Session Token Bug Bounty Program Terms and Conditions
These Bug Bounty Program Terms and Conditions (these “Bug Bounty Terms”) apply to, and will govern, all vulnerabilities that are discovered and reported to the Session Technology Foundation (“STF”) in accordance with these Bug Bounty Terms (the “Bug Bounty Program”) in respect of software that is developed by, on behalf of, or at the direction of STF (the “Software”). The specific software that is in scope will be identified here.
Please read these Bug Bounty Terms carefully before participating in the Bug Bounty Program. By participating in the Bug Bounty Program, you agree (and agree on behalf of any entity that you represent, if applicable) to be bound by these Bug Bounty Terms.
STF's decision with respect to paying or not paying a bug bounty, and in relation to the amount and nature of any award, is entirely discretionary, and shall not in any circumstance be construed as an admission or concession of fault or liability by STF (or any of its affiliates or representatives), nor shall it be construed as an endorsement by STF of the accuracy of a description of an alleged vulnerability, alleged root causes of it, or any other information asserted by the participant or other third parties.
1. ELIGIBILITY
Subject to these Bug Bounty Terms, to be eligible to participate in the Bug Bounty Program, during the period of participation, the participant must:
- Be at least 18 years old and have reached the legal age of majority in the jurisdiction in which they reside and have the legal capacity to enter into, and be bound by, these Bug Bounty Terms if participating in the Bug Bounty Program as an individual;
- Have the legal authority to accept these Bug Bounty Terms on the applicable entity’s behalf, in which case “participant” (except as used in this paragraph) will mean the foregoing entity if participating in the Bug Bounty Program as an entity;
- Be the first person to report or disclose the vulnerability to STF in accordance with these Bug Bounty Terms, including by emailing sufficient information to bugbounty@getsession.org;
- Provide sufficient information to enable STF to reproduce and fix the applicable vulnerability;
- Not engage in any unlawful conduct when discovering, reporting or disclosing the vulnerability to STF, including the use of threats, demands or any other coercive tactics;
- Not have exploited or attempted to exploit the vulnerability in any way, including by making such vulnerability public or by obtaining a profit or other benefit (other than a payment under the Bug Bounty Program);
- Submit only one (1) vulnerability per report or disclosure, unless combining vulnerabilities to provide sufficient information with respect to any of the applicable vulnerabilities;
- Not submit a vulnerability caused by the same underlying issue on which a payment has been provided under the Bug Bounty Program;
- Not ask for payment in exchange for vulnerability details or dispute the applicability of the Bug Bounty Program to the participant, including the amount of any proposed or actual payment or categorization of a vulnerability; and
- Not be a current or former employee, director, officer or member (in each case within 6 months), vendor, contractor, or agent for STF, or a current or former employee, director or officer (in each case within 6 months) of any of the foregoing, or an immediate family member of anyone identified in this paragraph (defined for these purposes as including spouse, domestic partner, parent, legal guardian, legal ward, child, and sibling, and each of their respective spouses, and individuals living in the same household as such individuals).
STF reserves the right to limit or refuse eligibility to participate in the Bug Bounty Program for any reason in its sole discretion, including but not limited to where participation is prohibited or restricted by any applicable law, regulation, or decision, order or direction of any court, arbitrator, regulator or other governmental or supranational authority (“Applicable Law”).
If STF becomes aware of any violation of these Bug Bounty Terms, STF may elect to, among other things: (a) withhold, amend or cancel the benefits of or payments under the Bug Bounty Program; or (b) require return of any payment made, including taking any action at law to obtain such payment.
2. SCOPE OF VULNERABILITIES
The following non-exhaustive types of vulnerabilities are excluded from any payments with respect to the Bug Bounty Program:
- Vulnerabilities previously known to STF;
- Vulnerabilities with respect to sites hosted by third parties unless such vulnerabilities lead to a vulnerability in the Software;
- Vulnerabilities contingent on physical attack, social engineering, spamming, DDoS attack or other similar types of exploitation;
- Vulnerabilities affecting outdated or unpatched browsers;
- Vulnerabilities publicly disclosed in third-party libraries or technology used in the Software;
- Vulnerabilities that require an improbable level of user interaction;
- Missing security headers without proof of exploitability;
- Suggestions on best practices;
- Software version disclosure;
- Front end bugs;
- Spamming;
- Phishing;
- Automated tools (e.g. GitHub Actions, AWS); and
- Compromise or misuse of third party systems or services.
STF reserves the right to determine whether a vulnerability is eligible for a payment under the Bug Bounty Program in its sole discretion.
3. DISCLOSURE AND REPORTING REQUIREMENTS
Any vulnerability discovered must be reported only to the following email: bugbounty@getsession.org, and must comply with all other requirements in this Bug Bounty Program.
The vulnerability (including, without limitation, the existence of a vulnerability) must not have been or be disclosed publicly or to any other persons before STF has been notified, has fixed the issue, and has granted permission for such disclosure. The disclosure to STF must be made within twenty-four (24) hours following discovery of the applicable vulnerability. If similar vulnerabilities are reported within the applicable twenty-four (24)-hour period, any payment may be split by STF between such reporters, or may be paid to the first person to make such report, and in either case shall be determined in the sole discretion of STF.
A detailed report of a vulnerability increases the likelihood of a payment and may increase the amount of such payment. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the vulnerability is contingent;
- The steps needed to reproduce the vulnerability or, preferably, a proof of concept; and
- The potential implications of abusing the vulnerability.
4. PAYMENTS
Subject to these Bug Bounty Terms, payments will be based on the type of vulnerability reported or disclosed. The categorization and amount of any payment will be determined at the sole discretion of STF, including without limitation eligibility for such payment, and the severity of any applicable vulnerability.
5. BUG BOUNTY PROGRAM ADMINISTRATION
STF hereby reserves the right to amend, suspend or terminate the Bug Bounty Program at any time with or without prior notice or consent. STF further reserves the right to amend, withhold or cancel any Bug Bounty Program payments or benefits granted if STF becomes aware of any violation of these Bug Bounty Terms (without prejudice to the generality of STF’s discretion as set out in these Bug Bounty Terms, including with respect to the grant and/or amount of any award).
Administration of the Bug Bounty Program is at the sole discretion of STF, subject to Applicable Law. Any questions relating to eligibility, these Bug Bounty Terms or the Bug Bounty Program will be resolved by STF at STF’s sole discretion and its decision will be final and binding with respect thereto. If it is discovered by STF that there has been a violation of, or an attempt to violate, these Bug Bounty Terms, then STF may disqualify the participant from any Bug Bounty Program payments or benefits in its sole discretion.
STF reserves the right to make awards that do not comply with every requirement herein, such as failure to provide a detailed report of any vulnerability, or failure to notify STF through the correct channel. Awards made pursuant to such exceptions made by STF do not constitute any waiver by STF of any other terms and conditions set forth herein.
6. PRIVACY
By participating in the Bug Bounty Program, the participant hereby (a) grants to STF the right to use the name, country of residence, email address and any other information provided to STF (“Personal Information”) for the purpose of administering the Bug Bounty Program; and (b) acknowledges that STF may disclose Personal Information to its third-party agents and service providers who are involved in the administration and/or oversight of the Bug Bounty Program.
If any personal information or other sensitive information is accessed for which there is no authority to access, then access must be immediately stopped and all copies thereof must be destroyed. Such information must not be provided to STF and only a description thereof should be provided to STF.
7. RELEASE
THE PARTICIPANT AGREES TO RELEASE AND HOLD HARMLESS STF AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS FROM AND AGAINST ANY CLAIM OR CAUSE OF ACTION ARISING OUT OF PARTICIPATION IN THE BUG BOUNTY PROGRAM AND/OR ANY DETERMINATION MADE ABOUT ELIGIBILITY IN THE BUG BOUNTY PROGRAM OR ANY PAYMENT THEREUNDER THAT MAY OR MAY NOT BE DUE. THE PARTICIPANT AGREES THAT STF AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS ARE NOT LIABLE FOR INJURIES, LOSSES OR DAMAGES OF ANY KIND ARISING FROM PARTICIPATION IN THE BUG BOUNTY PROGRAM AND ACCEPTANCE, POSSESSION AND USE OF THE BENEFITS OR PAYMENTS RECEIVED UNDER THE BUG BOUNTY PROGRAM. STF IS NOT RESPONSIBLE FOR ANY TYPOGRAPHICAL OR OTHER ERROR IN THE PUBLICATION OF THESE BUG BOUNTY TERMS OR ADMINISTRATION OF THE BUG BOUNTY PROGRAM OR ANNOUNCEMENT THEREOF.
8. TAXES
Participants will be solely responsible for all tax liabilities that arise from or in any way relate to any benefit or payment that STF conveys to them, including income taxes, sales, personal property, use, VAT, excise, withholding and self-employment taxes. STF has the right to withhold from any amounts payable such foreign, federal, state or local taxes as may be required to be withheld under any Applicable Law. Participants agree to report the value of the benefit or payment received from STF to all applicable legal and local authorities, and complete any required tax forms that STF requests be completed prior to receiving the benefit or payment.
9. GENERAL
The interpretation and enforcement of these Bug Bounty Terms will be governed by and construed and enforced under the laws of the Canton of Zug, Switzerland. STF may, with or without notice, revise these Bug Bounty Terms, including any benefits or payments, and publish amended versions thereof from time to time. Participation or continued participation in the Bug Bounty Program constitutes acceptance of any amendments to these Bug Bounty Terms. STF may, in its sole discretion, amend or terminate the Bug Bounty Program at any time with or without notice, and continued participation in the Bug Bounty Program after such amendment shall constitute acceptance of all amended terms.