“Asset”: An ICT system, network, technology, infrastructure, application, software or other target, communicated by a Company in its Program, for the purpose of having its security assessed by Researchers (previously defined and known as the “Environment”).
“Bounty”: A monetary reward awarded to the first Researcher who successfully makes a Submission of a Vulnerability in the Company’s Asset.
“Code of Conduct”: The document entitled “Community Code of Conduct”, accessible here.
“Company”: A customer of Intigriti using the Platform to reach out to Researchers by means of one or more Programs, and to receive Submissions.
“Company Data”: Any information, files, personal data or other data which becomes known to a Researcher, or to which a Researcher obtains access, in the context of its participation in a Program. Non-limitative examples of Company Data are: the description of the Company’s Program, information about the Asset, Vulnerabilities, login credentials that may be provided to Researchers from time to time or which become known in the context of a Program, and any information, files, data or materials on the Asset or on any environment connected with or otherwise related to the Asset.
“Ethical hacking”: May be defined as the process of attempting to penetrate a network or computer system and bypass system security, for the purpose of identifying potential security vulnerabilities and informing the owner of the system of such vulnerabilities. It may also entail an attempt to exploit encountered vulnerabilities, in order to determine to what extent unauthorized access and/or malicious activities could be possible. Ethical hacking is considered “ethical” in the sense that the hacker has good intentions and discloses the vulnerabilities it identifies to the owner of the system, so that the owner can improve its system security.
“Platform”: The platform accessible at https://app.intigriti.com.
“Program”: A Company’s security initiative published on the Platform, by means of which the concerned Company authorizes Researchers to test the security of the Asset described as in scope of the Program, for the purpose of reporting Submissions.
“Program Conditions”: The Company’s description of the assistance it is seeking from Researchers, the scope, requirements, conditions to receive Bounties and any other terms and conditions applicable to a specific Program. Program Conditions are included in the description of the applicable Program and/or communicated to a Researcher before it can access the Program or make a Submission.
“Researchers”: Independent security researchers (ethical hackers), willing to participate in one or more Programs. Researchers may act in a professional or non-professional capacity and may each have different levels of experience and expertise. Anyone who initiates activities of Ethical Hacking in the context of a Program is considered a Researcher.
“Submission”: A Researcher’s description of a Vulnerability identified in an Asset, in the context of its participation in a Program. Submissions serve as a notification of the Vulnerability to the Company, and are submitted by Researchers through the Platform.
“Vulnerability”: A bug, defect or weakness, a design or execution error, a failure to align with the most recent state of the art, or any other (technical) error which compromises the security of information or communication technologies. A Vulnerability might lead to an unexpected or unwanted event and could potentially be exploited by malicious third parties, for the purpose of compromising the integrity, availability or confidentiality of a system and/or to cause damage.
2. OPERATION AND BACKGROUND
Intigriti created the Platform as a transaction platform and communication tool, through which Companies can connect and interact with Researchers. By creating one or more Programs, Companies may use the Platform to reach out to a community of Researchers, for the purpose of having the security of their Assets assessed by the community and to receive information on any Vulnerabilities that would be identified in the process. Researchers operate on the Platform on an independent and voluntary basis. They freely determine in which Programs they want to participate and independently determine the time, timeframe, and efforts they want to devote to the concerned Program. If a Researcher identifies a Vulnerability, it is required to disclose it to the concerned Company in a Submission. The aim is to enable the Company to take appropriate action to resolve the Vulnerability and improve its system security.
Intigriti provides both Companies and Researchers access to the Platform and operates as a coordinator. Any Program-specific content, information and conditions are communicated on the Platform by or in the name of the Company involved and Intigriti assumes no responsibility in this context. A Researcher’s participation in a Program is provided directly to and for the benefit of the Company named in the concerned Program and Intigriti is not responsible or liable for interactions and transactions between Company and Researcher.
3. REGISTERING AS RESEARCHER
By creating an account on the Platform, and/or by participating in a Program, you sign up as a Researcher and you accept and agree to comply with the terms of these Researcher T&C. If you do not agree with any term herein, you are not allowed to participate in any Program and have no permission to access Assets.
You enter these Researcher T&C vis-à-vis Intigriti, as well as in favor of the Companies whose Programs you would access and/or participate in. Companies can derive rights from these Researcher T&C in their relationship with you and may enforce them directly against you.
By creating an account on the Platform, you declare, confirm and warrant that you:
have the right, power and authority to enter into these Researcher T&C, to become a party hereto and perform your obligations hereunder;
have reached the age of 18 years (or have reached the age of 16 years and have permission from your parent or guardian);
are not subject to legislative or other measures prohibiting you and/or Intigriti from entering into these Researcher T&C with each other;
are not prohibited from performing activities in the context of Ethical Hacking by law, by your organization or employer, by any agreement you have entered into or otherwise.
Your account is strictly personal. You must maintain the confidentiality of your account credentials, including your password, and are responsible for all activity that occurs through your account. You may not:
breach or circumvent any laws, third-party rights or our policies or instructions regarding the use of the Platform;
allow another person or party to access your account, or transfer your account to someone else;
harvest or otherwise collect information about Companies or Researchers without their consent.
4. YOUR LICENSE
Subject to your compliance with the terms of these Researcher T&C, when you create an account as Researcher, Intigriti grants you a revocable, non-exclusive, non-sublicensable, non-transferable, royalty-free license to access the Platform and any information on the Platform made freely accessible to your account, solely for the purpose of participating in Programs in accordance with the terms of these Researcher T&C and/or to evaluate whether you wish to participate in one or more Programs.
Intigriti may, without prejudice to any other rights it may have, in its sole discretion, at any time and with immediate effect, suspend or permanently disable access to your account and/or to the Platform or any part thereof and/or terminate any licenses provided to you herein. Intigriti may do so if it suspects you are abusing the Platform, do not operate in good faith or have provided false identity information; if you do not respect the Researcher T&C and/or the scope of any Program(s); or if you violate the Code of Conduct. If your account and/or access to the Platform is suspended or terminated, you are prohibited from (further) participating in Programs and no longer have permission to access any Asset.
5. PARTICIPATING IN A PROGRAM
If a Company wants to allow Researchers to test the security of one of its Assets, the Company will express this by publishing a Program on the Platform. A Company can have multiple Programs, each with its own scope. A Program can be accessible to all Researchers or only to a limited number of Researchers, as determined by the Company.
In each Program, the Company will set out Program Conditions. These will minimally describe the scope of the Program (target Asset, prohibited actions, etc.) and the conditions to receive Bounties (if any). The Program Conditions may contain any additional requirements or information the Company deems relevant and may impose additional terms and conditions the Researcher must comply with if it wants to participate in the Program.
By opening a Program, a Company invites and authorizes Researchers who are provided access to the Program to participate in it, and authorizes them to use Ethical Hacking techniques on the Assets in scope. The Company’s authorization is subject to the Researcher’s compliance with the Program Conditions and Researcher Guidelines and is limited to the time period during which the Program is activated on the Platform.
By registering on the Platform, you sign up to participate in one or more Programs. You are considered to participate in a Program as soon as you access or attempt to access an Asset (or any connected Environment) in response to a Program, or use any credentials or information provided to you in the context of a Program. Participating in a Program implies that you may use Ethical Hacking techniques on the Asset in scope and must promptly report any Vulnerabilities you identify, in accordance with these Researcher T&C.
Subject to compliance with the applicable Program Conditions, you are free to decide if, when, where and which Companies you would like to assist, and on which Programs you will do so.
If you participate in a Program you:
must read the full Program scope and Program Conditions carefully, before accessing (or attempting to access) an Asset;
must comply with these Researcher T&C, the Code of Conduct and the Program Conditions - if you do not agree with any of the terms thereof, you may not participate in a Program and are prohibited from using Ethical Hacking techniques on the Asset;
must ensure you have sufficient expertise and experience to do Ethical Hacking in a safe and secure way;
may only use Ethical Hacking techniques and are not allowed to launch uncontrolled attacks or use malicious techniques that could have an impact on the availability or operation of an Asset or other system;
may use Ethical Hacking techniques only for the purpose of testing the security strength of the Asset in scope - you are not allowed to browse through the Company’s systems and files and/or to copy or download any Company Data;
are required to report discovered Vulnerabilities in a prompt and transparent manner through the Platform and/or to the Company’s security contact as found on the Platform;
should always respect applicable law, in particular in relation to secrecy of electronic communications, privacy and data protection;
are liable for your actions and any potential damages caused to the Company and/or other parties;
must understand that applying Ethical Hacking techniques, accessing, or trying to infiltrate Assets and/or data beyond the scope of a Program and/or in violation of the Program Conditions can be illegal and criminally sanctionable (e.g. pursuant to article 550 bis of the Belgian Criminal Code) and both Companies and Intigriti reserve the right to file a criminal complaint and/or initiate (civil) proceedings, if you do anything illegal.
6. PROHIBITED ACTIONS
In connection with your activities in the context of the Platform, you may never:
misuse a Vulnerability you discovered;
exploit more than necessary to identify a Vulnerability in the Asset and to gather information and/or evidence for your Submission;
undertake any actions that could cause the Asset (or any other Company or third-party asset) to become more susceptible to vulnerabilities, or that enable easier exploitation of existing vulnerabilities;
make use of techniques such as (Distributed) Denial of Service attacks (DoS or DDoS), physical and/or social engineering and/or techniques that are mentioned in the out-of-scope section of the Program;
distribute or post spam, unsolicited or bulk electronic communications, chain letters, or pyramid schemes;
install or distribute malware, viruses or any other technologies that may harm the interests or property of the Company or any third party;
change or remove any data or parameters (unless it concerns your own data in your test accounts);
disclose to third parties (without the Company’s permission) or misuse information or data that was acquired in the context of a Program.
You may not (attempt to) infiltrate third party systems that are not in scope of the Program, and must stop as soon as you become aware of such system being affected by your actions. In this event, you must also immediately notify the concerned Company of this fact, through the Platform.
In general, you must always make sure that you do not interfere with the effective functioning of the Assets and must mitigate any possible harm.
You may never share or disclose information collected during your hacking process with any third parties, unless in accordance with article 9.2.
7. YOUR OBLIGATION TO SUBMIT VULNERABILITIES IMMEDIATELY
If you believe that you have found a Vulnerability in the Asset of a Company, you should promptly submit a report (Submission) through the Platform, addressed to the concerned Company.
The Submission must describe the Vulnerability in a clear, concise, and comprehensive manner and how it can be reproduced.
You must add information to the Submission whenever new significant events arise, as well as when the Company or Intigriti requests additional information. You should always collaborate in good faith with the Company to allow the Company to gain sufficient insight into the Vulnerability, for the purpose of remedying the Vulnerabilities you detected in its Asset(s).
A Company may choose to award a Bounty to the first Researcher who successfully informs the Company of a Vulnerability in its Asset, by means of a Submission. Bounties may differ per Company, Program and severity of the Vulnerability.
A Bounty is awarded only for the successful Submission of a Vulnerability and is not a remuneration for the time or efforts you would spend on the Program.
If a Bounty is applicable, the Company will set out the amount and the conditions to receive the Bounty in its Program. If a Program does not expressly mention the payment of Bounties, no Bounties will be awarded.
By default, you will only be awarded a Bounty (i) if you are the first Researcher to submit a specific Vulnerability; (ii) if - in the Company’s discretion - the Vulnerability corresponds with a level of severity for which a Bounty applies; (iii) if the Vulnerability is confirmed and validated by the Company; (iv) if your identity is vetted; and (v) if you have at all times complied with these Researcher T&C and the Program Conditions.
The Company will verify your Submissions and, if it determines the conditions to receive a Bounty are met, will confirm this to Intigriti. Intigriti’s payment of a Bounty to a Researcher is always conditional upon the Company confirming that the Bounty may be paid.
You are responsible for paying all applicable taxes and social contributions on any Bounties you receive and in general must comply with any legal and tax related obligations and formalities applicable to your situation, status and income.
All Bounty payments will be made in Euros, unless expressly otherwise agreed with Intigriti.
Intigriti will not perform any payments in the event you are subject to any legislative or other measures (e.g. EU or US restrictive measures) prohibiting Intigriti from doing so.
All information and communication you receive or get access to by using the Platform, by participating in a Program and/ or by accessing an Asset, including but not limited to Company Data, will be considered confidential information. Secrecy and protection of such confidential information is essential, and you may not disclose such information to any third party.
You may communicate any Vulnerabilities you find only to the concerned Company and Intigriti, via the Platform. Public disclosure is only allowed if both parties (the Company and you) expressly agree (through the Platform or otherwise in writing) that information about a Vulnerability can be shared. The Company can choose to redact or remove certain parts of the report and the information that is shared about the Vulnerability, and this should be respected.
You will be liable for any damages that could be attributed to an infringement of the confidentiality obligations hereunder.
You must ensure all personal data you provide to Intigriti is true and accurate. If you so desire, you may operate on the Platform under a pseudonym. In such event, Intigriti will disclose your real identity only (i) when disclosure is required by law, or by any governmental, judicial or other regulatory authority; and/or (ii) in the event Intigriti and/or a Company have reasonable ground(s) to believe you do not operate in good faith, breach these Researcher T&C or the Code of Conduct, or do not respect a Company’s Program Conditions; and/or (iii) if a Company or other party claims that you have caused damages; and/or (iv) where reasonably necessary for defense against a (threatened or actual) claim or legal proceedings.
10. DATA PROCESSING
You must at all times adhere to your obligations under applicable law regarding to privacy and the processing of personal data, in connection with your use of the Platform and your participation in any Program. In particular, you must comply with Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the “GDPR”).
Your activities in the context of a Program are not specifically targeted at processing personal data. However, Assets could potentially contain personal data and (depending on the nature and severity of existing Vulnerabilities in an Asset) in the process of searching for Vulnerabilities you might become able to view or otherwise access personal data or other Company Data.
You may only process Company Data (including any personal data) in accordance with the instructions the concerned Company may provide to you from time to time (e.g. in its Program description). By default, the following will apply:
If you process Company Data, you may do so only to the extent reasonably needed for your proper participation in a Program and only during such activity.
In many cases, as soon as personal data or other Company Data becomes accessible in or through the Asset, this will mean you have identified a Vulnerability. In such event, you are not allowed to proceed with your activities and must report your findings in a Submission immediately.
You are not allowed to browse through Company Data and/or to copy or download any personal data or other Company Data. Only where this is necessary to convince the Company of your findings may you, in as limited a way as possible, gather some evidence of the situation you encountered, solely for the purpose of including it in your Submission.
If, in case of necessity, Company Data is temporarily reproduced on your systems, you must delete it without undue delay, and at the latest as soon as your Submission is submitted.
You may not store or host Company Data on third party systems and may in general not engage any sub-processor or authorize any other party to process personal data or other Company Data without obtaining prior permission from the Company.
You need to have appropriate safeguards in place to avoid any erasure of or changes to Company Data due to your activities.
You must take appropriate technical and organisational measures to ensure a level of security of Company Data, appropriate to the risks involved. In first instance you will effectuate this by leaving the Company Data as-is on the Asset or environment where it is located, and by not downloading, copying or otherwise storing such data.
If you process any personal data or other Company Data, you must in general cooperate with the Company on any instructions it provides in that context and must promptly provide to the Company any information it may request from time to time. You must contribute to any inspections the Company might organise to verify your compliance with this article 10.
The Company may at any time, in its discretion, add, modify, or derogate from the stipulations herein, in relation to Company Data. The Company could for example clarify your rights and obligations in the context of the processing of personal data in its Program description or may ask you to enter into a data processing agreement with the Company.
11. INTELLECTUAL PROPERTY RIGHTS
You may not engage in any activity that infringes or misappropriates the industrial, intellectual or other proprietary rights of others. In particular, you must ensure the content of your profile and Submissions does not violate the intellectual property rights of any party.
You will remain the owner of the intellectual property rights in your Submissions. Do note that you are required to maintain any information related or retraceable to a Company confidential, in accordance with article 9.
By submitting a Vulnerability through the Platform, your Submission will be sent to both Intigriti, and the Company involved. By making a Submission, you provide:
to the Company to whom you direct your Submission an irrevocable, perpetual, non-exclusive, non-transferable, worldwide, royalty-free license to use, access, copy, reproduce, display, modify, translate, transmit and distribute copies of that Submission to the extent needed for the purpose of assessing the Vulnerability and improving the security of its systems, assets and environments;
to Intigriti an irrevocable, perpetual, non-exclusive, worldwide, royalty-free license to use, reproduce, copy, display, modify, translate and disclose (within its organisation and to the Company to whom your Submission is addressed) any content of your Submissions, for the purpose of operating and managing the Platform in a normal manner, within its intended purpose, which in particular implies that Intigriti will use your Submissions to comply with any of its obligations vis-à-vis you and/or the Company involved and/or to demonstrate or prove such compliance where relevant. Intigriti will not claim ownership of your Submissions.
Intigriti may collect anonymous/statistical information about your Submissions and may use such information for any purpose it sees fit, including for commercial purposes. By signing up to the Platform, you irrevocably agree thereto.
The Platform, its content and any other services of Intigriti are protected by copyright, trademarks and other proprietary rights and may only be used in accordance with any license and instructions we provide to you.
12. RELATIONSHIP BETWEEN COMPANY, RESEARCHER AND INTIGRITI
A Program and Program Conditions are always published by or in the name of the Company whose name is indicated with the Program. Companies interact with you and allow you to participate in their Programs, through the Platform, and act independently from Intigriti. Intigriti is not responsible for their actions, omissions, communication, and content (including but not limited to Program content and/or Program Conditions).
You provide your assistance and information in the context of a Program directly to and for the benefit of the Company involved, at your own risk and for your own account. You are responsible for your (Ethical Hacking) activities in this context directly vis-à-vis the Company and thereby act as an independent party. Companies are independent parties inviting you to participate in their Programs and connect with you through the Platform.
By participating in a Program, you are considered to accept and enter into the applicable Program Conditions vis-à-vis the Company involved. Companies can also derive rights from these Researcher T&C against you, in accordance with article 3.2. In case of contradiction between the Program Conditions and these Researcher T&C, the Program Conditions will prevail within your (contractual) relationship with the Company.
You perform and provide your activities, assistance, and information in the context of the Platform on a voluntary, ad hoc and independent basis to Companies and not as an agent, representative, partner or employee of the Company or Intigriti. Nothing herein shall be intended, considered, or interpreted to determine otherwise, or to give you any rights that usually come with such capacity. You are responsible for the payment of any applicable taxes, levies and/or social contributions in the context of your receipt of any Bounties and are responsible to comply with any other statutory obligations associated with your activities hereunder.
13. COMMUNICATION BETWEEN COMPANY AND RESEARCHER
Your Submissions and any communication made in the context of your Submission, may be accessed by both Intigriti and the Company involved.
In the context of a specific Program or Submission, Intigriti may communicate with you on the Company’s request and on Company’s behalf and vice versa. Intigriti will act in good faith and transfer received communications between both parties without exceptions and without undue delay. All communications will fall under the confidentiality regime as stipulated above.
14. YOUR LIABILITY
You must make sure your reports, actions and Submissions do not infringe or violate any third-party’s intellectual property rights, privacy and data protection rights or any other applicable third-party rights, laws or regulations.
In your participation in any Program, you must always act diligently and with due care and you are responsible for your actions and the consequences thereof.
You must use all reasonable endeavors to prevent and mitigate potential damages to Companies, Intigriti or any third party, and in particular to Assets and other computer systems and/or data. Without being restrictive, this implies that you must take precautions to ensure that no data is altered, lost or corrupted and to avoid service interruption, hardware or software damage or system failure.
Whenever you act in violation of these Researcher T&C, the Code of Conduct or Program Conditions, Intigriti and/or the Company may hold you liable for the damage arising from this violation.
15. DISPUTE MEDIATION
In the event of a dispute between a Company and a Researcher, Intigriti may help to facilitate the resolution thereof.
In the first (informal) phase, Intigriti will try to reconcile positions and may for example verify the scope and authorizations applicable at a certain time, clarify certain aspects of the performed techniques to the Company involved, and disclose your identity details to the Company. Such guidance and assistance provided by Intigriti is solely informational and Intigriti does not guarantee that it is complete or accurate. You acknowledge that Intigriti is not an accredited mediator and does not provide legal advice. The sole purpose of this assistance is to reconcile positions and to clarify the operation of the Platform to the parties involved.
In the event you and the Company do not reach an agreement within one month from Intigriti’s first intervention, Intigriti will, upon agreement with the Company, assign a mediation committee consisting of five (5) independent security professionals. Both you and the Company involved will be required to attend a meeting with this committee within two (2) weeks (or any other term communicated by Intigriti) from Intigriti’s notification that the committee is assigned.
By default, your relationship with Companies in the context of the Platform and your participation in Programs is exclusively governed by Belgian law and the courts of Antwerp (division Antwerp), Belgium, will have sole jurisdiction for any claims or disputes between you and the Company in the context thereof. You understand and agree that a Company’s Program may determine otherwise, and/or you may agree otherwise with the concerned Company.
If you have a dispute with one or more Companies, you release and indemnify Intigriti from claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.
16. OUR LIABILITY
We use reasonable efforts to keep our services safe, secure, and functioning properly, but do not guarantee the continuous operation of, or access to our Platform and disclaim any liability in that context. Updated information and notifications may not occur in real time and may sometimes be subject to delays, which risk you accept by subscribing to the Platform.
You agree that you are accessing the Platform at your own risk, and that it is being provided to you "AS IS" and "AS AVAILABLE". Accordingly, to the extent permitted by applicable law, Intigriti excludes all express or implied warranties, terms and conditions including, but not limited to, use or operation, merchantability and/or fitness for a particular purpose.
Intigriti acts as coordinator on the Platform and is not responsible for any content, communications, acts or omissions of Companies, Researchers or other users and disclaims any liability in this context. In particular, in no event will Intigriti be liable for a Researcher’s participation or other activities in the context of a Program. Confirmation of Submissions and payment of Bounties is done only upon instruction of the Company involved.
Intigriti can only be held liable for direct damages, caused by its violation of the obligations Intigriti expressly undertakes in these Researcher T&C, and this only within the limitations set out below.
Without prejudice to the above, Intigriti’s aggregate liability to you or to any third party is limited to a maximum amount of 1500,00 EUR per claim and per year in total.
The limitation of liability in article 16.5 is not intended or construed to limit Intigriti’s responsibility to pay Bounties in accordance with article 8. Any claims or actions related to the payment of Bounties will irrevocably lapse and become invalid six (6) months from the date of the Submission.
Nothing in this agreement is intended to exclude or limit any liability that cannot be excluded or limited as a matter of law and relevant clauses will be interpreted accordingly.
We may update these Researcher T&C from time to time. The applicable version of the Researcher T&C will always be available on the Platform. You must make sure to consult the most recent version of these Researcher T&C when using the Platform and/or participating in any Program.
If we make significant changes that could substantially alter your obligations, we will prominently display a notice on the Platform at the latest fifteen (15) days before those changes take effect. If you do not agree with the amended terms, you may no longer participate in any Programs as from their entry into force.
All disputes arising from these Researcher T&C will be governed by Belgian law and must be submitted to the competent courts of Antwerp, division Antwerp. The parties commit to resolving disputes as much as possible by mutual consent.
The nullity or invalidity of one of the provisions of these Researcher T&C shall have no effect whatsoever on the validity of the other provisions. The parties (or where applicable the court ruling on any dispute) shall make every effort to replace the invalid clause with a valid clause with the same or largely the same economic effect as was intended with the original clause.
Failure or delay by one of the parties to claim a right or to apply a sanction shall in no way constitute a waiver of rights.
In the event of contradiction between the Code of Conduct and these Researcher T&C, the terms of these Researcher T&C will prevail.
The parties expressly agree to the evidentiary value of e-mails, Platform communication, digital signatures and other digital means. The logs of the Platform will be considered to have full evidential value, unless it is proven that they were manipulated. The above applies regardless of the value or nature of what a party intends to prove. Such evidence has the same evidential value as other written evidence in accordance with the provisions of the (Belgian) Civil Code.