Last modified on June 30th 2021
This web page represents a legal document with terms and conditions applicable to all individuals who have registered usernames (also known as an “ID”) with WHITEHUB PTE. LTD (“WhiteHub”) through the WhiteHub website. In addition, the terms and conditions contained in our Code of Conduct, Disclosure Policy and Terms of Service (along with these Researcher Terms and Conditions, collectively, the “Researcher Terms”) are incorporated by reference into these Researcher Terms and Conditions. Upon obtaining a username with WhiteHub, you are referred to as a “Researcher” and you are bound by and are obligated to comply with the Researcher Terms.
1. The submission process
If you believe you have discovered a vulnerability, please create a submission for the appropriate program through the WhiteHub platform. Each program has a set of guidelines called the Program Brief. The Program Brief is maintained by the Program Owner. Terms specified in the Program Brief supersede these terms.
Each submission will be updated with significant events, including when the issue has been validated, when we need more information from you, or when you have qualified for a reward.
Each submission is evaluated by the Program Owner on the basis of first-to-find. WhiteHub may assist in the evaluation process.
You will qualify for a reward if you were the first person to alert the Program Owner to a previously unknown issue AND the issue triggers a code or configuration change.
2. Standard Program Rules
We are committed to protecting the interests of Security Researchers. The more closely your behavior follows these rules, the more we’ll be able to protect you if a difficult situation escalates.
Rules can vary for each program. Please carefully read the program brief for specific rules. These rules apply to all programs:
- Testing should be performed only on systems listed under the program brief ‘Targets’ section. Any other systems are Out Of Scope.
- Except when otherwise noted in the program brief, you should create accounts for testing purposes.
- Submissions must be made exclusively through WhiteHub to be considered for a reward.
- Communication regarding submissions must remain within WhiteHub and/or official WhiteHub support channels for the duration of the disclosure process.
- Actions which affect the integrity or availability of program targets are prohibited, and this rule is strictly enforced. If you notice performance degradation on the target systems, you must immediately suspend all use of automated tools.
- Submissions should have an impact on the target’s security posture. Impact means the reported issue affects the target’s users, systems, or data security in a meaningful way. Submitters may be asked to defend the impact in order to qualify for a reward.
- Submissions may be closed if a Researcher is non-responsive to requests for information after 7 days.
- The existence or details of private or invitation-only programs must not be communicated to anyone who is not a WhiteHub employee or an authorized employee of the organization responsible for the program.
- We encourage Researchers to include a video or screenshot Proof-of-Concept in their submissions. These files must not be shared publicly, including by uploading them to any publicly accessible website (e.g. YouTube, Imgur). If the file exceeds 100MB, upload it to a secure online service such as Vimeo, protected with a password.
- WhiteHub’s Disclosure policies apply to all submissions made through the WhiteHub platform, including Duplicates, Out of Scope, and Not Applicable submissions. Customers may select Nondisclosure, Coordinated Disclosure, or Custom Disclosure policies to be applied to their program brief.
- If a Researcher wants to retain disclosure rights for vulnerabilities that are out of scope for a bounty program, they should report the issue to the Program Owner directly. WhiteHub can assist Researchers in identifying the appropriate email address to contact. Program Owners are encouraged to ensure their program scope includes all critical components they wish to receive vulnerability reports for.
- Violation of a program’s stated disclosure policy may result in enforcement action as outlined in the WhiteHub Terms and Conditions.
You must be at least 18 years old or have reached the age of majority in your jurisdiction of primary residence and citizenship to be eligible to receive any monetary compensation as a Researcher. Additional applicable eligibility requirements are stated in the Terms of Service. Exceptions with respect to a minor’s participation in Vulnerability Disclosure Programs may be considered on a case-by-case basis as between WhiteHub and the applicable minor’s guardian(s).
3. Usernames and Passwords
You will need to set up an account and username in order to be a Researcher. You may not use a third party’s account without permission. When you are setting up your account, you must give us accurate and complete information. This means that you cannot set up an account using a name or contact information that does not apply to you, and you must provide accurate and current information on all registration forms that are part of the Website. You may only set up one account. You have complete responsibility for your account and everything that happens on your account. This means you need to be careful with your password. If you find out that someone is using your account without your permission, you must let us know immediately. You may not transfer your account to someone else. We are not liable for any damages or losses caused by someone using your account without your permission. However, if we (or anyone else) suffer any damage due to the unauthorized use of your account, you may be liable. WhiteHub may deny the use of certain usernames or require certain usernames be changed at WhiteHub’s sole discretion and/or to comply with end customers’ requirements. Usernames containing offensive or discriminatory words are prohibited.
4. Excluded Submission Types
Some submission types are excluded because they are dangerous to assess, or because they have low security impact to the Program Owner. This section lists issues that WhiteHub does not accept; such submissions will be immediately marked as invalid and are not rewardable.
- Findings from physical testing such as office access (e.g. open doors, tailgating).
- Findings derived primarily from social engineering (e.g. phishing, vishing).
- Findings from applications or systems not listed in the ‘Targets’ section.
- Functional, UI and UX bugs and spelling mistakes.
- Network level Denial of Service (DoS/DDoS) vulnerabilities.
5. Common "Non-qualifying" Submission Types
Some submission types do not qualify for a reward because they have low security impact to the program owner, and thus, do not trigger a code change. This section contains a listing of issues found to be commonly reproducible and reported but are often ineligible. We strongly suggest you do not report these issues unless you can demonstrate a chained attack with higher impact.
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HttpOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha bypass.
- Username enumeration via Login Page error message.
- Username enumeration via Forgot Password error message.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS / TRACE HTTP method enabled.
- SSL/TLS attacks such as BEAST, BREACH, and renegotiation attacks.
- SSL/TLS forward secrecy not enabled.
- SSL/TLS insecure cipher suites.
- Missing anti-MIME-sniffing header (X-Content-Type-Options).
- Missing HTTP security headers, specifically those listed at https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/
6. Program Rewards
You will qualify for a reward if you were the first eligible person to alert the Program Owner to a previously unknown issue AND the issue triggers a code or configuration change. Reward details vary for each program. Rewards can take the form of VND, WHC or WhiteHub Points. Please carefully read each program brief for specific details.
Each submission’s reward amount is based on the business impact, severity, and creativity of the issue. Bugs found in applications, features, and functions called out in the program brief as “Focus Area(s)” are awarded at higher levels.
If you become eligible for a monetary award, to get paid, you may need to: (a) provide additional verification and tax information, (b) fulfill various eligibility requirements and (c) agree to additional terms and conditions with a third party payment processor. Taxes on monetary rewards paid to you are your sole responsibility and monetary rewards which remain unclaimed or undeliverable for a period of six (6) months will be forfeited.
7. Intellectual Property; Ownership of Testing Results
You hereby represent that you have obtained the necessary approvals and consents from all third parties including your employer for the purpose of participating as a Researcher.
For the purposes of this section, “Testing Results” means information about vulnerabilities on the Target Systems discovered, found, observed or identified by Researchers, and “Target Systems” means the applications and systems that are the subject of the Testing Services.
You hereby agree and warrant that you will disclose all of the Testing Results found or identified by you (“your Testing Results”) to WhiteHub. Furthermore, you hereby assign to WhiteHub and agree to assign to WhiteHub any and all of your Testing Results and rights thereto. To the extent any rights in your Testing Results are not assignable, you shall grant and agree to grant to WhiteHub under any and all such rights an irrevocable, paid-up, royalty free, perpetual, exclusive, sublicensable (directly or indirectly through multiple tiers), transferable, and worldwide license to use and permit others to use such Testing Results in any manner desired by us (and/or our customers and sponsors) without restriction or accounting to you, including, without limitation, the right to make, have made, sell, offer for sale, use, rent, lease, import, copy, prepare derivative works, publicly display, publicly perform, and distribute all or any part of such Testing Results and modifications and combinations thereof and to sublicense (directly or indirectly through multiple tiers) or transfer any and all such rights. Further, you shall waive and agree to waive in favor of WhiteHub any moral right or other right or claim that is contrary to the intent of a complete transfer of rights to WhiteHub in your Testing Results.
You hereby authorize us and any Bug Bounty Program or Vulnerability Disclosure sponsors to publicize your Testing Results, including account name (ID), and any additional information as may be required by the Program Brief. Any such Program Brief may request certain personally identifiable information about you be provided to the Program Owner and your agreement to participate in such Bug Bounty Program or Vulnerability Disclosure indicates your consent to provide such information.
8. Confidentiality Obligations
“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, information regarding Target Systems, information regarding the target of a crowdsourced security program (including, as may be applicable, any merger, acquisition or sale discussions or transactions), pricing information, business information, fees and amounts paid to Researchers and existence of and terms of private crowdsourced security programs. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.
You agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by disclosing party; (ii) protect such Confidential Information with at least the same degree of care that the Researcher uses to protect its own Confidential Information, but in no case, less than reasonable care; (iii) use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and (iv) immediately notify disclosing party upon discovery of any loss or unauthorized disclosure of disclosing party’s Confidential Information.
ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF THE PROGRAM OWNER UNLESS OTHERWISE STATED IN THE BOUNTY BRIEF. This means no submissions may be publicly disclosed at any time unless the Program Owner has otherwise consented to disclosure. Please see the Disclosure Policy for a fuller description of the disclosure of vulnerabilities in connection with Bug Bounty Programs.
With respect to the Confidential Information of Researchers, please refer to the WhiteHub privacy policy.
9. Official Support Channels and Private Communication
During the course of each program, the WhiteHub team may communicate updates via:
- ‘Program Updates’ section within the program.
- Email.
If you have questions about a program or a specific submission, you may contact the WhiteHub team via:
- WhiteHub Submission Messages.