Terms of Service
Introduction and Acceptance
Please read carefully these terms and conditions (hereinafter, “Terms” or “Terms of Service”) applicable to your participation in the huntr vulnerability disclosure and bounty programme (hereinafter “Programme”), available at https://www.huntr.com/ (hereinafter the “Platform”) operated by 418SEC LTD, registered in England & Wales with company number 11412418 and registered address at C/O Simons Muirhead & Burton LLP, 87-91 Newman Street, London, United Kingdom, W1T 3EY (hereinafter “huntr”, “we”, “us”). 418SEC LTD is part of the Protect AI corporate group.
These terms are directed at contributors of the Programme (“Contributors”), Free and Open-Source Software (FOSS) project maintainers (“Maintainers”) and Security Researchers that wish to participate in our bounty Programme (jointly the “Users”).
These Terms between Contributors, Security Researchers, Maintainers and huntr, as updated from time to time, together with our Privacy Policy, Participation Guidelines, and policies referred to herein (collectively, the “Agreement”), govern access and use of huntr Services as a Contributor.
Users will be notified of updates and eventually requested to accept the new Terms.
We desire to help discover, report and fix security issues by offering our services for coordinating bug hunting, reporting and eventually fixing against payment of published bounties (hereinafter “huntr Services”). These services are offered to our clients (“Clients”), usually Free and Open-Source Software (OSS) projects, certain FOSS projects and their sponsors, non-profit or enterprise backed FOSS projects and/or enterprises using FOSS; and Security Researchers are part of our services under these Contributor Terms. We also pay out bounties pro-bono on certain open source projects (i.e. not sponsored or funded by Clients).
By registering and using huntr Services as a Contributor, you agree to be bound by these Terms. Failure to comply with any part of these Terms of Service may result in the termination of your account. As a Contributor you affirm you are fully capable and empowered, being over 18 years old and you have your own bank account, to enter into these Terms of Service.
You represent and confirm that you have read and accept our Privacy Policy and Participation Guidelines, the terms of which are an integral part of these Terms.
Contributors and huntr are jointly referred to as “Parties” and each as a “Party”.
To contact us, please email: support@huntr.com
1. Subject Matter and how huntr works
1.1 The Agreement regulates the terms under which we will provide Contributors with our Services and under which Contributors participate in contributions.
1.2 The Agreement also regulates the terms under which Contributors interact with us and around our Services.
1.3 We support FOSS security by obtaining funding and setting bounties for reporting and fixing security issues, as well as for the development of code necessary to detect and/or fix such issues (“Contributions”). We have our own funding, and also Clients support our work by financing the bounties under a Client Terms of Service. Our community of Contributors have skills and the desire to detect security issues, report them and eventually fix them and are motivated to report security issues that they find. We pay Contributors the bounties set for each validated security issue for which a bounty has been set. When applicable we pay fix bounties to Contributors that provide validated fixes.
1.4 Our Services are based on crowdsourcing, which takes place on a voluntary basis with a high degree of flexibility. Security research can be performed independently of location and time and there is no long-term commitment of the Contributors. Furthermore, Contributors retain their freedom to choose which projects to analyse for security vulnerabilities and which not. Contributors are not employed by us in any manner (either as employee or contractor), and the only compensation we pay out are the bounties.
1.5 As a Contributor, you agree to abide by our Participation Guidelines, in line with community standards.
2. User Account
2.1 Registration. To become a User and benefit from our Services (including receiving bounties in the case of Contributors), you must register online at https://huntr.com/. On registration, Users must provide true, accurate, current, and complete information about themselves (collectively, the “Registration Data”).
2.2 Contributors must also complete, depending on their condition, their payment information such as Bank Account, when requested.
2.3 Unauthorised access. Users are responsible for any access and use of their account regardless of whether the activities were undertaken by them or a third party. Users agree to notify us immediately if they believe that an unauthorised third party may be using the account or if their account information is lost or stolen.
2.4 Data update. Users must maintain and promptly update the Registration Data to ensure that it remains true, accurate, current, and complete at all times. If we have reasonable grounds to suspect that your information is untrue, inaccurate, not current, or incomplete, we may suspend or terminate the User account and/or disable and prohibit all current or future access. We will attempt to get in contact before doing this.
2.5 Data modification. Users can modify their own Registration Data, change their credentials, customise the notification system, and delete their account by getting in contact with us.
2.6 We will not be liable for any loss or damage from the Users’ failure to comply with this Section.
3. Scope of Services
3.1 In accordance with the chosen Programme, we publish the bounties on our site and dedicate and ensure the payment of the bounties corresponding to the Contributions made by Contributors. Such Contributions are validated by Maintainers and also can be validated by huntr depending on the specific Programme. Bounties will be published on https://www.huntr.com/. In some cases, depending on the Programme, we reserve the right to provide details about bounties privately by sending an email to Contributors (for example in private bug bounty Programmes).
3.2 We receive bug reports from Contributors via specific forms, email or other indicated channels on our website. When a bug report is submitted, we usually, if possible, communicate this to FOSS Maintainers (registered or not) of the respective project. The Contributions submitted will be validated by the Maintainer. We are not responsible for the validation of Contributions made by Maintainers. However, Contributions may also be validated by members of the huntr team.
3.3 Bug fixes: When a bug fix is submitted, the Security Researcher, Maintainer or huntr administrators will provide us with a repository and branch name, indicating where the patch exists. This will be immediately notified to the Maintainer, if possible, in order to review the submitted fix and ultimately, decide if it patches the vulnerability. Once the Maintainer, or member of the huntr team, confirms the upstream commit SHA for the patch, the related Security Researcher or Maintainer will be rewarded a bounty.
3.4 We guarantee to pay out to Contributors the amount of money allocated to each validated report.
3.5 We reserve the right to set bounties. We may agree with Clients on certain bounty levels fixed jointly with us or our Sponsors. We also reserve the right to unilaterally change the bounty price if the system quotes the wrong price or the bounty value is otherwise corrected or updated by us or our Sponsors prior to any bug report being validated.
Outside the foreseen cases, no change in the bounty shall be effective unless there is a manifest error in setting the bounty value. Once a bug report is validated, the bounty value is fixed. We may offer an additional amount (usually 25% of the disclosure bounty value) for the Contributor that proposes a fix for the vulnerability that is subsequently validated.
3.6 As part of our Programme, it is important that all Contributors receive the recognition they deserve. Once a vulnerability has been fully disclosed in accordance with the Participation Guidelines, we credit all Contributors involved for their crucial work in the process and pay out the appropriate bounty. Due to the specifications of the Programme or the nature of the vulnerabilities reported, we reserve the right not to disclose the full extent of the vulnerabilities submitted and may keep some subsets of them private. However, all Contributors will still receive acknowledgement for the entire report.
4. Contributors Rights and Obligations
4.1 Contributors must follow guidelines of performance details as stated in these Terms.
4.2 Contributors must follow and comply with our Participation Guidelines, in order to comply with conditions for receiving any bounty.
4.3 Contributors must comply with all relevant laws when reporting a vulnerability. In particular, Contributors must make sure their reports, actions and Submissions do not infringe or violate any third party’s intellectual property rights, privacy and data protection rights or any other applicable law or regulation.
4.4 Contributors must also be aware of the open source community policies as to reporting bugs, and the contribution policies of the FOSS projects that they analyse and report any bugs to.
4.5 Contributors agree that in the event of reporting any bug on our platform, we shall have the period set out in the Participation Guidelines of exclusivity for managing the reporting of the bug and validation with the FOSS Projects. Contributors shall not post the bug report on any other platform or medium of communication, nor communicate with the FOSS project or corresponding maintainer via any other channel (unless agreed with us). In the event of breach of this provision, the Contributor forfeits his/her right to the corresponding bounty and his/her account may be suspended or terminated by us.
5. Maintainers Rights and Obligations
5.1 Maintainers may indicate the projects they maintain in the Registration Data, however we may also verify this through online processes. We will contact you if we have any doubts about your status.
5.2 Maintainers must follow our Participation Guidelines at www.huntr.com/guidelines/
5.3 Maintainers agree that they will not communicate with other Contributors on vulnerabilities and related fixes disclosed on huntr via any channel other than our platform (unless agreed between us and the FOSS project). In the event of breach of this provision, the Maintainers may forfeit their right to the corresponding bounty (as indicated above) and the Maintainer’s account may be suspended or terminated by us.
5.4 Maintainers agree to promptly verify and validate any bug disclosures reported on the platform, once they are notified.
5.5 In the event of any dispute between Contributors and Maintainers regarding the validation of a bug report, we will not be involved, and assume no liability, but we may offer communication and informal mediation services for amicable resolution. Our decision to pay out any bounty is final, and Contributors agree that they will not dispute this decision.
5.6 Maintainers may disclose vulnerability reports about their own projects on the platform, but will not be entitled to any bounty. Maintainers may however propose bug fixes for vulnerabilities disclosed on huntr, and be entitled to the bug fix bounty, if one is set.
6. Payment of bounties. Taxation.
6.1 Payment of a bounty will be granted after (a) correct reporting of the bug on the platform and (b) subsequent validation of the bug by the corresponding Maintainer. Payment may take up to 2 months from validation until made, and is subject to huntr’s own right to verify the validity of the bug report and compliance by the corresponding Contributors with the Agreement.
6.2 All payments will be made by Protect AI to the accounts set out in their payment information.
6.3 Payment may be delayed in the event of any investigation into the validity of the bug report and validation by the corresponding Maintainer/s. Payment may be withheld in the event that huntr has reasonable belief that the bug report or fix is not valid or is made fraudulently or in breach of these Terms and/or our Participation Guidelines.
6.4 We will pay out bounties to Contributors at the end of each month, based on the bounties earned by each Contributor. The payments will be made to the payment accounts provided by the Contributor (or the legal representative if applicable). We are not responsible for payments made to a bank account that is not owned by the Contributor when such payment information has been provided by the Contributor through the means of payment described below.
Although these terms bind you to huntr's UK-based company, payment of bounties will be made by huntr's US-based parent company, Protect AI, with such payments being made using the Stripe platform.
We inform Contributors receiving bounties that these payments may be considered taxable income depending on the country in which you are receiving the bounties. Please check the legal conditions in your country in relation to the income received from your Contributions.
The Contributor, the first time they earn a bounty, will receive an email requesting them to create a Stripe Connect account, in which they must provide the information requested by Stripe to verify their identity and provide their payment information. Once the account has been verified and the information has been provided, the Contributor will receive a payout confirmation email, with all the details of the payment. The following months the Contributor will automatically receive an email confirming the payout details.
Stripe Connect supports payouts to most countries; it is therefore essential that the Contributor is domiciled in one of the identified countries. You can see the full list of supported countries here: https://stripe.com/docs/connect/cross-border-payouts#supported-countries.
The Contributor agrees to the use of Stripe Connect for this purpose, under their terms of service. If the Contributor’s country is not in this list, we will not be able to process a payout to you, but instead can offer to donate your payout to charity.
6.5 We reserve the right to change financing platform, method and means, without materially changing the modus operandi set out herein (“Scope of Services”), unless otherwise agreed with Contributors.
6.6 Paid-out bounties are not refunded, however if huntr becomes aware of any fraudulent or bad faith use of the platform, it will use reasonable efforts to recover bounties paid-out to Contributors under false pretences, or on the basis of negligence or wilful misconduct and/or misinformation of Contributors or FOSS projects. Any User involved in such activities may be suspended and their account terminated at huntr's discretion.
6.7 When a vulnerability report has been validated, huntr emails the Contributor with notice of validation and later, a request for payment information. Contributors may waive the bounty payment (email us). If the Contributor does not respond to the notification, no payment will be made. If the Contributor does not respond within 12 months from notification, the Contributor is deemed to waive the bounty payment and the corresponding bounty will be declared void.
6.8 In the event a bug report was made by a Contributor in collaboration with others, the Contributor shall be solely responsible for (a) obtaining the necessary rights to make the report, and (b) sharing any sums (bounties) received hereunder from huntr for the validated report with these third parties pursuant to any possible agreements entered with them. Contributors must notify this situation to huntr to take the appropriate measures.
6.9 We shall not pay any taxes or make any withholding on bounty payments unless required by applicable law. Contributors are fully responsible for paying taxes on their income (including bounties) and agree to indemnify and hold huntr harmless against any claims for taxation and related sanctions made by any taxation or judicial authorities.
7. Data protection
7.1 All personal data collected and processed during the course of providing our services are processed in accordance with our Privacy Policy online at www.huntr.com/privacy/ which terms are incorporated herein. Contributors’ personal identification, Vulnerability Information and payment details will necessarily be shared with Protect AI (as a Data Controller) for the purposes of the performance of this Agreement. This may constitute an international transfer of data to the USA, which is expressly consented by the Contributor. See our Privacy Policy for more details.
8. Intellectual Property Rights
8.1 Subject to clause 8.2 below, in consideration for the bounty payment, Contributors assign to Protect AI on a worldwide, perpetual and exclusive basis all their intellectual property rights (including copyrights and know-how) in and to all and any bug report, bug fix, and/or related information provided by Contributors on the platform (“Vulnerability Information” including without limitation bug fixes and other software code), including all rights to reproduce, modify, distribute and communicate the Vulnerability Information for any purpose and to any party.
8.2 Users retain the right to use the Vulnerability Information for non-commercial research and educational purposes. Users expressly agree not to disclose any Vulnerability Information to any third party before it has been made public by huntr on the huntr platform or otherwise by the Project in agreement with huntr and compliance with these Terms.
8.3 We may submit the Vulnerability Information to the corresponding FOSS Project under the IPR policy or contribution policy of the FOSS project. In the absence of such policy, the Vulnerability Information will be contributed to the Project under the project license.
9. Warranties
9.1 We warrant that our services (set out in Scope of Services) will be performed professionally and diligently in accordance with industry standards.
9.2 Each Party warrants that its actions hereunder and in respect of the huntr website and Services (and for Contributors, without limitation, that their Vulnerability Information) do and will not infringe or violate any third party’s intellectual property rights, privacy and data protection rights or any other applicable law or regulation.
9.3 We make no warranties regarding the processing of bug reports by FOSS Projects, nor that bounties will be paid out unless in accordance with these Terms.
9.4 Except as expressly set out in Sections 9.1 and 9.2, to the maximum extent permitted by applicable law, neither Party nor Protect AI makes any representations or warranties regarding the huntr Services, including warranties as to satisfactory quality or fitness for purpose.
10. Liabilities
10.1 Each Party shall be liable without limitation for damages due to
10.1.1 fraud, malicious conduct or intentional breach of these Terms by that Party.
10.1.2 gross negligence in performing or omitting to perform the Agreement by a Party.
10.2 Apart from the cases set out in section 9.1, to the maximum extent permitted by applicable law, neither Party shall be responsible to the other for any direct or indirect damages.
10.3 In particular but without limitation, huntr shall not be held liable for any action or omission of the Contributors nor any FOSS projects unless huntr is directly involved and actively participates in such action.
10.4 Contributors agree to release and indemnify and hold huntr and Protect AI harmless from any claims, demands and damages (direct or indirect) of any kind or nature, known and unknown, arising out of or in any way connected with (a) a dispute between a huntr Client or any FOSS project and the Contributor, (b) any false or incorrect information provided by the Contributor to huntr in the Registration Data, (c) false or incorrect information provided by Contributors and FOSS Projects, (d) breach by a Contributor of his/her representations, warranties and covenants hereunder, and (e) breach by a Contributor of any law or third party right.
11. Term and Termination
11.1 This Agreement will be effective from the day of acceptance by huntr of the Contributor’s registration and will be in force until terminated hereunder.
11.2 This Agreement may be terminated without cause by a Contributor at any time on 30 days’ prior written notice to huntr at the address set out above or email to support@huntr.com, however termination will not affect payments made before termination nor any rights and obligations or liabilities surviving termination.
11.3 This Agreement may be terminated on written notice by a non-breaching Party in the event of material breach of a term of this Agreement by the other, and that breach has not been remedied within 30 days of being notified of the breach by the non-breaching Party.
11.4 Notwithstanding termination rights, huntr may suspend a Contributor’s account (and payment of any bounties) in the event of any breach of these terms by the Contributor, and huntr will notify the same to Contributor at the email set out on registration.
11.5 Contributors acknowledge and agree that any rights, assignments and licenses referred to Bug reports (and Fixes), remain valid and in full effect and continue perpetually even after this Agreement has been terminated between the Contributor and huntr.
12. General Provisions
12.1 This Agreement constitutes the entire Agreement between the Parties with respect to the subject matter of the Agreement. There are no third party beneficiaries to this Agreement except Protect AI to the extent expressly referenced in the terms.
12.2 No amendment to these Terms shall be effective unless made in text form and communicated to the Contributor. The same applies to a waiver to any clause or right hereunder.
12.3 If any provision of these Terms is or becomes invalid, this shall not affect the validity of the remainder of the Agreement. The Parties shall without delay agree to substitute the ineffective provision with an effective provision which approaches the purpose of the original provision as closely as possible. This applies accordingly in the event of a gap that needs to be filled.
12.4 All notices hereunder must be in writing and will be effective if sent to:
12.4.1 To huntr, at the address set out above or by email to support@huntr.com
12.4.2 To the Contributor: at the email addresses indicated in the registration data.
Email notifications are effective only if receipt is confirmed.
12.5 These Terms may be updated from time to time by huntr, and notification provided to you. Any use of our Services after notification of changes indicates your acceptance of the modified terms. If you do not agree to the modification, you may terminate the Agreement in accordance with clause 11.
12.6 This Agreement shall be governed by and construed in accordance with the laws of England and Wales.
12.7 All disputes arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of London, UK.
12.8 The Parties agree that they will use good faith attempts to amicably resolve any such dispute during a period of 30 days from written notice by one party to the other of a dispute, and that they will not submit any judicial claim during that 30 day period.