Terms of Service
Introduction and Acceptance
Please read carefully these terms and conditions (hereinafter, “Terms” or “Terms of Service”) applicable to your participation in the huntr open source vulnerability disclosure and bounty programme (hereinafter “platform”, available at https://www.huntr.dev/) operated by 418SEC LTD, Company number 11412418, with registered address at C/O Simons Muirhead & Burton Llp, 87-91 Newman Street, London, United Kingdom, W1T 3EY (hereinafter “huntr”, “we”, “us”).
These terms are directed at Contributors, usually Free and Open-Source Software (FOSS) project maintainers (“Maintainers”) and Security Researchers that wish to participate in our bounty programme.
Contributors will be notified of updates and eventually requested to accept the new Terms.
We desire to help the open source community to discover, report and fix security issues by offering our services for coordinating FOSS bug hunting, reporting and eventually fixing against payment of published bounties (hereinafter “huntr Services”). These services are offered to our clients (“Clients”), usually Free and Open-Source Software (FOSS) projects, certain FOSS projects and their sponsors, non-profit or enterprise backed FOSS projects and/or enterprises using FOSS; and Security Researchers are part of our services under these Contributor Terms. We also pay out bounties pro bono on certain open source projects (i.e. not sponsored or funded by Clients).
Contributors and huntr are jointly referred to as “Parties” and each as a “Party”.
To contact us, please email: email@example.com
1. Subject Matter and how huntr works
1.1 The Agreement regulates the terms under which we will provide Contributors with our Services and under which Contributors participate in bounties.
1.2 The Agreement also regulates the terms under which Contributors interact with us and around our Services.
1.3 We support FOSS security by obtaining funding and setting bounties for reporting and fixing security issues (“Contributions”). We have our own funding, and Clients also support our work by financing the bounties under a Client Terms of Service. Our community of Contributors has the skills and the desire to detect bugs, report them and eventually fix them, and is motivated to report the bugs that they find. We pay Contributors the bounty set for each validated security bug for which a bounty has been set. When applicable, we pay bug fix bonuses to Contributors that provide validated fixes.
1.4 Our Services are based on crowdsourcing, which takes place on a voluntary basis with a high degree of flexibility. Security research can be performed independently of location and time and there is no long-term commitment of the Contributors. Furthermore, Contributors retain their freedom to choose which projects to analyse for security vulnerabilities and which not. Contributors are not employed by us in any manner (either as employee or contractor), and the only compensation we pay out are the bounties.
1.5 As a Contributor, you agree to abide by our Responsible Disclosure Policy, in line with community standards.
2. User Account
2.1 Registration. To become a User and benefit from our Services (including receiving bounties in the case of Contributors), you must register online at https://huntr.dev/. On registration, Users must provide true, accurate, current, and complete information about themselves (collectively, the “Registration Data”).
2.2 Contributors must also complete, when requested and as applicable to their situation, their payment data, such as Bank Account or PayPal Account details.
2.3 Unauthorised access. Users are responsible for any access and use of their account regardless of whether the activities were undertaken by them or a third party. Users agree to notify us immediately if they believe that an unauthorised third party may be using the account or if their account information is lost or stolen.
2.4 Data update. Users must maintain and promptly update the Registration Data to ensure that it remains true, accurate, current, and complete at all times. If we have reasonable grounds to suspect that your information is untrue, inaccurate, not current, or incomplete, we may suspend or terminate the User's account and/or disable and prohibit all current or future access. We will attempt to get in contact before doing this.
2.5 Data modification. Users can modify their own Registration Data, change their credentials, customise the notification system, and delete their account by getting in contact with us.
2.6 We will not be liable for any loss or damage from the Users’ failure to comply with this Section.
3. Scope of Services
3.1 We offer different service tiers for coordinating the funding and payment of bounties for FOSS project security Contributions.
3.2 In accordance with the chosen programme, we publish the bounties on our site and dedicate and pay the bounties corresponding to bug reports and bug fixes made by Contributors that are validated by the FOSS project Maintainers. Bounties will be published on https://www.huntr.dev/.
3.3 We receive bug reports from Contributors via specific forms or other indicated channels on our website. When a bug report is submitted, we communicate this to FOSS maintainers (registered or not) of the respective project. We are not responsible for subsequently managing or validating bug reports and/or any bug fixes, which is carried out between Security Researchers and the FOSS project Maintainer.
3.4 Bug fixes: When a bug fix is submitted, the Security Researcher or Maintainer will provide us with a repository and branch name indicating where the patch exists. The Maintainer will be notified immediately in order to review the submitted fix and ultimately decide whether it patches the vulnerability. Once the Maintainer confirms the upstream commit SHA for the patch, the related Security Researcher or Maintainer will be rewarded a bounty.
3.5 We fund an overall bounty prize pot for all FOSS projects or specific pots for identified FOSS projects (collectively, “Prize Pots”), creating available funds for bounties from Client funding or our own funds.
3.6 We guarantee to pay out to Contributors the amount of money allocated to each validated report.
3.7 We reserve the right to set bounties (in accordance with our own algorithm). We may agree with Clients on certain bounty levels. We also reserve the right to unilaterally change the bounty price if the system quotes the wrong price or the bounty value is otherwise corrected or updated by us prior to any bug report being validated. Maintainers can reduce bounty value before a bug report is validated.
Outside the foreseen cases, no change in the bounty shall be effective unless there is a manifest error in setting the bounty value. Once a bug report is validated, the bounty value is fixed (confirmed by maintainers). We may offer an additional amount (usually 25% of the disclosure bounty value) for the Contributor that proposes a fix for the vulnerability that is subsequently validated.
3.8 As part of our programme, it is important that all Contributors receive the recognition they deserve. Once a vulnerability has been fully disclosed in accordance with the Responsible Disclosure Policy, we credit all Contributors involved for their crucial work in the process and pay out the appropriate bounty.
4. Contributors Rights and Obligations
4.1 Contributors must follow the performance guidelines set out at https://www.huntr.dev/terms/.
4.2 Contributors must comply with our Responsible Disclosure Policy at https://www.huntr.dev/policy/.
4.3 Contributors must report bugs in accordance with the procedures set out at https://www.huntr.dev/policy/, in order to comply with conditions for receiving any bounty.
4.4 Contributors must comply with all relevant laws when reporting a vulnerability. In particular, Contributors must make sure their reports, actions and Submissions do not infringe or violate any third party’s intellectual property rights, privacy and data protection rights or any other applicable law or regulation.
4.5 Contributors must also be aware of the open source community policies as to reporting bugs, and the contribution policies of the FOSS projects that they analyse and report any bugs to.
4.6 Contributors agree that, in the event of reporting any bug on our platform, we shall have an exclusive period, as set out in the Responsible Disclosure Policy, for managing the reporting of the bug and its validation with the FOSS Projects. Contributors shall not post the bug report on any other platform or medium of communication, nor communicate with the FOSS project or corresponding maintainer via any other channel (unless agreed with us). In the event of breach of this provision, the Contributor forfeits his/her right to the corresponding bounty and his/her account may be suspended or terminated by us.
5. Maintainers Rights and Obligations
5.1 Maintainers may indicate the projects they maintain in the Registration Data, however we may also verify this through online processes. We will contact you if we have any doubts about your status.
5.2 Maintainers must follow our Responsible Disclosure Policy at https://www.huntr.dev/policy/.
5.3 Maintainers agree that they will not communicate with other Contributors on vulnerabilities and related fixes disclosed on huntr via any channel other than our platform (unless agreed between us and the FOSS project). In the event of breach of this provision, the Maintainers may forfeit their right to the corresponding bounty (as indicated above) and the Maintainer’s account may be suspended or terminated by us.
5.4 Maintainers agree to promptly verify and validate any bug disclosures reported on the platform, once they are notified.
5.5 In the event of any dispute between Contributors and Maintainers regarding the validation of a bug report, we will not be involved, and assume no liability, but we may offer communication and informal mediation services for amicable resolution. Our decision to pay out any bounty is final, and Contributors agree that they will not dispute this decision.
5.6 Maintainers may disclose vulnerability reports about their own projects on the platform, but will not be entitled to any bounty. Maintainers may however propose bug fixes for vulnerabilities disclosed on huntr, and be entitled to the bug fix bounty, if one is set.
6. Payment of bounties. Taxation.
6.1 Payment of a bounty will be granted after (a) correct reporting of the bug on the platform and (b) subsequent validation of the bug by the corresponding Maintainer. Payment may take up to 1 month from validation, and is subject to huntr’s own right to verify the validity of the bug report and compliance by the corresponding Contributors with the Agreement.
6.2 All payments will be made to the accounts set out in the Payment Data.
6.3 Payment may be delayed in the event of any investigation into the validity of the bug report and validation by the corresponding Maintainer/s. Payment may be withheld in the event that huntr has reasonable belief that the bug report or fix is not valid or is made fraudulently or in breach of these Terms and/or our Responsible Disclosure Policy.
6.4 For Contributors between 16 and 18 years old, we will hold bounty payments for you either until you are 18 years old or, if earlier, your legal representative (parent, legal guardian) authorises the transfer and provides payment account details (e.g. bank or PayPal).
6.6 We reserve the right to change financing platform, method and means, without materially changing the modus operandi set out herein (“Scope of Services”), unless otherwise agreed with Contributors.
6.7 Paid-out bounties are not refunded; however, if huntr becomes aware of any fraudulent or bad faith use of the platform, it will use reasonable efforts to recover bounties paid out to Contributors under false pretences, or on the basis of negligence or wilful misconduct and/or misinformation of Contributors or FOSS projects. Any User involved in such activities may be suspended and their account terminated at huntr's discretion.
6.8 When a vulnerability report has been validated, huntr emails the Contributor a notice of validation and a pro forma invoice form for payment. Contributors may waive the bounty payment (email us). If the Contributor does not respond to the notification, no payment will be made. If the Contributor does not respond within 12 months from notification, the Contributor is deemed to waive the bounty payment and the corresponding bounty will be declared void.
6.9 In the event a bug report was made by a Contributor in collaboration with others, the Contributor shall be solely responsible for (a) obtaining the necessary rights to make the report, and (b) sharing any sums (bounties) received hereunder from huntr for the validated report with these third parties pursuant to any agreements entered into with them. Contributors must notify huntr of this situation so that it can take the appropriate measures.
6.10 We shall not pay any taxes or make any withholding on bounty payments unless required by applicable law. Contributors are fully responsible for paying taxes on their income (including bounties) and agree to indemnify and hold huntr harmless against any claims for taxation and related sanctions made by any taxation or judicial authorities.
7. Data protection
8. Intellectual Property Rights
8.1 Subject to clause 8.2 below, Contributors assign to huntr on a worldwide, perpetual and exclusive basis all their intellectual property rights (including copyrights and know-how) in and to all and any bug report, bug fix, and/or related information provided by Contributors on the platform (“Vulnerability Information” including without limitation bug fixes and other software code), including all rights to reproduce, modify, distribute and communicate the Vulnerability Information for any purpose and to any party. This grant is made in consideration for payment of the bounty.
8.2 Users retain the right to use the Vulnerability Information for non-commercial research and educational purposes. Users expressly agree not to disclose any Vulnerability Information to any third party before it has been made public by huntr on the huntr platform or otherwise by the Project in agreement with huntr and compliance with these Terms.
8.3 We will submit the Vulnerability Information to the corresponding FOSS Project under the IPR policy or contribution policy of the FOSS project. In the absence of such policy, the Vulnerability Information will be contributed to the Project under the project licence.
9.1 We warrant that our services (set out in Scope of Services) will be performed professionally and diligently in accordance with industry standards.
9.2 Each Party warrants that its actions hereunder and in respect of the huntr website and Services (and for Contributors, without limitation, that their Vulnerability Information) do and will not infringe or violate any third party’s intellectual property rights, privacy and data protection rights or any other applicable law or regulation.
9.3 We make no warranties regarding the processing of bug reports by FOSS Projects, nor that bounties will be paid out unless in accordance with these Terms.
9.4 Except as expressly set out in Sections 9.1 and 9.2, to the maximum extent permitted by applicable law, neither Party makes any representations or warranties regarding the huntr Services, including warranties as to satisfactory quality or fitness for purpose.
10.1 Each Party shall be liable without limitation for damages due to:
10.1.1 fraud, malicious conduct or intentional breach of these Terms by that Party;
10.1.2 gross negligence in performing or omitting to perform the Agreement by a Party.
10.2 Apart from the cases set out in section 9.1, to the maximum extent permitted by applicable law, neither Party shall be responsible to the other for any direct or indirect damages.
10.3 In particular but without limitation, huntr shall not be held liable for any action or omission of the Contributors nor any FOSS projects unless huntr is directly involved and actively participates in such action.
10.4 Contributors agree to release, indemnify and hold huntr harmless from any claims, demands and damages (direct or indirect) of any kind or nature, known and unknown, arising out of or in any way connected with (a) a dispute between a huntr Client or any FOSS project and the Contributor, (b) any false or incorrect information provided by the Contributor to huntr in the Registration Data, (c) false or incorrect information provided by Contributors and FOSS Projects, (d) breach by a Contributor of his/her representations, warranties and covenants hereunder, or (e) breach by a Contributor of any law or third party right.
11. Term and Termination
11.1 This Agreement will be effective from the day of acceptance by huntr of the Contributor’s registration and will be in force until terminated hereunder.
11.2 This Agreement may be terminated without cause by a Contributor at any time on 30 days’ prior written notice to huntr at the address set out above or by email to firstname.lastname@example.org; however, termination will not affect payments made before termination nor any rights, obligations or liabilities surviving termination.
11.3 This Agreement may be terminated on written notice by a non-breaching Party in the event of material breach of a term of this Agreement by the other, where that breach has not been remedied within 30 days of being notified of the breach by the non-breaching Party.
11.4 Notwithstanding termination rights, huntr may suspend a Contributor’s account (and payment of any bounties) in the event of any breach of these Terms by the Contributor, and huntr will notify the Contributor of this at the email address set out on registration.
11.5 Contributors acknowledge and agree that any rights and licences relating to bug reports (and fixes) remain valid and in full effect and continue perpetually even after this Agreement has been terminated between the Contributor and huntr.
12. General Provisions
12.1 This Agreement constitutes the entire Agreement between the Parties with respect to the subject matter of the Agreement.
12.2 No amendment to these Terms shall be effective unless made in text form and communicated to the Contributor. The same applies to a waiver of any clause or right hereunder.
12.3 If any provision of these Terms is or becomes invalid, this shall not affect the validity of the remainder of the Agreement. The Parties shall without delay agree to substitute the ineffective provision with an effective provision which approaches the purpose of the original provision as closely as possible. This applies accordingly in the event of a gap that needs to be filled.
12.4 All notices hereunder must be in writing and will be effective if sent to:
12.4.1 To huntr, at the address set out above or by email to email@example.com
12.4.2 To the Contributor, at the postal and email addresses indicated in the Registration Data.
Email notifications are effective only if receipt is confirmed.
12.5 These Terms may be updated from time to time by huntr, and notification provided to you. Any use of our Services after notification of changes indicates your acceptance of the modified terms. If you do not agree to the modification, you may terminate the Agreement in accordance with clause 11.
12.6 This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
12.7 All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of London, UK.
12.8 The Parties agree that they will use good faith attempts to amicably resolve any such dispute during a period of 30 days from written notice by one party to the other of a dispute, and that they will not submit any judicial claim during that 30 day period.