1.1 “Environment”: An ICT system, network, technology, infrastructure, application, software or other environment communicated and/or made available by a Customer on the Platform, for the purpose of having its security tested.
1.2 “Ethical hacking”: Ethical hacking is a security testing technique which may be defined as the process of attempting to penetrate a network or computer system and bypass system security, for the purpose of identifying potential security vulnerabilities. Ethical hacking may also entail an attempt to exploit such encountered vulnerabilities, in order to determine to what extent unauthorised access and/or other malicious activities could be possible. Ethical hacking is considered “ethical” in the sense that no malicious intentions are present and the ethical hacker discloses found Vulnerabilities to the concerned organisation, so that the organisation can improve its system security.
1.3 “Platform”: www.intigriti.com
1.4 “Researchers”: independent security researchers (ethical hackers), whether companies or natural persons, willing to offer their services through the Platform.
1.5 “Submission”: A notification that a Vulnerability was found in (one of) Customer’s Environment(s). Submissions are submitted by Researchers through the Platform and describe the Vulnerability and how it was discovered.
1.6 “Vulnerability”: a bug, defect or a weakness, a design- or execution error, an absence of alignment to the most recent state of the art, or any other (technical) error which compromises the security of the information or communication technologies. A vulnerability might lead to an unexpected or unwanted event and might be exploited by malicious third parties, for the purpose of compromising the integrity, availability or confidentiality of a system and/or to cause damage.
2.1 intigriti aims to bring responsible companies (“Customers”) and enthusiastic ethical Researchers together to help improve the safety of Customers’ computer systems. intigriti created this Platform as a marketplace/communication tool where Researchers can offer their Ethical Hacking services to different Customers and where Customers can reach out to a community of Researchers, to have their computer systems tested. When Researchers test a Customer’s Environment, they are required to disclose detected security vulnerabilities in a responsible and coordinated manner, to enable Customers to take the appropriate action to improve their system security.
2.2 By creating an account on the Platform, you sign up as a Researcher and you accept and agree with the terms of these Researcher Guidelines. If you do not agree with the terms enshrined herein, you are not allowed to access and/or make use of the Platform and you do not have permission to test/ethically hack the Environments communicated on the Platform. By signing up you confirm that you have reached the age of 18 years old and are legally competent to enter into this agreement. You confirm that you are not subject to legislative or other measures (e.g. EU restrictive measures) prohibiting you and intigriti from entering into these Researcher Guidelines with each other.
2.3 By accepting these terms, you declare that you fully understand that intigriti solely provides a communication Platform where it will act as a moderator. Any services in the field of Ethical Hacking you would perform in relation to an Environment communicated on the Platform will be delivered by you directly to the applicable Customer on an independent basis. Any contractual relationship relating to the Ethical Hacking will be concluded directly between you and the Customer.
3. YOUR LICENSE
3.1 intigriti hereby grants to you a revocable, non-exclusive, non-sublicensable, non-transferable, worldwide, royalty-free license to access and use the Platform and to access and view the content made available on the Platform. This license applies only when exercised in good faith and within the margins of your permitted use.
3.2 intigriti may discontinue your use of all or any part of the intigriti Platform, including your access to it, at any time at intigriti's discretion. In particular, if we believe you are abusing the Platform in any way, the personal information you entered is not correct, or you do not respect the scope and limits of your authorisations, we may, in our sole discretion and without limiting other remedies, suspend or terminate your user account(s) and access to the Platform. A notification thereof immediately withdraws any authorisations given to you and prohibits you from (further) using (ethical) hacking techniques on the Environments of Customers.
3.3 In connection with using and/or accessing this Platform and/or delivering related Ethical Hacking services, you are not allowed to:
(a) breach or circumvent any laws, third-party rights or our systems, policies, or instructions regarding the use of the Platform;
(b) use or access our Platform if you are not able to form legally binding contracts (for example, if you are under 18 years old);
(c) transfer your account and user ID to another party without our consent;
(d) harvest or otherwise collect information about Customers or Researchers without their consent; or
(e) circumvent any technical measures we use to provide the Platform.
4. CUSTOMER/RESEARCHER RELATION
4.1 Your Ethical Hacking activities carried out in relation to the Environments on the Platform will be delivered directly to the Customer who communicated the concerned Environment.
4.2 Intigriti will allow both Customer and Researchers (you) to access and use the Platform and will act as a coordinator/moderator. Subject to compliance with the Customer’s scope, you are entirely free to decide if, when, where and to which Customers you will deliver your Ethical Hacking services. You will deliver your services on an independent basis and, for the avoidance of doubt, not as a subcontractor, employee or agent of intigriti or Customer. Intigriti is not responsible and/or liable for your or Customer’s actions or omissions.
4.3 When signing up to perform ethical hacking services for a Customer, and/or when accessing an Environment for that purpose, you must always respect these Researcher Guidelines, the scope, term, prohibited actions and any other terms and conditions set out by Customer on the Platform. If you do not agree with the Customer’s terms, refrain from using any Ethical Hacking techniques in relation to the applicable Environments. By the mere initiation of your testing/Ethical Hacking activities in relation to an Environment, you are deemed to have read and accepted the Customer’s terms and conditions applicable to that Environment. Therefore, you agree that the applicable terms and conditions (including these Researcher Guidelines) constitute a legally binding contract between you and Customer and that both you and the Customer can derive rights and obligations from the contract.
In the event of a conflict between the Customer’s terms and conditions and these Researcher Guidelines, the Customer’s terms and conditions will always prevail within your (contractual) relationship with Customer, unless the Customer explicitly states otherwise. The Customer’s terms and conditions will not affect your relationship with intigriti.
5. YOUR PERFORMANCE OF ETHICAL HACKING SERVICES
5.1 By logging in on the Platform, you sign up to perform Ethical Hacking services on one or more Environments of one or more Customers and to report on any found Vulnerabilities.
In this respect you:
(a) are responsible for reading the full scope and terms set out by the Customer, before initiating any Ethical Hacking activities in relation to an Environment;
(b) understand that you may only use Ethical Hacking techniques and are not allowed to launch uncontrolled attacks or use malicious techniques that could have an impact on the availability and operation of the system;
(c) explicitly declare that you have the necessary expertise and experience to perform Ethical Hacking services in a safe and secure way;
(d) understand that the Ethical Hacking techniques may exclusively be used for the purpose of testing the security strength of the Environment in scope. You are not allowed to browse through the Customer’s data and/or copy any confidential files, data or information;
(e) are required to report upon discovered Vulnerabilities in a prompt and transparent manner through the Platform or to the Customer’s security contact as found on the Platform;
(f) should always respect applicable law, in particular in relation to secrecy of electronic communications, privacy and data protection.
6. TESTING OF IN SCOPE VULNERABILITIES
6.1 Every Environment open for Ethical Hacking will be communicated by Customer on the Platform in a project (hereafter “Project”). A Project will define a scope, clarify your authorizations and may impose (contractual) terms on you. A Customer can have multiple Projects where each Project has its own scope. Projects can be available to all Researchers or limited Researchers, depending on the choice of the Customer.
6.2 The Customer grants you the right to use Ethical Hacking techniques only on the Environment communicated on the intigriti Platform by the Customer and limited to the described scope and the duration the Project is made available, or as otherwise communicated by the Customer.
6.3 Third party systems are out of scope. You may not (attempt to) infiltrate third party systems through Customer’s Environment and must stop as soon as you become aware of a third party system being affected by your services. In this event, you must also immediately notify Customer through the Platform. You are fully liable for actions performed and any potential damages caused to third parties, under article 1382 of the Belgian Civil Code and other applicable legislation.
6.4 You understand that performing Ethical Hacking techniques beyond the scope and/or testing or accessing any environment out of scope (and therefore without authorization) is illegal and criminally sanctioned (e.g. under article 550 bis of the Belgian Criminal Code) and you are fully liable for such actions performed and any potential damages caused.
7. PROHIBITED ACTIONS
7.1 In connection with your ethical hacking services to Customers, you may never:
(a) misuse a Vulnerability you discovered;
(b) exploit more than necessary to demonstrate that there is a Vulnerability in the Environment;
(c) distribute or post spam, unsolicited or bulk electronic communications, chain letters, or pyramid schemes;
(d) install or distribute malware, viruses or any other technologies that may harm the interests or property of Customer or any third party;
(e) change or remove any data or parameters;
(f) make use of techniques such as (Distributed) Denial of Service attacks (DoS or DDoS), physical and/or social engineering and/or techniques that are mentioned in the out of scope section of a particular Project;
(g) use malicious techniques such as brute-force password guessing, theft of passwords, scanning of systems, phishing, etc.;
(h) obtain data and publish/communicate or misuse data that was acquired.
7.2 In general, you must always make sure that you do not intervene with the effective functioning of the Environments and must mitigate any possible harm.
7.3 You may never share or disclose information collected during your hacking process with any third parties.
7.4 Public disclosure is only allowed if both parties (the Customer and you) agree that the content of a Vulnerability and its communication can be shared. A Customer can still choose to redact certain parts of the report, Vulnerability and/or communication and this should be respected and not disclosed.
8. YOUR OBLIGATION TO SUBMIT VULNERABILITIES IMMEDIATELY
8.1 If you believe that you have found a Vulnerability in the Environment of the Customer, you should promptly submit a report (Submission) through the Platform, addressed to the respective Customer.
8.2 The Submission must describe the Vulnerability in a clear, concise and comprehensive manner and must, where possible, include the necessary evidence (e.g. IP addresses, log entries, screenshots etc.).
8.3 You must add information to the Submission whenever new significant events arise as well as when the Customer or intigriti request additional information. You should always collaborate in good faith with Customer to remedy the Vulnerabilities you detected in its Environment(s).
9.1 Customer may agree to award a bounty fee to the first Researcher who discovers a verified Vulnerability in an Environment. In this event, the Customer will set out the amount and the conditions to receive the bounty fee in his Project. If this is not explicitly mentioned by the Customer, no bounty fee will be awarded.
9.2 The Customer will verify your Submissions and, if a bounty fee is communicated and the requirements of the Customer are being met, intigriti will transfer 50% of the bounty fee to you within twenty (20) working days after acceptance by the Customer. The next 50% will be paid upon confirmation that the issue has been fixed.
9.3 You will only be awarded a bounty fee when you are the first Researcher to submit a specific Vulnerability in the Environment, if the issue is confirmed and validated by the Customer and if you have at all times complied with these Researcher Guidelines and the terms set out by Customer.
9.4 All bounty payments will be made in Euros. You are responsible for paying all applicable taxes and social contributions on the payments.
9.5 Intigriti will not perform any payments in the event you are subject to any legislative or other measures (e.g. EU restrictive measures) prohibiting intigriti from doing so.
10. CONFIDENTIALITY AND DATA PROTECTION
10.1 All information you receive or get access to by using the Platform and/or accessing an Environment will be considered strictly confidential. You may for example never communicate findings concerning the Customer, Customer data, Customer’s Environment, detected Vulnerabilities etc. to any third party. Public disclosure will only be allowed upon explicit consent of both intigriti and the Customer. You will be considered liable for all damage that can be attributed to an infringement of this confidentiality obligation.
10.2 When registering on this Platform, you are required to disclose your identity details to intigriti. However, if you desire so, you may operate on the Platform under a pseudonym. Where your Ethical Hacking services to Customers are being delivered properly, in good faith and in accordance with all terms herein, intigriti will use its best endeavours to keep your real identity details confidential. Intigriti may disclose your real identity (i) when disclosure is required by law, by any governmental, judicial or other regulatory authority; or (ii) in the event intigriti and/or Customer have reasonable ground(s) to believe you do not operate in good faith, exceed the given authorization(s), breach these Researcher Guidelines or do not respect the scope or any of the terms imposed by Customer.
10.3 You must at all times adhere to your obligations under applicable law regarding privacy and the processing of personal data in connection with your use of the Platform and your ethical hacking services to Customers. In particular, you must comply with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
10.4 All personal data you encounter on the Platform and/or during the performance of your Ethical Hacking services will be considered confidential. Where you would process Customer’s (personal) data in the performance of your Ethical Hacking services, the Customer may require you to accept a data processing agreement wherein it may be stated that you may only do so if and to the extent this is strictly necessary for the performance of such services, among other relevant instructions and obligations. You are not allowed to copy, duplicate, amend or modify any data of the Customer, or to store any data of the Customer on your own or any other party’s computer systems.
10.5 You must respect all reasonable instructions provided by Customer in relation to its personal and other data and provide to Customer any reasonable assistance as may be requested to allow Customer to comply with its obligations under applicable law. You need to have appropriate safeguards in place to avoid any erasure or changes in the personal data due to the Ethical Hacking processes and must in general take appropriate technical and organizational measures to protect all personal data.
11. YOUR INTELLECTUAL PROPERTY RIGHTS
11.1 intigriti does not claim any ownership rights of your Submissions. You agree that intigriti may collect statistical and other information about your Submissions.
11.2 By submitting a Vulnerability through the Platform, your Submissions will be sent to both intigriti and the applicable Customer. By making any Submission available through the Platform, you hereby grant to the Customer an irrevocable, non-exclusive, non-transferable, worldwide, royalty-free license to use, access, copy, reproduce, display, modify, transmit and distribute copies of that Submission, internally and externally.
12. COMMUNICATION BETWEEN CUSTOMER AND RESEARCHER
12.1 In certain events, intigriti may communicate with you on Customer’s request and on Customer’s behalf and vice versa. intigriti will act in good faith and transfer received communications between both parties without exceptions and without undue delay. All communications will fall under the confidentiality regime as stipulated above.
13. YOUR LIABILITY
13.1 You must make sure your reports, actions and Submissions do not infringe or violate any third party’s intellectual property rights, privacy and data protection rights or any other applicable law or regulation.
13.2 You are aware of the risks arising from Ethical Hacking techniques, including but not limited to lost profits, loss of data, service interruption, hardware or software damage or system failure for the Customer, and make a good faith effort not to cause any damage to the Customer or any third party, to the Customer’s Environment and other computer systems of the Customers, nor the data processed.
13.3 Whenever you act in violation with these Researcher Guidelines, intigriti and Customer will hold the right to hold you liable for the damage arising from this violation.
13.4 If you have a dispute with one or more Customers, you release and indemnify Intigriti from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.
14. DISPUTE MEDIATION
14.1 In the event of a dispute between Customer and Researcher, intigriti may help to facilitate the resolution thereof.
14.2 In the first (informal) phase, intigriti will try to reconcile positions and may for example clarify certain aspects of the performed techniques to Customer, verify the scope and authorizations applicable at a certain time and (in certain cases) disclose your identity details to Customer. Such guidance and assistance provided by intigriti is solely informational and intigriti does not guarantee that its assistance and guidance is complete or accurate. You acknowledge that intigriti is not an accredited mediator and does not provide legal advice. The purpose of this assistance is solely to reconcile positions and to clarify the operation of the platform to all parties.
14.3 In the event you and Customer do not reach an agreement within two weeks of intigriti’s first intervention, intigriti will assign a mediation committee which will consist of independent professionals from the KU Leuven security department. You and Customer will be required to attend a meeting with this committee within two (2) weeks from intigriti’s notification that the committee is assigned.
14.4 Unless expressly agreed otherwise with Customer, in the event Customer and Researcher do not reach an agreement upon the dispute during the above-mentioned meeting, the courts of Antwerp (section Antwerp) will have sole jurisdiction for any claims or disputes relating to your performance of ethical hacking services to Customer. Your relationship with Customer will be governed by Belgian law.
15. OUR LIABILITY
15.1 We try to keep our services safe, secure, and functioning properly, but we cannot guarantee the continuous operation of, or access to our Platform. Updated information and notifications may not occur in real time and be subject to delays beyond intigriti’s control.
15.2 You agree that you are accessing the Platform at your own risk, and that it is being provided to you on an "AS IS" and "AS AVAILABLE" basis. Accordingly, to the extent permitted by applicable law, intigriti excludes all express or implied warranties, terms and conditions including, but not limited to, use or operation, implied warranties of merchantability and fitness for a particular purpose.
15.3 You understand that intigriti cannot be held liable in relation to your Ethical Hacking services, the services of other Researchers and/or any information or content made available on the Platform by other users, such as Customers. intigriti solely provides a Platform where Customer and Researcher meet and we are not involved in the actual transaction between Customer and Researcher. You perform the Ethical Hacking services directly to Customer and on your own risk and account.
15.4 Regardless of the previous paragraphs, if intigriti were found liable, our liability to you or to any third party is limited to the greater of (a) any bounty fees due and/or paid by intigriti to you during the last twelve (12) months prior to the event giving rise to the liability; or (b) 500,00 EUR.
16.1 We may update these Researcher Guidelines from time to time. The most current version of the Researcher Guidelines will always be available at https://www.intigriti.com. If we make significant changes that could substantially alter your obligations, we will send you an email and prominently display a notice on the platform seven (7) days before we make those changes.
17.1 All disputes arising from these Guidelines will be governed by Belgian law and will be submitted to the competent courts of Antwerp, section Antwerp. Parties are committed to resolve disputes as much as possible in mutual consent.
17.2 You are not an employee, contractor or agent of intigriti, but are an independent third party who wants to contribute to the security strength of one or more Customers’ Environment(s) and connect with Customers through the Platform. Under no circumstances shall intigriti be considered to be your employer, nor shall you have any right as an employee, agent or subcontractor of intigriti.
17.3 The nullity of one of the provisions in this Agreement shall have no effect whatsoever on the validity of the other clauses, despite the nullity of the disputed clause. The parties shall make every effort to replace the invalid clause with a valid clause with the same or largely the same economic effect as the invalid clause. Not claiming a right or not applying a sanction by one of the parties shall in no way imply a waiver of rights.
17.4 In addition to the means of evidence explicitly allowed under applicable law, parties can validly invoke the following means of evidence: copies or reproductions in any form whatsoever (carbon copy, photocopies, microfilm, scans, ...), via data carrier, fax, telex and email. This applies regardless of the value or nature of what a party intends to prove. Such evidence has the same evidential value as (other) written evidence in accordance with the provisions of the (Belgian) Civil Code.