By taking part in the Vulnerability Disclosure Program (‘Program’) organised by Galactus Funware Technology Private Limited (‘MPL’) in the capacity of a Security Researcher, I hereby undertake that:
- I am a major and over the age of 18 years.
- I am an individual researcher, participating in the Program in my individual capacity, and I am not associated with or acting on behalf of any organisation in this regard.
- I do not have any “black hat” background (i.e., any incident or history of unethical, unauthorized access or breach of computer security with an intent to abuse, cause an injury, financial loss, or similar mala fide intent) or any criminal cases directly or indirectly linked to me.
- I am not an employee, agent, vendor, contractor or subcontractor of MPL or any of its subsidiaries and group companies (‘MPL Affiliates’) or an immediate relative of any existing employee, agent, contractor or subcontractor of any MPL Affiliates. Further, I confirm that I was not an employee, agent, vendor, contractor or subcontractor of any MPL Affiliates in the last 12 months prior to my participation in the Program or an immediate relative of any such persons.
- I shall use the email address used by me regularly for email communications for reporting any vulnerability information to MPL, and shall not use an anonymous email address or any other anonymized information to participate in the Program.
- I am not in violation of any national, state, or local law or regulation with respect to any activities directly or indirectly related to my participation in the Program.
Vulnerability Identification and Submission:
- I shall furnish accurate information as to the vulnerability identified by me as well as submit a step-by-step guide to reproduce the issue in the Submission Form provided by MPL (‘Vulnerability Disclosure’), and agree that I shall claim a Reward associated with the Program only in the event that I am identified by MPL as the first reporter of such vulnerability.
- Vulnerability items not part of the Program: I agree that the discovery of, inter alia, HTTP 404 codes/pages or other HTTP non-200 codes/pages, fingerprinting / banner disclosure on common/public services, disclosure of known public files or directories, tapjacking/clickjacking and issues only exploitable through tapjacking/clickjacking, social engineering of our service desk, employees or contractors, missing HTTP security headers, SPF / DMARC / DKIM Mail and domain findings, email rate limiting or spamming, SSL Issues, non-application layer denial of service or DDoS, cookie issues, CSRF on forms that are available to anonymous users, logout/login cross-site request forgery, presence of application or web browser ‘autocomplete’ or ‘save password’ functionality and error messages with non-sensitive data shall not be regarded as a vulnerability under this Program.
- I will not launch Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks or use automated tools/scripts which produce heavy traffic.
- I will not attempt to gain access to any other person’s MPL account, data or personal information.
- I shall not use any scanners or automated tools to identify vulnerabilities during the course of my participation in the Program.
- I shall not attempt any non-technical attacks such as social engineering, phishing, or physical attacks against MPL’s employees, users, or infrastructure.
- I agree that zero-day vulnerabilities or recently disclosed common vulnerabilities and disclosures will not be considered eligible until more than 180 days have passed since patch availability by MPL.
- I agree that MPL has the sole discretion to determine the quality of my Vulnerability Disclosure, including whether it qualifies under the rules of the Program.
- I shall maintain confidentiality over any and all vulnerabilities submitted by me to MPL. I shall not publicly disclose the vulnerability to any third party on any online or physical platform (i) before it is fixed by MPL and the same is intimated to me, and (ii) without a prior written approval to publicly disclose the said information being received by me from MPL.
- I accept that any violation of the above said confidentiality obligation shall (i) disentitle me from being eligible for any Reward under the Program, and/or (ii) require me to return to MPL any Reward received by me under the Program.
Receipt of reward under the Program:
- I agree that while I am entitled to receive a reward for a successful vulnerability identification (‘Reward’), the content and quantum of any such Reward shall be at the sole discretion of MPL, including on the basis of severity of the vulnerability identified by me and the quality of the report submitted by me to MPL.
- I agree that any Reward under the Program will be conditional on me accepting this present Undertaking and also adhering to any other specifications set out at or communicated as a part of MPL’s Responsible Vulnerability Disclosure Program.
- I may be publicly recognised by MPL if my findings, in MPL’s sole discretion, appear to exhibit a high level of dedication to the Program, and any decision in this regard taken solely by MPL shall at all times be final and binding.
- I note and agree that I cannot designate someone else as the recipient of the Reward, and I shall be liable to pay all taxes as may be applicable on the Reward.
Rights on the Vulnerability Disclosure:
- I hereby agree to grant to MPL an exclusive, royalty-free, perpetual, worldwide, and irrevocable license to all intellectual property in my Vulnerability Disclosure, and MPL shall have the right to deal with such Vulnerability Disclosure in any manner deemed fit by MPL at its sole discretion, including to review, reproduce, modify, feature its content, use the content for academic, marketing, sale or promotion purposes. I confirm and consent that I shall not have any claim to any compensation (financial or otherwise) for such use. Further, I agree to provide my signature on any documentation that may be required to confirm the rights so granted by me to MPL.
- I agree that my conduct will be ethical, diligent and honest, I shall participate in a professional and competent manner, and conduct myself in a way which does not adversely affect MPL’s standing and reputation. I shall not indulge in any activity(s) that shall result in defamation or disparagement of MPL, in any manner or form.
- Warranties: I understand and agree that MPL along with MPL Affiliates have made no express or implied warranties with respect to the Program, and my participation in the Program is at my own risk and discretion.
- Limitation of Liability: I understand and agree that MPL will have no liability or responsibility for any special, indirect, incidental, consequential or exemplary damages in connection with this Program (however arising, including negligence) including, without limitation, damages relating to the loss of profits, income or goodwill, even if it is aware of the possibility of such damages with the exception of indemnification obligations, in no event will MPL’s liability for monetary damages under this Undertaking or Program exceed the Reward payable by MPL to me, if any, under this Program.
Disputes and Jurisdiction:
- All disputes arising out of my participation in the Program and associated activities, shall be governed by the laws of India and the courts in Bangalore, India, only shall have exclusive jurisdiction over all matters arising pursuant to this Undertaking.
- I understand that any failure on my part to abide by this above Undertaking shall cause grave harm and irreparable injury to MPL, and shall entitle it to withhold any Reward(s) or prizes (monetary or otherwise) that I may be entitled to receive from it as well as pursue further legal action against me. I further acknowledge that MPL shall also be entitled to initiate appropriate legal action against me for this.
- I specifically confirm that I have complied with all the terms of this Undertaking set out hereinabove. I further specifically undertake and confirm that I shall indemnify, defend and hold harmless MPL against any loss, damage, cost or expense that MPL may incur or sustain as a result of any claim, suit or proceeding made, brought or threatened against MPL, its employees or its representatives, including third party claims, on account of my failure to comply with any requirement that I have consented to through this present Undertaking or any other action that I may take when participating in the Program.