CESPPA Researcher Agreement

Eligibility, Vulnerability Reports

These Researcher Terms form a binding agreement between CESPPA, Inc. and its affiliates (collectively, "CESPPA", "we", "us" or "our"), (b) you as an individual and any entity or employer on whose behalf you are acting (collectively, “you” or “your”) and (c) the Customer that owns the applicable vulnerability testing or “bug bounty” Program, with respect to such Program. By accessing or participating in a Program, communicating with CESPPA, Customers and/or other Researchers about a Program, or providing or making available a vulnerability report, you agree to the Researcher Terms and CESPPA’s Terms of Use and Privacy Policy, which are incorporated by this reference. Any capitalized terms not defined herein have the meaning specified in our Terms of Use or Privacy Policy. If you are under 18 years old, your parent or guardian must agree to the Researcher Terms on your behalf.

As between CESPPA and you, you retain ownership of all Intellectual Property Rights in and to your vulnerability report. By providing or making available your vulnerability report through the Site and/or Services, you grant to us a grant, a royalty-free, sub-licensable, transferable, perpetual, irrevocable, non-exclusive, worldwide license to use, reproduce, modify, publish, list information regarding, edit, translate, distribute, publicly perform, publicly display, and make derivative works of the vulnerability report. You also agree that we may collect statistical and other information about vulnerability reports in order to provide and improve the Services.

By participating as a Researcher, you further represent and warrant that:

  • If you are acting as an employee, contractor or agent of a third party, such third party knows about and consents to your conduct including your potential receipt of any award, bug bounty or other consideration, you have full authority to bind such third party to these Researcher Terms, and your conduct will not violate such third party’s policies or procedures; and
  • Any vulnerability report and Customer’s use of such vulnerability report will not infringe, misappropriate or otherwise violate any third-party Intellectual Property Rights, publicity, privacy or other proprietary rights or otherwise violate any applicable law or regulation.

Bounty Awards

As a Researcher, you may receive a bounty award for submitting a vulnerability report to a Customer in connection with a Program, provided that the vulnerability report satisfies CESPPA’s eligibility requirements and any specific Customer requirements described in the Program, including without limitation undergoing any background check, signing a confidentiality or non-disclosure agreement, or other terms and conditions. In the event of a conflict between any CESPPA requirements and specific Program requirements, the Program requirements will control.

If Customer has designated CESPPA to process bounty awards on its behalf, CESPPA typically will make available a bounty award to you within 10 business days after Customer has notified CESPPA of your award and provided CESPPA with the payment funds.

Although you may use a pseudonym and remain anonymous, in order for you to collect a bounty award we may require you to confirm your identity to us, as well as meet all other eligibility requirements. In addition to your CESPPA Account profile information, we may require personally identifying information for background and fraud checking purposes, including without limitation your date of birth, nationality, current and previous addresses, social security number (or tax identification number), and for bounty award purposes, your banking, crypto wallet address, PayPal or other payment information. To receive a merchandise award (swag) as applicable, we may also ask you for additional information such as your mailing address, telephone number, and clothing size. All personally identifying information provided must be complete, accurate and up-to-date.

You are responsible for all taxes related to any awards. You acknowledge that CESPPA does not provide awards or other payments to any person who is identified on, employed by, or associated with an entity that is identified on the United States Department of Commerce’s Denied Persons or Entity List, the U.S. Department of Treasury’s Specially Designated Nationals or Blocked Persons Lists or the U.S. Department of State’s Debarred Parties List, or who is otherwise ineligible to receive items subject to U.S. export control laws and regulations.

Relationship of Parties, Liability

You acknowledge and agree to the following:

  • Under no circumstances will these Researcher Terms, or any invitation to, engagement or participation in a Program, establish any employment, contractor, partnership, joint venture, association, fiduciary or agency relationship between you and either CESPPA or the applicable Customer, or any implied-in-fact contract. You are an independent third party who intends to engage in Programs and connect with Customers through the CESPPA Site and/or Services. Customer is not a contractor, employee or agent of CESPPA, but is an independent third party that intends to engage in Programs and connect with you through the CESPPA Site and/or Services.
  • You have read, understand and will comply with all rules and requirements of the Program.
  • You may only engage or participate in the Program if you meet all eligibility requirements.
  • You may be disqualified from the Program if CESPPA and/or Customer, in its sole discretion, believes that you have attempted to undermine the Program by cheating, deception or other unfair practices or violations of these Researcher Terms.
  • Any non-public information or data about CESPPA or a Customer, including without limitation findings regarding a vulnerability, that you receive or obtain while participating in a Program will be deemed Confidential Information and may only be disclosed to such Customer or CESPPA as applicable, and may not be disclosed to any third party.
  • CESPPA and/or Customer may take legal recourse against you for any damages or losses caused to a Customer’s networks, systems, applications and data, as a result of unlawful misconduct performed by you or on your behalf, as well as any failure to comply with these Researcher Terms and/or applicable Program rules, conditions or requirements.
  • CESPPA and/or Customer may, in its sole discretion, terminate, suspend or change a Program if, for any reason, the Program is incapable of running as intended, including without limitation because of fraud, tampering, viruses, bugs, unauthorized intervention, technical failures or any other causes that corrupt or impact the administration, integrity, security or conduct of the Program.
  • CESPPA will not be liable for any delay or failure to pay a bounty award beyond CESPPA’s reasonable control. Nor will CESPPA be liable for any Program, Program-related materials, information or communications, or loss, damage or injury that you may incur in reliance thereon.

Contact Us

All notices to CESPPA regarding the Research Terms must be in writing, delivered by certified mail return receipt requested, by registered mail, or by a reputable private courier or mail service to: CESPPA, Inc., c/o Legal Department, 5855 Green Valley Cir #110, Culver City, CA 90230.

For any other questions, please contact us through the Site or Services, or email us at legal@cesppa.com.

CESPPA