We, Boku, Inc. (“Boku,” “us” or “we”) are making a unilateral offer to an individual who wishes to take up the offer to participate in Boku’s Bug Bounty Program (the “Program”) and follow the entirety of the Program’s Terms and Conditions herein. The Program is subject to the Bug Bounty Terms and Conditions contained herein and enables an individual that agrees to participate in the Program (“Participant”) who has found a security exposure in an operating system or other system software or application component (“Vulnerability/ies”) to submit such Vulnerabilities to Boku for a chance to earn a Boku Bug Bounty payment (“Bounty/ies”). Boku retains the sole discretion to determine i) whether a Vulnerability submission qualifies as a Vulnerability; ii) whether a Vulnerability submission is eligible for a Bounty reward; and iii) the amount of the Bounty reward.
The Boku Bug Bounty Terms and Conditions (“Terms”) cover participation in the Program. These Terms are between a Participant and Boku. Through submitting any vulnerabilities to Boku or in any manner participating in the Program, the Participant hereby accepts these Terms. By participation in this Program, the Participant agrees to adhere to the terms and conditions of the Program.
1. The Boku Bug Bounty Program and Changes to these Terms
1.1. The decisions made by Boku regarding Bounties are final and binding.
1.2. Boku may change or cancel this Program at any time, for any reason.
1.3. Boku may change these Terms at any time.
1.4. Participation in the Program following the changes becoming effective would mean that the Participant accepts and agrees to the new Terms.
1.5. If a Participant does not agree to the new Terms, they must not participate in the Program.
1.6. If a Participant wishes to opt-out of the Program and withdraw their consideration for a Bounty, the Participant must contact Boku by sending an email indicating their request to the [email protected] email address.
1.7. Each Vulnerability submitted to Boku shall be referred to as a “Submission/s”.
2. Submission Process
2.1. A Participant that has identified a Vulnerability which meets the entirety of the requirements defined in these Terms is eligible to submit it to Boku by following the Submission Process outlined herein in clause 2.
2.2. Once the Participant is ready to make a Submission to Boku, they must submit it via email to Boku to the [email protected] email address.
2.3. In order for the Submission to be considered as eligible for the Program, the Submission must specify all of the following details, if applicable:
a) the name of the Bounty Program;
b) the Vulnerability details;
c) specific product version numbers the Participant had used to validate research;
d) the steps taken to reproduce proof;
e) a detailed analysis;
f) type of issue (buffer overflow, SQL injection, cross-site scripting, etc.);
g) product and version that contains the bug, or URL if for an online service;
h) service packs, security updates, or other updates applicable to the product installed;
i) any special configuration required to reproduce the issue;
j) step-by-step instructions to reproduce the issue on a fresh install;
k) proof-of-concept or exploit code;
l) impact of the issue, including how an attacker could exploit the issue.
2.4. Submissions that contain reports which are made from automated tools or scans must include additional analysis that demonstrates the exploitability of the vulnerability in order to be considered eligible for the Bounty.
2.5. The Participant must avoid research that bears the risk of causing harm to Boku systems, destroying data or causing an interruption to service.
2.6. If the Participant finds Boku data or is unsure whether it is safe to proceed with their Bug Bounty research, the Participant must get in touch with Boku at [email protected] requesting guidance on how to proceed with their Bug Bounty research.
2.7. The Participant commits to exercising good and reasonable judgement in the process of conducting Bug Bounty research to ensure that the research does not cause detriment to Boku systems and infrastructure.
2.8. Prior to making a Submission, the Participant must ensure that they read the entirety of these Terms.
2.9. Submissions that do not meet the minimum submission quality described in this clause 2 are considered incomplete and are not eligible for Bounty.
2.10. Boku is not responsible for Submissions that have not been received for any reason. It is the responsibility of the Participant to notify Boku by email at [email protected] if they do not receive a confirmation email following a Submission being made to confirm that Boku has received the Submission.
2.11. There are no restrictions on the number of qualified Submissions a Participant can provide and potentially be paid a Bounty for.
2.12. If a Submission is successful in assisting Boku to address a Vulnerability that we were not aware of at the time that the Submission was made, and the Participant is the first external researcher to identify the Vulnerability, then they may be eligible for a Bounty.
2.13. The Participant will not be eligible to receive Bounty if the product or service is later added to the Program.
3. Participation Eligibility
3.1. The Participant must meet all the following criteria in order to be eligible for consideration for the Bounty. The Participant must:
a) be an individual or work for an organisation that permits them to participate. The Participant is solely responsible for reviewing their employer’s rules for participating in this Program;
b) be 21 years of age or older and must be considered an adult in their place of residence; and
3.2. The Participant is ineligible to participate in this Program if they meet any of the following criteria. The Participant is ineligible if:
a) they are a resident of any countries under UK, US, UN or EU sanctions, or any other country that does not allow participation in this type of program;
b) they are a sanctioned individual under UK, US, UN or EU laws;
c) they are under the age of 21 years old;
d) they are considered a minor in their place of residence;
e) their organisation does not allow them to participate in these types of programs;
f) they are an employee of the public sector and have not obtained permission from the relevant sector ethics officer permitting participation in this Program;
g) the Submission requires the social engineering of Boku staff;
h) the Submission requires a physical attack on Boku offices.
3.3. There may be additional restrictions that impact a Participant’s ability to be considered eligible for this Program, depending upon the Participant’s local law.
4. Intellectual Property
4.1. The Participant agrees that by providing any Submission to Boku they agree to the conditions in this clause 4.
4.2. For the purposes of this clause 4, ‘Intellectual Property Rights’ means: including without limitation, rights in patents, trademarks, service marks, trade names, other trade-identifying symbols and inventions, copyrights, design rights, database rights, rights in know-how, trade secrets and any other intellectual property rights arising anywhere in the world, whether registered or unregistered, and including applications for the grant of any such rights.
4.3. The Participant agrees and acknowledges that Boku shall be granted a non-exclusive, irrevocable, perpetual, worldwide, royalty free, sub-licensable license to use, copy, publish, review, assess, test, adapt, modify and otherwise analyse the Vulnerabilities and/or any feedback related to the Vulnerabilities including any Intellectual Property Rights therein, submitted to Boku via the Program and all related software, applications, documentation, and materials.
4.4. The Participant confirms and warrants that their Submission is entirely their own work, that no information or work that is owned by another individual or entity has been used in the Submission, and that they have an absolute legal right to present the information contained in the Submission to Boku.
4.5. Except for the Participant’s limited right to participate in the Program subject to and in accordance with these Terms, nothing in these Terms grants the Participant any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of Boku software, these services and related documents and/or any updates, developments or improvements thereto which are expressly reserved by Boku.
4.6. The Vulnerability shall be deemed the Confidential Information of Boku, and the Participant shall not publish, discuss or disclose the Vulnerability to any third parties in order to provide Boku with an opportunity to fix the Vulnerability. The Participant may publish and discuss the Vulnerability only after receiving notice that the Vulnerability is fixed, subject to the prior written consent of Boku, which shall not be unreasonably withheld.
4.7. Failure to comply with this clause and the requirement of confidentiality may compromise the Bounty Reward and create risk of legal action, and the Participant agrees to indemnify Boku for any losses as a result of such breach of this clause.
5. Confidentiality of Submissions or Restrictions on Disclosure
5.1. Submissions and the contents of each Submission must remain confidential and are not to be disclosed for any reason to third parties or as part of paper reviews or conference submissions.
5.2. The Participant is only permitted to make high-level descriptions of Submission research and non-reversible demonstrations available after the Vulnerability is fixed.
5.3. All detailed proof-of-concept exploit codes and details, especially those that would make attacks easier on Boku customers, must be withheld for 90 days after the Vulnerability is fixed.
5.4. Boku aims to notify the Participant as soon as the Vulnerability in a Participant’s Submission is fixed.
5.5. The Participant may be paid prior to the Vulnerability fix being released, and payment is not to be taken as notification of fix completion.
5.6. Boku has the permission to publicly recognise Participants who have been awarded Bounties and may at its own discretion recognise the Participant on Boku materials, both digital and printed, unless the Participant explicitly requests Boku to not feature their name on the materials.
5.7. THE PARTICIPANT RECOGNISES THAT ANY VIOLATIONS OF THIS SECTION COULD REQUIRE THEMSELVES TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY THEMSELVES FROM FUTURE PARTICIPATION IN THE PROGRAM.
6. Submission Review Process
6.1. Boku retains sole discretion in determining which Submissions are qualified.
6.2. After a Submission is made to Boku in accordance with the Submission Process outlined in clause 3 above, Boku will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of the Submission, as well as on the number of Submissions Boku receives.
6.3. Where Boku receives multiple Submissions from different parties identifying the same Vulnerability issue the Bounty will be granted to the first eligible Submission.
7. Bounty Award
7.1. All decisions made by Boku regarding the Bounty award are final and binding.
7.2. All payments are made in compliance with local laws, regulations and ethics rules.
7.3. Boku will notify the Participant if their Submission is recognised as eligible for a Bounty and will confirm the fiscal Bounty award amount offered to the Participant.
7.4. If a Participant is recognised as eligible for a Bounty, the payment amount will be at the discretion of Boku.
7.5. Boku will only pay a Bounty Reward per instance of Vulnerability limited to one instance of that Vulnerability, and not per each novel Vulnerability found.
7.6. Once and if the Participant is offered a Bounty, the Participant must submit an invoice to Boku which details banking information necessary to process the Bounty. Boku will provide the Participant with the required invoice material necessary to process the Bounty payment in a timely manner.
7.7. Boku will only process Bounty payment via our method of payment to bank account and will not process payment to alternative payment methods such as, but not limited to, ‘PayPal’ and ‘Google Wallet’.
7.8. The Participant is required to independently complete any local tax requirement and obligations and the Participant agrees that adherence to any local tax requirements and obligations are entirely in their remit and their responsibility. Boku is not responsible for any local tax requirements and obligations that the Participant is required to meet. Boku reserves the right to not provide payment if the Participant does not adhere to any necessary local tax requirements and obligations.
7.9. Boku will only be able to make a Bounty payment once the Participant completes and submits all necessary fully executed documents.
7.10. If the Participant accepts a Bounty, they are solely responsible for paying all applicable taxes relating to the acceptance of the Bounty payment.
7.11. The Participant has the option to waive the Bounty payment if they do not wish to receive a Bounty.
7.12. If a dispute arises regarding the identity of the Participant who made the Submission, Boku will consider that the qualified Participant is the account holder of the email address used to enter the Program.
7.13. The Participant is prohibited from designating an alternative individual to receive Bounty payment.
8. Privacy
The Boku privacy and disclosure terms shall be subject to the Boku Privacy Notice.
9. Code of Conduct
9.1. The Participant agrees that through their participation in this Program, they are to adhere at all times to the following rules:
a) Not to do anything illegal.
b) Not to engage in any activity that exploits, harms, or threatens to harm children.
c) Not to send spam (e.g., unwanted or unsolicited bulk email, postings, contact requests, text messages, or instant messages).
d) Not to share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
e) Not to engage in activity that is false or misleading.
f) Not to engage in activity that is harmful to themselves, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
g) Not to infringe upon the rights of others (e.g., unauthorised sharing of copyrighted material) or engage in activity that violates the privacy of others.
h) Not to assist any other individuals to break any of the rules outlined in this clause 9.1.
9.2. By violating any of the terms outlined in clause 9.1 above, the Participant risks indefinite prohibition from current and future Program participation, and any Submission may be immediately deemed ineligible for Bounty consideration.
10. No Warranties
THE PROGRAM IS PROVIDED “AS IS”. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE EXPRESSLY DISCLAIM ALL REPRESENTATIONS AND WARRANTIES IN CONNECTION WITH THE PROGRAM, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF INTELLECTUAL PROPERTY, ACCURACY, COMPLETENESS, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING BY STATUTE OR OTHERWISE IN LAW OR FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USE OF TRADE WHICH ARE HEREBY EXCLUDED AND THE PARTICIPANT UNDERSTANDS THAT THEIR PARTICIPATION IN THE PROGRAM IS AT THEIR OWN RISK.
11. Limitation of liability and Disclaimer
TO THE MAXIMUM EXTENT PERMITTED BY LAW (A) WE SHALL NOT BE LIABLE TO THE PARTICIPANT FOR ANY DAMAGES, CLAIMS, EXPENSES OR OTHER COSTS (INCLUDING, WITHOUT LIMITATION, ATTORNEYS’ FEES) THEY SUFFER OR INCUR AS A RESULT OF OR RELATING TO THEIR PARTICIPATION IN THE PROGRAM, (B) UNDER NO CIRCUMSTANCES WILL WE BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, AND (C) OUR MAXIMUM AGGREGATE LIABILITY TO THE PARTICIPANT ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR THEIR PARTICIPATION IN THE PROGRAM SHALL BE LIMITED TO $100, REGARDLESS OF THE CAUSE. WE DO NOT EXCLUDE OR LIMIT OUR LIABILITY FOR DEATH OR PERSONAL INJURY CAUSED BY OUR NEGLIGENCE, FOR FRAUD OR FOR ANY OTHER LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW.
12. Choice of law and dispute resolution jurisdiction
12.1. These Terms shall be governed by and interpreted in accordance with the laws of England and both parties agree to submit to the exclusive jurisdiction and venue of England, and the London Court of International Arbitration for all disputes arising out of or relating to these Terms or the Program.
12.2. The governing language of these Terms is English.
12.3. These Terms will be binding on and will inure to the benefit of the legal representatives, successors and assigns of the parties hereto.
12.4. These Terms (and any policies referenced herein and incorporated by reference) constitute the entire agreement between the Participant and Boku with respect to the subject matter hereof, and the Participant has not relied upon any promises or representations by Boku with respect to the subject matter except as set forth herein.
12.5. The Participant shall not assign these Terms or assign any rights or delegate any obligations hereunder, in whole or in part, whether voluntarily or by operation of law.
12.6. A person who is not a party to these Terms of Use has no rights under the Contracts (Rights of Third Parties) Act 1999 (the “Act”) to enforce, or to enjoy the benefit of, any term of these Terms, but this does not affect any right or remedy of a third party which exists or is available apart from the Act.
13. General
These Terms and the Boku Privacy Statement are the entire agreement between the Participant and Boku for the Participant’s participation in the Program. These Terms supersede any prior agreements between the Participant and Boku regarding the Participant’s participation in the Program. If a court or arbitrator holds that Boku is not able to enforce a part of these Terms as written, Boku may replace those terms with similar terms to the extent enforceable under the relevant law.
IF THE PARTICIPANT DOES NOT AGREE TO THE ENTIRETY OF THESE TERMS, THEY SHOULD NOT SEND BOKU ANY SUBMISSIONS OR PARTICIPATE IN THIS PROGRAM.