, which shall be deemed approved unless Customer rejects as above. Customer’s failure to provide a Customer Notice within the Approval Period shall be deemed to be approval of WhiteHub’s recommendations in the applicable Report. Promptly following approval or deemed approval of WhiteHub’s recommendation, WhiteHub will make payment of the approved Reward to the applicable Security Researcher by using Customer’s deposited Rewards Pool. All Rewards paid to Security Researchers must be made in connection with a Crowdsourced Security Program.
3. Independent Contractor Relationship
WhiteHub uses its technology to connect Customers with Security Researchers; however, WhiteHub does not control or supervise the Security Researchers, and the Security Researchers are not employees of WhiteHub. Customer acknowledges and agrees that a Security Researcher’s relationship to WhiteHub is that of an independent contractor. Nothing in this Agreement is intended or should be construed to create a partnership, joint venture, or employer-employee relationship between Security Researchers and WhiteHub or between Customer and any of WhiteHub’s employees, agents, or contractors. Security Researchers are not agents of WhiteHub and are not authorized to act on behalf of WhiteHub.
Customers shall pay WhiteHub fees for each Crowdsourced Security Program as specified in the applicable Contract (the “Fees”) within thirty (30) days of its receipt of invoice. Unless otherwise stated in the Contract, all Fees shall be invoiced upon execution of the Contract. The Fees will include the “Listing fee” - monthly fee as listed in the Contract, and a pooled amount which customers will deposit for rewards to be paid to Security Researchers (the “Rewards”) as set forth in the applicable Contract (the “Rewards Pool”). In the event that the Rewards Pool is exhausted prior to completion of the Crowdsourced Security Program, Customers may replenish the Rewards Pool. Any portion of the Rewards Pool that remains unused as of the termination of this Agreement shall be credited to Customer for use pursuant to a subsequent Contract, or returned, at Customer’s option. Customers will be responsible for all taxes, withholdings, duties and levies in connection with the Services. Any late payments shall be subject to interest of 1.5% per month of the amount due, or the maximum amount allowed by law, whichever is less, plus actual costs of collection. In the event Customer’s account is more than thirty (30) days overdue on payment for any reason, WhiteHub shall have the right to suspend the Services and Customer’s use of the Hosted Service without further notice to Customer, until Customer has paid in full the balance owed, plus any interest due. Customer agrees that if a price discount is indicated in any Contract, Customer will participate in joint marketing activities with WhiteHub (customer case study, press release, blog, social posts, or other marketing communications that showcase Company’s success with WhiteHub, with the form and language agreed on by the parties, and Customer grants WhiteHub the right to reference Customer and a license to use Customer’s logo in connection therewith).
“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and which is disclosed pursuant to this Agreement. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party. The Customer Data shall be deemed Customer Confidential Information. The Testing Report shall be deemed the Confidential Information of both parties and nothing in this Agreement shall be deemed to limit or restrict Customer’s rights in or to the Testing Report, except that neither party may disclose the Testing Report to a third party without the express written consent of the other party. The following shall be deemed WhiteHub Confidential Information: documentation and pricing set forth in a Contract; information relating to the identity of the Security Researchers; and metadata related to the Testing Report. Except as required to achieve the purpose of this Agreement, each receiving party agrees not to use the other party’s Confidential Information and to prevent disclosure of the other party’s Confidential Information to any third party for three (3) years after the date of disclosure or, in the case of the Customer Data, until such time as such Customer Data ceases to be confidential. The receiving party may disclose Confidential Information if required by a governmental agency or applicable law, provided that it gives the disclosing party reasonable advance written notice sufficient to permit it to contest such disclosure.
Except as specifically set forth above, this Agreement does not transfer from either party any rights in any Confidential Information and all right, title and interest in and to Confidential Information will remain solely with the disclosing party.
Subject to the rights expressly granted to Customer in this Agreement, as between WhiteHub and Customer, WhiteHub reserves all right, title and interest in and to the Hosted Service, and all modifications and improvements to it, including all related intellectual property rights. No rights are granted to Customers other than as expressly set forth in this Agreement. Subject to the rights expressly granted to WhiteHub and the Security Researchers in this Agreement or the applicable Program Brief, Customer reserves all right, title and interest in and to the Target Systems, and all modifications and improvements thereto, including all related Intellectual Property Rights. No rights are granted to WhiteHub other than as expressly set forth in this Agreement or the applicable Program Brief. WhiteHub shall limit its use, disclosure and reproduction of the Testing Report to use, disclosure and reproduction reasonably required to perform the Testing Services and make the Testing Report available to Customer through the Hosted Service. Customer shall limit its use, disclosure and reproduction of the Testing Report solely for its internal business purposes in connection with the Crowdsourced Security Program. Customer agrees that nothing in this Agreement shall be deemed to limit or restrict WhiteHub’s rights in or to the De-Identified Results. WhiteHub shall have a non-exclusive, perpetual, irrevocable, worldwide, transferable, sublicensable, fully-paid right to reproduce, create derivative works of, distribute, publicly perform, publicly display, digitally transmit, and otherwise use the De-Identified Results and derivative works thereof for any purpose. 
WhiteHub shall have a royalty-free, worldwide, transferable, sublicensable, irrevocable, perpetual license to use or incorporate into its services any suggestions, ideas, enhancement requests, feedback, recommendations or other information provided by Customer or its authorized users relating to the features, functionality or operation of the Hosted Services or the Testing Services (“Suggestions”). For clarity, Suggestions shall not include any Testing Report and do not grant WhiteHub rights under any Customer patents or copyrights, and WhiteHub’s use of Suggestions shall not identify Customer or any authorized users as the source of such Suggestions.
6.2 Intellectual Property Rights
“Intellectual Property Rights” means, on a worldwide basis, all patents (including originals, divisionals, continuations, continuations-in-part, extensions, foreign applications, utility models and re-issues), patent applications, copyrights (including all registrations and applications therefore), trade secrets, service marks, trademarks, trade names, trade dress, trademark applications and other proprietary and intellectual property rights, including moral rights.
7. WhiteHub Representations and Warranties
WhiteHub makes the following representations, warranties, and covenants: (a) it will use commercially reasonable efforts to ensure that the Services are performed in a professional and workmanlike manner consistent with industry standards; (b) it has full right, power, and authority to enter into and perform this Agreement; and (c) it will comply with all applicable laws, regulations, and ordinances applicable to WhiteHub’s performance under this Agreement.
WHITEHUB DOES NOT WARRANT THAT THE TESTING SERVICES WILL IDENTIFY ALL VULNERABILITIES OR THAT THE RESULTS OF THE HOSTED SERVICE AND TESTING SERVICES WILL ENSURE SECURITY OF CUSTOMER’S APPLICATIONS OR SYSTEMS. WHITEHUB DOES NOT WARRANT THAT THE HOSTED SERVICE WILL PERFORM ERROR-FREE OR WITHOUT INTERRUPTION. EXCEPT AS EXPRESSLY WARRANTED IN THIS SECTION 7, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE HOSTED SERVICE AND TESTING SERVICES ARE PROVIDED “AS IS,” AND WHITEHUB DISCLAIMS ALL OTHER WARRANTIES EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF TITLE, MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.
WhiteHub will defend at its own expense any action against Customer brought by a third party to the extent that the action is based upon a claim that the Hosted Service infringes any Vietnamese patent or copyrights or misappropriates any trade secrets, and WhiteHub will pay those costs and damages finally awarded against Customer in any such action that are attributable to such claim or those costs and damages agreed to in a settlement of such action. The foregoing obligations are conditioned on Customer notifying WhiteHub promptly in writing of such action, Customer giving WhiteHub sole control of the defense and any related settlement negotiations, and Customer assisting, at WhiteHub’s request and expense, in such defense. If the Hosted Service becomes, or in WhiteHub’s opinion is likely to become, the subject of an infringement claim, WhiteHub may, at its option and expense, either (a) procure for Customer the right to continue using the Hosted Service, (b) replace or modify the Hosted Service so that it becomes non-infringing, or (c) terminate the Agreement and provide Customer with a refund of any prepaid, unused Fees. Notwithstanding the foregoing, WhiteHub will have no obligation under this Section or otherwise with respect to any infringement claim based upon (i) any use of the Hosted Service not in accordance with this Agreement; (ii) any use of the Hosted Service in combination with products, equipment, software or data not supplied by WhiteHub; or (iii) any modification of the Hosted Service by any person other than WhiteHub. This Section states WhiteHub’s entire liability and Customer’s sole and exclusive remedy for infringement claims and actions.
Customer will defend, at its own expense, any action against WhiteHub brought by a third party (including government bodies and regulatory authorities) to the extent that the action is based upon a claim that access to the Target Systems and/or data contained within the Target Systems by WhiteHub or Security Researchers in performance of the Testing Services was not authorized, and Customer will indemnify and hold harmless WhiteHub against those costs and damages finally awarded against WhiteHub in any such action that are specifically attributable to such claim, or those costs and damages agreed to in a settlement of such action signed by Customer.
9. Limitation of Liability
EXCEPT FOR OBLIGATIONS UNDER SECTIONS 5 (CONFIDENTIALITY), SECTION 8 (INDEMNIFICATION) AND AMOUNTS OWED FOR SERVICES, EACH PARTY’S MAXIMUM AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THIS AGREEMENT WILL NOT EXCEED THE TOTAL AMOUNT PAID TO WHITEHUB FOR HOSTED SERVICES WITHIN 12 MONTHS PRECEDING THE EVENT OR ACTION GIVING RISE TO LIABILITY. NEITHER PARTY SHALL BE LIABLE FOR ANY LOST PROFITS, LOSS OF BUSINESS, LOSS OF USE OR LOSS OF DATA, DELAY OR INTERRUPTION OF BUSINESS, OR LOST GOODWILL; FOR ANY COST OF PROCUREMENT OF SUBSTITUTE GOODS, SOFTWARE OR SERVICES; OR FOR ANY INCIDENTAL, INDIRECT, CONSEQUENTIAL OR PUNITIVE DAMAGES; IN EACH CASE ARISING OUT OF OR RELATING TO THE AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. Term and Termination
This Agreement will commence on the Effective Date and will continue until terminated by either party in accordance with the terms of this Agreement (the “Term”). Either party may terminate this Agreement or any Contract immediately upon written notice to the other party (the “defaulting party”) if the defaulting party has materially breached a provision of this Agreement or any Contract, and that breach remains uncured for thirty (30) days after the defaulting party receives notice of that breach.
10.1 Effects of Termination
Upon termination or expiration of this Agreement or the applicable Contract, Customer will cease use of the Hosted Service. Sections 1 (Definitions), 3 (Independent Contractor Relationship), 4 (Fees), 5 (Confidentiality), 6 (Ownership), 7 (WhiteHub Representations and Warranties), 8 (Indemnification), 9 (Limitation of Liability), 10.1 (Effects of Termination) and 11 (General Provisions) will survive any termination or expiration of this Agreement.
11. General Provisions
Any action arising out of or related to this Agreement shall be governed by Vietnamese laws, and the choice of law rules of any jurisdiction shall not apply. Each party agrees to the exclusive personal jurisdiction and venue of the People's Courts located in Hanoi, Vietnam. If any provision of this Agreement is held to be invalid or unenforceable, the other provisions of this Agreement will be unimpaired, and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law. This Agreement may not be assigned by a party without the other party’s express prior written consent, except in connection with the merger or sale of substantially all of such party’s stock or assets or some other acquisition transaction. Any attempted assignment in violation of the foregoing will be null and void. Neither party shall be liable under this Agreement for failure or delay in performance caused by a Force Majeure Event, except for payment obligations. If a Force Majeure Event occurs, the party affected shall use commercially reasonable efforts to resume the performance excused by the Force Majeure Event. “Force Majeure Event” means any event beyond the reasonable control of the party affected by such an event, which causes a party to delay or fail to perform under this Agreement. Customers may not use, export, import, or transfer the Hosted Service or Testing Report except in strict accordance with all applicable laws, including but not limited to all Vietnam export laws and regulations. In the event of any conflict between this Agreement and an accepted Contract, this Agreement will control unless the Contract expressly modifies the terms of this Agreement with respect to the Crowdsourced Security Program described in that Contract. All waivers must be in writing and signed by the party to be charged. 
Any waiver or failure to enforce any provision of this Agreement on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion. This Agreement is the final, complete, and exclusive agreement of the parties and supersedes and merges all prior or contemporaneous communications and understandings between the parties. WhiteHub may modify, amend or update this Agreement at any time without notice. With the exception of Contracts, the terms of any purchase order or similar document submitted by Customer to WhiteHub will have no force or effect.