Valid from: 1 July 2021
A Bug Bounty Program is a company-driven initiative to identify, fix and disclose software bugs and security vulnerabilities (hereinafter Vulnerabilities) by offering financial rewards to the discoverers.
The NoZero Platform (hereinafter: Platform) is a platform operated by NoZero srl (Platform Operator), which offers its customers (Customers) the possibility to run a bug bounty program.
A Customer is a company that uses the Platform’s offer to find vulnerabilities in its software and to fix them before they become publicly known.
Ethical Hackers are security experts who participate in a bug bounty program and are rewarded for finding bugs in the Customers’ software.
2. DESCRIPTION OF THE PLATFORM
Many companies cannot afford independently organized bug bounty programs or platforms due to the technical, organizational and legal effort involved. This is where the NoZero Platform comes in: the Platform enables the Customer to create and manage an individual bug bounty program via the NoZero Platform and offers both the Ethical Hackers and the Customers legal protection in the form of a “legal safe harbor”. As long as the Ethical Hackers stay within the framework set by the Customers, they are not liable to prosecution, because the Customers have given their prior consent to such hacking activities. Any vulnerabilities are reported by the Ethical Hackers exclusively via the NoZero Platform. The Platform ensures the secure storage of this information and checks reported vulnerabilities for verifiability and novelty. It then categorizes verifiable vulnerabilities that are not already known in terms of their severity and criticality. Depending on the severity of a vulnerability (“bug”), it then awards a reward (“bounty”) and transfers the corresponding amount of money to the Ethical Hacker’s account. The categories of vulnerabilities and the associated rewards can be viewed on the Platform’s website by registered Ethical Hackers, with the rewards being determined by the Customers for the respective bug bounty program.
3. SERVICES OF THE PLATFORM
The Platform offers Customers a bug bounty platform through which the Customer can operate its individual bug bounty program. This includes the following services, unless otherwise specified in the selected service type of the platform:
Verification of the Ethical Hackers’ identity according to the various identity verification levels.
Review of vulnerabilities reported by Ethical Hackers for novelty and verifiability.
Review of the severity classification of new and verifiable vulnerabilities initially determined by the Ethical Hacker.
Providing a discussion platform between the Customer and the Ethical Hacker for queries regarding reported vulnerabilities.
Securely storing information about vulnerabilities until they are fixed.
Information about vulnerabilities already found for Ethical Hackers participating in the bug bounty program concerned (to exclude multiple reports).
Payment of rewards for new and verifiable vulnerabilities according to the customer’s individual bounty list.
4. DUTIES OF THE ETHICAL HACKERS
Denial-of-service attacks or other brute-force attacks
In addition to the improper hacking methods listed in Section 4.4, the Ethical Hackers are required to immediately discontinue vulnerability hunting if they determine that their conduct will result in a significant degradation (negative impact on regular users or on the operations team) of the Platform’s or Service’s operations.
5. DUTIES OF THE CUSTOMERS
When setting up a bug bounty program via the platform, customers must define the scope of the program. The scope defines for which services of the customer the bug bounty program should apply. In particular, they can include or exclude certain domains and/or subdirectories from the scope. The additional information required for the scope can be found in the corresponding form.
Customers undertake to pay the prices according to the price list for the services of the Platform as well as a sum chosen by them, which will be used as a bounty for the payment of Ethical Hackers in the event of the discovery of new and verifiable vulnerabilities. The fee for the Platform’s services and the sum designated for rewards must be transferred to the Platform Operator prior to the start of a bug bounty program, or pledged, e.g., in the form of a Purchase Order (PO). The reward for the Ethical Hacker, including the handling fee of the Platform, must be transferred within 15 days after definite confirmation of the bug. An advance payment of the sums provided annually for rewards is also possible.
The bug bounty program started by a Customer will run until it is paused or stopped by the Customer. Customers agree to pay Bounties for Bugs found during an ongoing (i.e. not paused or stopped) Bug Bounty Program.
6. EVALUATION AND PAYMENT OF BOUNTIES
The bugs reported by Ethical Hackers via the Platform will be evaluated by the Platform Operator within 5 days with regard to their novelty and verifiability and, if they are new and verifiable, assigned to a category and thus to a reward according to the bounty list of the respective bug bounty program.
Unless otherwise defined in the bug bounty program, the rating is verified by means of the Common Vulnerability Scoring System (CVSS):
low: 0.1 – 3.9
medium: 4.0 – 6.9
high: 7.0 – 8.9
critical: 9.0 – 10
The reward for finding and reporting a new and verifiable bug will be transferred to the bank account of the Ethical Hacker concerned specified during registration within 30 days after definite confirmation of the bug.
Multiple vulnerabilities caused by one underlying problem are rewarded with one premium.
The Platform is entitled to reject reported bugs if they are not new and/or not verifiable. In this case, any claim for compensation is forfeited.
The following vulnerabilities and forms of documentation are generally not sought and are rejected:
Best practices that do not lead to a directly exploitable vulnerability (e.g., missing security headers).
Vulnerabilities due to third-party software libraries for which the vulnerabilities are already known.
Output of automated tools without additional explanation.
7. CONTRACT TERM
The Customers are solely responsible for any damage that occurs within the scope of the hacking permitted by the Scope. Civil or criminal action against Ethical Hacker or the platform is excluded in this case.
If an Ethical Hacker does not adhere to the specified scope and damage occurs as a result, the Ethical Hacker alone is responsible for this. If there is evidence of a justified suspicion that Ethical Hackers have exceeded the scope, the Platform will block the account of the offending Ethical Hacker(s). Any further liability of the Platform is excluded.
The platform shall ensure a safe storage of the information about found vulnerabilities according to the state of the art. In the event that third parties are able to access such information despite the protective measures taken and damage occurs as a result, the Platform’s liability is excluded.
The platform shall ensure the best possible availability. The platform shall not be liable for any damage resulting from an unavailability of the platform.
Ethical Hackers are responsible for correctly declaring their earnings (rewards for found bugs) according to the law applicable to them. The platform excludes any liability due to incorrect declaration of earnings by the Ethical Hackers. For Ethical Hackers residing in Italy, the lack of economic and work-organizational dependence means that there is no dependent employment and thus no obligation to pay social security contributions.
9. FINAL PROVISIONS
Communications from the Platform to Customers and Ethical Hackers shall be made by secure e-mail or via the Platform.
Contracts between the Platform and the Ethical Hackers, or between the Platform and the Customers, shall be governed exclusively by Italian substantive law, excluding international conventions, including the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (CISG), and the conflict of laws rules.
The exclusive place of jurisdiction is Rome.