Bug Bounty Program Terms

Version: R25|01

Last updated: June 27, 2024

Here, you will find the terms and conditions that relate specifically to our Bug Bounty Program Participants. These terms should be read in conjunction with the General Terms for Business Partners (the “General Terms”). Any defined terms used in these Bug Bounty Program Terms shall have the meaning given to them in the General Terms.

1. Introduction

1.1. These terms cover your voluntary participation in Deriv’s bug bounty program, which incentivises participants to discover and report vulnerabilities or bugs in Deriv’s software system or networks in exchange for a financial reward (the “Program”). By reporting a vulnerability related to any of the Deriv-owned web services to us or otherwise participating in the Program, you acknowledge that you have read and agreed to these terms.

1.2. You acknowledge that the Program is not a competition but rather an experimental and discretionary rewards program.

2. Scope

2.1. The scope of the Program is specified in detail on the Program webpage. If you aren’t sure whether some content falls within the scope of this Program, send an email to [email protected] to check before making any testing attempts.

3. Eligible participants

3.1. You cannot participate in the Program if:

3.1.1. Your employer or the organisation you work for does not allow you to participate in these types of programs;

3.1.2. You are or have been employed by us or any of our group companies;

3.1.3. You are an immediate family member of an employee or a former employee of ours or any of our group companies.

3.2. If we know or have reason to suspect that you meet any of the above criteria, we reserve the right to disqualify you from the Program and rescind any bounty payments to you.

4. Potential rewards

4.1. We reserve the right to determine if the submitted vulnerability report is eligible for a reward. The decision as to whether or not to pay a reward is entirely at our discretion.

4.2. All of our determinations as to the amount of a bounty are final.

4.3. Bounty ranges are based on the classification and sensitivity of the impacted data, ease of exploitation, and overall risk to our clients and brand if the reported vulnerability is determined to be a valid security issue by our Security team.

5. Bug submission requirements

5.1. Your submission needs to follow the guidelines below:

5.1.1. Give a full description of the vulnerability you are reporting, including the exploitability and impact.

5.1.2. Present evidence and explanation of all the required steps for reproducing the submission, which may include:

5.1.2.1. Videos;

5.1.2.2. Screenshots;

5.1.2.3. Exploit code;

5.1.2.4. Traffic logs;

5.1.2.5. Web/API requests and responses;

5.1.2.6. Email address or user ID of any test accounts; and/or

5.1.2.7. IP address used during testing.

5.2. Failure to include any of the above items may delay or jeopardise a bounty payment.

6. Sensitive information disclosure

6.1. You agree not to discuss discovered vulnerabilities (even resolved ones) outside the Program without our written consent.

6.2. You undertake to follow Deriv’s disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with the submission guidelines set out in Clause 5 above.

7. Licence

7.1. You hereby grant us a royalty-free, fully paid-up, perpetual, non-revocable, exclusive, worldwide, transferable, and sub-licensable licence in respect of any report and any feedback you provide us. You agree that we have unrestricted rights to utilise the report and feedback. We reserve the right to not utilise any or all items you provide us. You waive any compensation for the incorporation of any materials in a report or any feedback that you provide us regarding our products and services.

7.2. You also understand and acknowledge that we may have developed or commissioned materials similar or identical to the submission and waive claims you may have resulting from any similarities to the submission. You understand that you are not guaranteed any compensation or credit for the use of the submission.

7.3. You represent and warrant that your submission is your own work, you have not used information owned by another person or entity, and you have the legal rights to grant us the licence in this Clause 7.

8. Your obligations

8.1. You must not participate in the Program unless in doing so, you comply with all applicable laws, rules, and regulations. You are responsible for familiarising yourself with your local laws and following them, as they may place additional restrictions on your participation in the Program.

8.2. You are responsible for any tax implications in relation to your participation in the Program, which will depend on your country of residency and citizenship.

8.3. Your testing must not disrupt or compromise any data that is not your own.

8.4. You must not share any inappropriate content or material.

8.5. You must not infringe upon the rights of any third party or engage in any activity that violates the privacy of others.

8.6. You must not engage in any activity that is harmful to us, the Program, or others (including transmitting viruses).