Immunefi

Immunefi is Web3's leading crowdsourced security platform, protecting over $190 billion in user funds. Trusted by over 330 projects like ChainLink, SushiSwap, MakerDAO, Wormhole, and many others, Immunefi works with DeFi’s leading security talent to protect projects against catastrophic exploits.

ETH
Optimism
Infrastructure
Bug bounty
Solidity
Maximum Bounty: $50,000
Live Since: 02 December 2020
Last Updated: 27 May 2024
Safe Harbor Reward: $30,000
  • Triaged by Immunefi

  • PoC required

  • Vault program

  • KYC required

Safe Harbor is a legal framework for protocols to empower whitehat security researchers to rescue funds during a blackhat attack and redirect those funds back to a protocol-controlled Vault on Immunefi in exchange for up to 60% of the project’s max critical reward.

TERMS

You have 6 hours to transfer funds back

Read the 3 boxes on the right to understand how to use the return funds process box you see fixed on the bottom of this page.

Failure to return funds within 6 hours from the initial funds recovery transaction time stamp is a material breach.

How to return funds and be eligible for a reward

1. Read the T&C

Carefully read the terms and conditions and accept them to proceed to step 2.

2. Send funds

The program’s address will be shown to you. Send the entirety of the recovered funds to this address only.

3. Fill & submit report

Submit the security report by clicking on the button “Submit Safe Harbor Report”.

Once the report is submitted, you will be able to communicate with the Program.

Terms & Conditions

To be eligible for a reward, you must follow the Safe Harbor terms and conditions below:

Immunefi – Security Researchers Terms & Conditions (Clickwrap Agreement)

As a condition of your participation in Immunefi’s Bug Bounty Programs, including the submission of bug reports, you agree to be bound by the following terms and conditions.  If you do not agree to these terms and conditions you should not submit any bug report or access the Immunefi Platform for any purpose.

  1. Definitions

“Bug Bounty Program” or “BBP” means a series of cybersecurity-related tasks and associated Research Fees developed jointly by Immunefi and Customer for the purpose of encouraging ethical cybersecurity researchers to discover vulnerabilities or other cybersecurity-related issues in Customer’s blockchain network or protocol.

“Bug Reports” means responsive reports to Customer’s Bug Bounty Program submitted by Security Researchers through the Platform.

“Platform” means the system and/or interface through which the Immunefi Services are provided to Customer and includes, without limitation, all ideas, concepts, inventions, systems, platforms, software, interfaces, tools, utilities, templates, forms, techniques, methods, processes, algorithms, know-how, Intellectual Property Rights, trade secrets and other technologies, implementations and information that are proprietary to or used by Immunefi (which may be licensed from a contracted affiliate) in connection with providing the Immunefi Services or as otherwise related to its business.

“Research Fee” means the amount set forth in Customer’s Bug Bounty Program payable to a Security Researcher for such Security Researcher’s role in uncovering and reporting to Customer a cybersecurity vulnerability in Customer’s network.

“Security Researcher” means a cybersecurity professional who uses their skills and knowledge in hacking to identify vulnerabilities and weaknesses in Customer’s computer systems, networks, or applications for the benefit of Customer.

  2. No Warranties. Use at your own risk.

Your participation in Bug Bounty Programs on the Immunefi Platform is solely at your own risk. Immunefi makes no warranty to Security Researchers of any kind.

THE SERVICES AND THE PLATFORM ARE PROVIDED BY IMMUNEFI “AS AVAILABLE” AND “AS IS” AND IMMUNEFI MAKES NO WARRANTIES, EITHER EXPRESS OR IMPLIED, AS TO ANY MATTER WHATSOEVER, INCLUDING WITHOUT LIMITATION THE AVAILABILITY AND CONDITION OF THE SERVICES AND THE PLATFORM AND IMMUNEFI EXPRESSLY DISCLAIMS ALL WARRANTIES OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE OR NEED, ACCURACY OR FREEDOM FROM ERROR, AND ALL WARRANTIES THAT MAY ARISE FROM COURSE OF DEALING, COURSE OF PERFORMANCE OR USAGE OF TRADE. THIS SECTION WILL BE ENFORCEABLE TO THE FULLEST EXTENT ALLOWED BY APPLICABLE LAW. NO INFORMATION OR ADVICE (WHETHER WRITTEN, ORAL OR OTHERWISE) PROVIDED BY IMMUNEFI OR ITS REPRESENTATIVES WILL CREATE ANY WARRANTY OR IN ANY WAY AFFECT THE DISCLAIMERS OF WARRANTY OR LIMITATIONS OF LIABILITY EXPRESSLY PROVIDED IN THIS AGREEMENT.

  3. LIMITATION OF LIABILITY

TO THE EXTENT ALLOWED BY APPLICABLE LAW AND NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY OR LIMITATION OF LIABILITY: (A) IMMUNEFI WILL NOT BE LIABLE FOR ANY INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL, LOST PROFITS, OR INDIRECT DAMAGES OF ANY KIND  IN CONNECTION WITH THIS AGREEMENT, INCLUDING WITHOUT LIMITATION RELATING TO IMMUNEFI’S PERFORMANCE OF THE SERVICES AND YOUR USE OF THE SERVICES AND PLATFORM; AND (B) IMMUNEFI’S ENTIRE AGGREGATE LIABILITY TO ANY PERSON OR ENTITY ARISING FROM OR RELATING TO THIS AGREEMENT, UNDER ANY LEGAL THEORY (WHETHER IN CONTRACT, TORT, INDEMNITY OR OTHERWISE), WILL NOT EXCEED ONE HUNDRED DOLLARS (US).

  4. Compliance with Applicable Laws.

You are responsible for complying with all applicable laws in the conduct of your research and creation and submission of Bug Reports.  Failure to comply with any applicable law shall be considered a material breach of these terms and result in immediate termination of your access to the Immunefi Platform and your ineligibility to receive any Research Fees for which you may have otherwise qualified.

  5. Prohibited Conduct.
  1. You agree not to do any of the following in your use of the Platform (including the submission of Bug Reports and interactions with Immunefi and Immunefi customers):
  1. Any testing with mainnet or public testnet contracts other than as approved by the applicable Bug Bounty Program.
  2. Making any intentional misrepresentation regarding any aspect of a Bug Report.
  3. Automated testing of services without prior authorization that generates significant amounts of traffic or submitting AI-generated/automated scanner bug reports;
  4. Attempting physical testing (e.g., office access, open doors, tailgating), phishing, or any other social engineering attacks against Immunefi and/or projects on Immunefi
  5. Creating multiple accounts on the Immunefi platform;
  6. Engaging in harassment, extortion, threats of violence, or any other hostile, abusive, or fraudulent behavior towards Immunefi, Immunefi customers or other Security Researchers participating on the Immunefi Platform;
  7. Attempting any unauthorized access to the computer systems or code repositories of Immunefi or Immunefi’s customers for any purpose other than as authorized or prescribed by the applicable Bug Bounty Program. For clarity, good faith bug hunting activity pursuant to an active Bug Bounty Program shall not be deemed a violation of these terms.
  8. Submitting bugs via email or any channel other than the Immunefi platform
  9. Attempting to communicate with any Immunefi Customer outside of the Immunefi Platform for the purpose of circumventing Immunefi or interfering in any way with Immunefi’s relationship with any of its customers
  10. Requesting gas fees from Immunefi or projects;
  11. Submitting frivolous Bug Reports, or other materials considered to be spam in the sole discretion of Immunefi
  12. Submitting Bug Reports in any language other than English
  13. Failing to abide by the Responsible Publication Policy categories set by projects, which determines what Security Researchers are allowed to publish about their bug reports
  14. Demonstrating a pattern of submitting poor quality and/or noncompliant reports as determined by Immunefi in its sole discretion

  6. Payment for Valid Bug Reports

Immunefi is not responsible for the payment of any Bug Bounty.  Bug Bounties are paid directly to You by the Immunefi customer sponsoring the Bug Bounty Program.

Payments are made in some form of crypto-asset and directed to such wallet as you designate.  Any income taxes related to your receipt of Bug Bounty payments are solely your responsibility.

You may be required to provide personal information to satisfy Know Your Customer (KYC) and/or anti-money laundering (AML) legal requirements in order to qualify for payment of a Bug Bounty.  These requirements are at the sole discretion of the Immunefi customer sponsoring the Bug Bounty Program and will be set forth in the Bug Bounty Program.  Failure to comply with these requirements will result in you being ineligible for such Bug Bounty payment.  You understand and acknowledge that you should not submit any Bug Reports for Bug Bounty Programs that require KYC/AML disclosure if you do not intend to cooperate with such requirements.

  7. Original Work/Transfer of Rights

You represent and warrant that: i)  any Bug Report submitted by you is your own original work and does not infringe the intellectual property rights (including copyright) or any other right of any third party; and ii) in the event that any Bug Report submitted by you results in the payment of a Research Fee to you that you will cooperate with all steps reasonable and necessary to transfer any copyright or other intellectual property right to such party as may be designated in the applicable Bug Bounty Program.

  8. OFAC Compliance

You represent and warrant that you are not a citizen of or otherwise accessing Immunefi from geographic regions subject to sanctions by the United States Office of Foreign Assets Control (“OFAC”), including but not limited to the nations of Belarus, Burma (Myanmar), Cuba, Democratic Republic of Congo, Iran, Iraq, Liberia, North Korea, Sudan, Syria, Yemen, and Zimbabwe and certain areas of Ukraine (e.g., Crimea, Donetsk, and Luhansk) (collectively, “Prohibited Jurisdictions”), or if the User is otherwise listed as a Specially Designated National by OFAC.

  9. Adherence to Bug Bounty Program Documentation

You agree to comply with and be bound by any special terms and conditions included in any Bug Bounty Program for which you submit a Bug Report.  

  10. Governing law and Dispute Resolution

This Agreement shall be governed by and construed in accordance with the laws of England and Wales without regard to the conflicts of law provisions thereof. Any controversy or claim arising out of or relating to this Agreement, or the breach thereof, shall be settled by arbitration (to be held in English) in accordance with Exhibit A. By signing this Agreement, Customer hereby expressly consents to settle any and all claims or controversies arising out of this Agreement by binding arbitration subject to the terms set forth in Exhibit A. YOU WAIVE YOUR RIGHT TO A TRIAL BY JURY AND AGREE THAT ARBITRATION IS THE SOLE AND EXCLUSIVE MEANS OF SETTLING ANY CLAIM, CONTROVERSY, OR DISPUTE ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT.  This arbitration provision only applies where the Immunefi Customer has extended an Offer to Arbitrate in the Bug Bounty Program.  If the Immunefi Customer has not made such an offer to arbitrate then You may pursue any legal remedy through any court that may have jurisdiction over the dispute.

  11. General Applicability of Terms of Use and Privacy Policy

You understand that your use of the Immunefi Platform and website remains subject to the Immunefi Terms of Use and Privacy Policy.


  12. Disciplinary Action by Immunefi

You understand and acknowledge access to the Platform is a privilege and not a right.  You further understand and acknowledge that any violation of any of these Terms and Conditions or applicable law may result in: (1) temporary suspension or a permanent ban from the Immunefi platform at the sole discretion of Immunefi; (2) forfeiture and loss of access to bug reports; and/or (3) forfeiture of your right to receive a payout from a Bug Bounty Program.


Exhibit A

Acceptance of Offer to Arbitrate

  1. Definitions.

  1.1. Bug Bounty Program means a series of cybersecurity-related tasks and associated Research Fees developed jointly by Immunefi and an Immunefi customer for the purpose of encouraging ethical cybersecurity researchers to discover vulnerabilities or other cybersecurity-related issues in customer’s blockchain network or protocol, as published on the Immunefi Platform.

  1.2. Bug Report means a responsive report to Customer’s Bug Bounty Program submitted by Security Researchers through the Platform.

  1.3. Contract means the Master Services Agreement or Statement of Work between the Customer and Immunefi including all Exhibits attached thereto and any subsequent order forms or amendments.

  1.4. Digital Assets means any digital currency, cryptocurrency, decentralized application token, protocol token, smart contract, Blockchain-based asset, Stablecoin, cryptoasset and other cryptofinance and digital assets and instruments.

  1.5. Immunefi means Immuni Software PTE. LTD., a Singaporean entity with UEN 202040106C.

  1.6. Immunefi Mediation means the informal process coordinated by Immunefi personnel to encourage Projects and Security Researchers to resolve Disputes (as defined below) on mutually agreeable terms. Immunefi Mediation includes dialogue and the voluntary exchange of information between the parties and, if necessary, a nonbinding recommendation by Immunefi personnel detailing suggested terms of settlement.

  1.7. Platform means the system and/or interface through which the Immunefi Services are provided to customers and includes, without limitation, all ideas, concepts, inventions, systems, platforms, software, interfaces, tools, utilities, templates, forms, techniques, methods, processes, algorithms, know-how, Intellectual Property Rights, trade secrets and other technologies, implementations and information that are proprietary to or used by Immunefi (which may be licensed from a contracted affiliate) in connection with providing the Immunefi Services or as otherwise related to its business.

  1.8. Project means the customer of Immunefi identified in the Bug Bounty Program pursuant to which a Security Researcher submitted a Bug Report that is subject to Dispute.

  1.9. Security Researcher means a cybersecurity professional who uses their skills and knowledge in hacking to identify vulnerabilities and weaknesses in customer’s computer systems, networks, or applications for the benefit of Immunefi customers.

  1.10. Vault means a blockchain-based, smart-contract-enforced mechanism through which Immunefi customers may, if customer opts to do so, deposit Digital Assets to signal to Security Researchers that customer intends to allocate funds for its bug bounty program.

  2. Dispute Resolution

  2.1. All disputes, controversies or claims (“Disputes”) between Project and Security Researcher(s) (the “Parties”) arising out of or in connection with a Bug Report shall be settled, if possible, through Immunefi Mediation.

  2.2. If a Dispute is not resolved through Immunefi Mediation within sixty (60) days of being referred to Immunefi Mediation, then the Dispute shall be exclusively and finally settled by arbitration in accordance with the Blockchain Arbitration Rules of the London Chamber of Arbitration and Mediation (the “Rules”), which rules are deemed to be incorporated by reference in this clause.

  2.3. By posting a Bug Bounty Program on the Platform, a Project makes an irrevocable offer to arbitrate all Disputes with Security Researchers in relation to that Bug Bounty Program (the “Arbitration Offer”) in accordance with sub-clause 2.2 above.

  2.4. By submitting a Bug Report in relation to the Bug Bounty Program, the Security Researcher(s) shall be deemed to have accepted the Arbitration Offer.

  2.5. Once a Bug Report is submitted, no Party may withdraw its consent to arbitrate Disputes in accordance with sub-clause 2.2 above.

  2.6. Consent to arbitrate shall survive termination of this Contract.

  2.7. The Parties agree that Immunefi shall enforce any arbitral awards on the Vault platform to the extent there are any funds available in such Vault to partially or fully cover the quantum of such award. In order to ensure availability of funds for satisfaction of any arbitral awards, funds in Vaults that are subject to dispute shall not be available for withdrawal upon the commencement of arbitration until such time as the arbitration is complete or the Dispute is otherwise resolved through settlement.


Exhibit B

Special Terms and Conditions for Projects Participating in the SecurityAlliance.org Safe Harbor Program

The following Terms and Conditions apply only to Security Researchers electing to participate in the Safe Harbor program sponsored by the SecurityAlliance.org as adopted by select Customers/Projects on the Immunefi Platform.  Immunefi’s administration of the Safe Harbor Program is governed by the Security Alliance Safe Harbor Agreement located at https://drive.google.com/file/d/1qYgOYGW4DD9oT5HRbwhkF-jNH8K2qXfT/view which is incorporated herein by reference and this Exhibit B.  In the event of any conflict between the Security Alliance Safe Harbor Agreement and this Exhibit, this Exhibit shall take precedence.

You agree and acknowledge:

1. Your participation in any Safe Harbor rescue attempt is completely voluntary.  You should not engage in any efforts related to a Safe Harbor rescue if you do not agree to be bound by these terms.  Your engagement in a Safe Harbor rescue attempt indicates your agreement.

2. There is inherent legal and technical risk in any Safe Harbor intervention.  You understand that Safe Harbor rescue activities may violate civil and criminal laws of some jurisdictions.  Neither Immunefi nor its Customers make any representation to you regarding the legality of any activities you undertake in a Safe Harbor rescue.  If you have any questions regarding the risks and/or legalities of the Safe Harbor program you should obtain independent legal counsel.

3.  Immunefi has not offered any inducement, bounty, or any other incentive to you to encourage your participation in a Safe Harbor program.  You understand that all bounties are offered and payable by the applicable Immunefi Customer.

4.  Immunefi and participating Immunefi Customers will not take any action to encourage or cooperate with law enforcement against you provided that you act within the requirements of the Safe Harbor Agreement and the Immunefi Terms and Conditions for Security Researchers.  Note that this does not apply if you engage in a rescue attempt on behalf of an Immunefi Customer that is not identified as a Safe Harbor program participant.

5.  You understand that Immunefi cannot guarantee you any degree of immunity from criminal prosecution.

6.  You understand that Immunefi and participating Customers will engage and cooperate with appropriate law enforcement agencies if you violate the Safe Harbor Agreement and/or this Exhibit, including but not limited to sharing any information we have regarding your personal identification to appropriate third parties.  Violating these agreements waives any rights you have to anonymity under the Immunefi Privacy Policy to the fullest extent of applicable law.

7.  Failure to deposit all funds recovered in a Safe Harbor rescue to the designated Immunefi Vault within six (6) hours will be considered a material and uncurable breach of the Safe Harbor Agreement WITH NO EXCEPTIONS.  YOU MAY NOT WITHHOLD FUNDS FOR ANY REASON INCLUDING BUT NOT LIMITED TO FEES, EXPENSE REIMBURSEMENT, GAS FEES ETC.  Safe Harbor rewards will be posted in the Bug Bounty Program and shall be payable in the same way as standard bug bounty awards on the Immunefi Platform.

8. You will not engage in a Safe Harbor rescue attempt where you do not believe that you have a reasonable chance of success based on your expertise and experience.
