Bounce offers a bug bounty program for security vulnerabilities in the Platforms to encourage researchers in discovering security bugs across our Platforms. This Bug Bounty Agreement (the “Agreement”) sets forth the terms under which the relationship of the Security Researchers and Bounce will be governed along with the terms governing the Bounty. By choosing to opt for the Bug Bounty Program that references this Agreement, the Security Researcher so executing the Report agrees to this Agreement on and represents that he or she has the authority for this Agreement. The Parties agree as follows:
DEFINITIONS
Capitalized terms will have the meaning set forth in this section or as otherwise defined in this Agreement.
- “Bounce” means Wickedride Adventure Services Private Limited, a company incorporated under the Companies Act, 2013 and having its registered office at No. 1705, Second Floor, East End “A” Main Road, 9th Block, Jayanagar, Bangalore – 560069 and corporate office at Mohan Chambers, #33, 1st Main Rd, 3rd Phase, J. P. Nagar, Bengaluru, Karnataka – 560078.
- “Bounty” means the monetary reward or otherwise awarded by Bounce to Security Researchers for identifying and reporting the security vulnerability in the Platforms.
- “Bug Bounty Program” means a bug bounty program or vulnerability disclosure program offered by Bounce. Bug Bounty Program will be governed by this Agreement.
- “Data” means all products and information available on the Platforms.
- “Security Researchers” are the individuals who identify or discover the security vulnerability in the Platforms of Bounce and report the security vulnerability to Bounce.
- “Services” means the services of discovering the security vulnerability in the Platform and reporting it to Bounce.
- “Party” or “Parties” means Bounce and Security Researcher shall hereinafter be referred to individually as the “Party” and collectively as the “Parties”.
- “Platforms” are the Android and iOS applications of Bounce and includes the website of Bounce i.e. www.bounceshare.com that is available in public domain.
ENGAGEMENT
Security Researchers will identify and report the security vulnerability to Bounce. Unless otherwise specified in the specific format, Security Researchers will notify Bounce electronically about any security vulnerability in the Platform through a Report available for review by Bounce.
Security Researchers should submit their Report to the email address bug.bounty@bounceshare.com. Any Report of the security vulnerability in the Platform sent to the above-mentioned email address only will be considered valid for the Bug Bounty Program.
Security Researchers should ensure the intimation of security vulnerability in the Platform should contain a detailed description of the security vulnerability including but not limited to details like vulnerability type, vulnerable URL, impact description, relevant screenshots to depict the flow of the vulnerability, video pertaining to vulnerability (“Report”).
Bounce will investigate and respond to all valid Reports at such suitable time it deems fit. Upon receipt of Report, Bounce will review the Report and may reasonably reject the recommendation if the applicable results are outside the scope of the Bug Bounty Program, or if the vulnerability reproduction instructions provided by Security Researcher are not sufficient to reproduce the vulnerabilities, or if it’s a repetition of an already submitted Report by any other Security Researcher, or for any other reason as Bounce may deem fit. If Bounce rejects a Report, the Security Researcher will not be eligible for the reward for the particular rejected Report. The acceptance and rejection for such Reports are entirely at Bounce’s discretion.
If the Security Researcher inadvertently causes a privacy violation or disruption in the Platform while investigating an issue, the Security Researcher must stop the investigation at that very moment and disclose the privacy violation in the Report. The Security Researcher shall be responsible for any such breach or violation it causes to Bounce’s Platform while investigating and working for Bug Bounty Program.
INDEPENDENT CONTRACTOR RELATIONSHIP
Bounce does not control or supervise the Security Researchers, and the Security Researchers are not employees of Bounce. Nothing in this Agreement is intended or should be construed to create a partnership, joint venture, or employer-employee relationship between Security Researchers and Bounce. Security Researchers are not agents of Bounce and are not authorized to act on behalf of Bounce.
BOUNTY
Bounce may provide a Bounty to the Security Researcher if it accepts the Report given by the Security Researcher. Bounties are awarded based on the severity, impact and complexity of the security vulnerability reported, which shall be decided by Bounce at its sole discretion. Bounty awarded to the Security Researcher will be in the denomination of Indian Rupees (INR). Apart from Bounty, Security Researchers whose Report has been accepted by Bounce will be honored on the Hall of Fame on the Platform i.e. www.bounceshare.com upon the sole discretion of Bounce. Bounce determines Bounty amounts based on a variety of factors, including but not limited to impact, ease of exploitation and quality of the report. In an event there is an extremely low-risk issue reported, such issue may not qualify for a Bounty at all. Bounce aims to pay similar Bounty amounts for similar issues subject to change over time upon the sole discretion of Bounce. In the event of duplicate Reports submitted by Security Researchers that are eligible for Bounty, Bounce will award a Bounty to the first Security Researcher to submit the Report. Bounce holds the sole right to determine a duplicate Report and may not share details on the other Reports. Bug Bounty Program may be discontinued, without notice, upon the sole discretion of Bounce.
CONFIDENTIALITY
Confidential Information shall mean any and all information of Bounce (“Disclosing Party”) disclosed to Security Researcher (“Receiving Party”), of the fact if the same contains any notice of its confidential nature.
The Receiving Party:
- acknowledges the proprietary right of the Disclosing Party over the Confidential Information;
- shall not disclose the Confidential Information in whole or in part to any other person; and
- shall not use or disclose the Confidential Information for any purpose, other than to exercise its rights and perform its obligations under this Agreement.
The foregoing shall not apply to the Confidential Information that:
- is publicly known at the time of disclosure or subsequently becomes publicly known;
- is lawfully received from a third party, who is not subject to confidentiality obligations with the Disclosing Party;
- was independently developed by the Receiving Party without reference to the Confidential Information of the Disclosing Party, as established by the written evidence of the Receiving Party, or
- is required to be disclosed under a legal requirement, provided that, in such cases the Receiving Party shall: (i) give the Disclosing Party reasonable written notice prior to disclosure pursuant to such requirement (unless prohibited by such requirement); (ii) use diligent efforts to limit disclosure and to obtain confidential treatment or a protective order and allow the disclosing Party to participate in the proceeding; and (iii) comply with any applicable protective order or equivalent.
The Receiving Party acknowledges that the unauthorized disclosure, access or use of the Confidential Information by it may irreparably damage the Disclosing Party in such a way that monetary compensation may not adequately remedy the damage. Accordingly, the Disclosing Party shall have the right to seek injunctive relief restraining such unauthorized disclosure or use, without the necessity of proving actual damages, in addition to any other remedy otherwise available to the Disclosing Party, at law or at equity.
Notwithstanding anything contained herein, the provisions of this clause shall continue to be applicable and to bind the Receiving Party without limit on point in time except and until such information enters the public domain.
OWNERSHIP
- Bounce reserves all right, title and interest in and to the Platform and Reports, and all modifications and improvements to it, including all related Intellectual Property Rights (as defined below). No rights are granted to Security Researcher other than as expressly set forth in this Agreement. The Reports shall be deemed the Confidential Information of Bounce unless otherwise agreed by the parties, and nothing in this Agreement shall be deemed to limit or restrict Bounce’s rights in or to the Reports. Bounce shall have an exclusive, perpetual, irrevocable, worldwide, transferable, sub-licenseable, fully-paid right to its existing rights with respect to its Platform, Business and Report or reproduce, create derivative works of, distribute, publicly perform, publicly display, digitally transmit, and otherwise use the derivative works thereof. Bounce shall have an exclusive royalty-free, worldwide, transferable, sub-licensable, irrevocable, perpetual license to use or incorporate into its services any part of the Report provided by Security Researcher.
- “Intellectual Property Rights” means, all patents (including originals, divisionals, continuations, continuations-in-part, extensions, foreign applications, utility models and re-issues), patent applications, copyrights (including all registrations and applications therefore), trade secrets, service marks, trademarks, trade names, Reports, trade dress, trademark applications and other proprietary and intellectual property rights, including moral rights.
- Security Researcher hereby agrees that Bounce shall be the sole assignee having exclusive ownership over all the Intellectual Property Rights of any content produced or made under the scope of this Agreement and the Security Researcher gains no right over it. Security Researcher hereby represents that Security Researcher has all rights and authority of the Report and at no point shall the Security Researcher infringe over any rights of any third party.
SECURITY RESEARCHER REPRESENTATION AND WARRANTIES
- Security Researcher shall not make any public disclosure of security vulnerability before it has been fixed by Bounce.
- Security Researcher shall describe the security vulnerability in detail and shall cooperate at all times with Bounce if additional information regarding the security vulnerability is required.
- Security Researcher shall not exploit / misuse Data without permission of Bounce.
- Security Researcher shall not run tests which might disrupt the services of Bounce.
- If any security vulnerability is made public before the fix is effectuated by Bounce, such security vulnerability will not be eligible for Bounty.
- Security Researcher shall share a detailed Report depicting the security vulnerability of the Platform and Bounce reserves the rights on the Reports shared by the Security Researcher.
EXCLUSION OF THE BOUNTY
The Security Researcher will not be eligible for any Bounty in the following circumstances:
- If the Security Researcher infringes any of the applicable laws or any of the rights of Bounce to identify the security vulnerability in the Platform.
- If the Security Researcher does not identify security vulnerabilities in the Platform but on any underlying operating system or supporting software.
- If the Security Researcher is an employee of Bounce or a relative of an employee of Bounce or a former employee of Bounce and / or a related party to Bounce.
INDEMNIFICATION
Security Researcher shall indemnify, defend and hold harmless Bounce, its affiliates, and each of their directors, officers, employees, and agents from and against all claims, suits and proceedings and any and all related liabilities, losses, expenses, damages and costs (including, without limitation, reasonable attorneys’ fees) (collectively, the “Losses”) relating to or arising out of the breach by Security Researcher of any of its representations or warranties under this Agreement and breach of or non-compliance with the provisions of applicable law.
TERM AND TERMINATION
This Agreement will continue from the day the Security Researcher accepts such terms and participates in the Bug Bounty Program and shall hold valid until terminated by Bounce in accordance with the terms of this Agreement. Bounce may terminate this Agreement immediately upon written notice to the other party (the “defaulting party”) if the defaulting party has materially breached a provision of this Agreement or any applicable law.
Upon termination or expiration of this Agreement, Bounce will cease Bug Bounty Program for that Security Researcher.
GENERAL PROVISIONS
This Agreement shall be governed by and construed in accordance with the laws of India. The Courts at Bangalore shall have the exclusive jurisdiction in respect of any matter, claim or disputes arising out of or relating to this Agreement. All differences, disputes or claims arising out of or in relation to this Agreement, or any breach or alleged breach thereof, shall be settled by the Parties through mutual discussions. In case where such disputes do not settle through mutual discussions, the Parties shall refer such dispute for settlement by a sole arbitrator, appointed by Bounce. The arbitration proceedings shall be governed by the Arbitration and Conciliation Act, 1996 and its subsequent amendments. The arbitration proceedings shall be held in Bangalore, India. The language to be used at arbitral proceedings shall be English.
Any waiver, amendment or other modification of this Agreement will be upon the sole discretion of Bounce.
Any notice or other communications under or in connection with this Agreement shall be in writing and shall be sent by electronic mail on the email address mentioned in the Agreement.