Effective Date: 22 February 2023
- 1. Important information
1.1 These Bug Bounty Program Terms (Bug Bounty Terms) are issued by and on behalf of the Perion DAO.
1.2 Perion DAO takes security seriously and welcomes reports of vulnerabilities that could significantly impact the security of the technology used by Perion DAO.
1.3 Subject to applicable laws, Perion DAO reserves all rights to change these Bug Bounty Terms, or suspend or terminate the Bug Bounty Program, at any time with or without prior notice or consent.
1.4 In the event of a conflict between these Bug Bounty Terms, the Perion DAO Website Terms (Website Terms), the Participation Incentives Program Terms (PI Program Terms), and other terms that may exist from time to time, these Bug Bounty Terms take priority.
1.6 Your participation and continued participation in the Bug Bounty Program constitutes your acceptance of the Bug Bounty Terms and any amendments that may be made from time to time.
1.8 If it is discovered by Perion DAO (or its authorised representative/s) that you have violated or attempted to violate these Bug Bounty Terms, then Perion DAO (acting through its authorised representative) may disqualify you from any Bug Bounty Program payments or benefits in its sole discretion and provide you notice in writing in the forum or fora in which you are known to engage with Perion DAO.
- 2. Scope of vulnerabilities
2.1 The following types of vulnerabilities are included within the scope of this Bug Bounty Program:
2.1.1 attacks on the Website;
2.1.2 attacks on external sites used for Perion DAO activities such as the Perion DAO Discord Server, whether or not those activities are incentivised under the Participation Incentives Program;
2.1.3 possible exploits of protocols used by Perion DAO for Perion DAO activities, such as those used with the $PERC token, and Participation Incentives Program, including front end bugs; and
2.1.4 attacks on development resources.
2.2 The following non-exhaustive types of vulnerabilities are excluded from the scope of this Bug Bounty Program:
2.2.1 vulnerabilities previously known to Perion DAO;
2.2.2 vulnerabilities with respect to sites hosted by third parties unless such vulnerabilities lead to a vulnerability on the Website or in respect of Perion DAO activities;
2.2.3 vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack or other similar types of exploitation;
2.2.4 vulnerabilities affecting outdated or unpatched browsers;
2.2.5 vulnerabilities publicly disclosed in third-party libraries or technology used in the Services, the Website, the Participation Incentives Program and other Perion DAO activities;
2.2.6 vulnerabilities that require an improbable level of user interaction;
2.2.7 vulnerabilities that require rooting or jailbreaking a mobile device;
2.2.8 missing security headers without proof of exploitability;
2.2.9 suggestions on best practices;
2.2.10 software version disclosure;
2.2.11 DDOS attacks;
2.2.14 automated tools (GitHub Actions, AWS); and
2.2.15 compromise or misuse of third-party systems or services.
- 3. Disclosure process
3.1 Upon your discovery of a vulnerability in relation to Perion DAO that is within the scope set out at clause 2, and for all communications about the vulnerability, you must:
3.1.1 subject to clause 3.2, keep the existence and nature of the vulnerability confidential;
3.1.2 search the Perion DAO Bug Bounty Program register ([insert link]) to determine if a report has already been provided and for which a bounty has been paid in relation to a vulnerability;
3.1.3 immediately submit one vulnerability report to [email protected] with sufficient information about the vulnerability to enable Perion DAO (or its authorised representative/s) to reproduce and fix the vulnerability, and by no later than twenty-four (24) hours after you discover the vulnerability;
3.1.5 cooperate with Perion DAO and its authorised representative/s to allow them to fix the vulnerability.
3.1.6 Only once the vulnerability has been fixed by Perion DAO (or its authorised representative/s) and Perion DAO has granted permission, may you disclose the vulnerability.
- 4. Participation criteria
4.1 You acknowledge and agree that, by participating in the Bug Bounty Program, no relationship of employment, joint venture or partnership is created between you and Perion DAO (including its authorised representative/s).
4.2 To participate in the Bug Bounty Program, you must:
4.2.1 be at least eighteen (18) years of age and have the legal capacity to enter, and be bound by, these Bug Bounty Terms; or
4.2.2 have the authority on behalf of an entity you represent to enter, and be bound by, these Bug Bounty Terms; and
4.2.3 not have been disqualified by Perion DAO (acting through its authorised representative/s) from the Bug Bounty Program; and
4.2.4 have satisfied yourself that you are eligible to participate in the Bug Bounty Program, based on the applicable laws of your country of residence; and
4.2.5 understand your tax and other regulatory reporting and payment obligations because of your participation in the Bug Bounty Program; and
4.2.6 not engage in any unlawful conduct when discovering, reporting or disclosing the vulnerability, including the use of threats, demands or any other coercive tactics; and
4.2.7 not have exploited or attempted to exploit the vulnerability in any way, including by making the vulnerability public or by obtaining a profit or other benefit (other than a payment under this Bug Bounty Program); and
4.2.8 not submit a vulnerability report for a vulnerability caused by the same underlying issue on which a payment has been provided under the Bug Bounty Program;
4.2.9 not dispute the applicability of the Bug Bounty Program to you, including the amount of any proposed or actual payment or categorisation of a vulnerability; and
4.2.10 not be a current or former employee (within 6 months), contractor, supplier, agent or authorised representative for Perion DAO, or a current or former employee (within 6 months) of any of the foregoing; and
4.2.11 use only your own accounts (including test accounts) and your own information; and
4.2.12 use good faith and best efforts to avoid violation of applicable laws including privacy laws; and
4.2.13 not destroy data or interrupt or degrade:
- any Services or the Website (as defined in the Website Terms); or
- the Participation Incentives Program; or
- any other Perion DAO activities as they may be available from time to time.
5.1 Subject to the Bounty Decision Maker’s discretion, having regard to the prevailing model of Perion DAO governance and operations, you may be offered a bounty according to terms of the Perion DAO Bug Bounty Agreement if you have:
5.1.1 complied with the disclosure process set out in clause 3; and
5.1.2 met the participation criteria in clause 4.
5.2 The appointed or elected representative of Perion DAO (Bounty Decision Maker) will determine the bounty amount (if any) for every vulnerability reported, in accordance with terms applicable to its role and that may be modified from time to time in accordance with the prevailing model of Perion DAO governance.
5.3 If the same or similar vulnerabilities are reported within the twenty-four (24) hour period set out in clause 3.1.2, the Bounty Decision Maker has sole discretion to decide whether any bounty available is split on a reasonable basis between reporters or is paid to the first reporter.
5.4 Upon the Bounty Decision Maker deciding on the reporter or reporters that will receive a bounty amount, that decision will be communicated to the reporter or reporters with a Bug Bounty Agreement.
5.5 Payment will be made in US dollars, Euro or Australian dollars to the reporter’s bank account once the Bug Bounty Agreement is properly executed.
5.6 The Bounty Decision Maker is not obliged to provide any reasons for its decision nor to enter correspondence once a decision has been made.
6.1 By participating in the Bug Bounty Program, you acknowledge and agree:
6.1.2 to grant to Perion DAO (or an entity hereafter appointed or voted to own data collected through Perion DAO activities, and be responsible for compliance with applicable laws on the collection, storage, use, disclosure and destruction of that data, a Data Ownership and Management Entity), the right to:
6.1.2.1 use your name, country of residence, email address and any other information that you provide as part of participating in the Bug Bounty Program (Personal Information) for the purpose of administering the Bug Bounty Program;
6.1.2.2 use your Personal Information for publicity, promotional, marketing and advertising purposes relating to the Bug Bounty Program, in any and all media now known or hereafter devised, without further compensation unless prohibited by applicable laws; and
6.1.2.3 disclose your Personal Information to third-party agents and suppliers to Perion DAO (or a Data Ownership and Management Entity) in connection with the activities stated in 6.1.2.1 and 6.1.2.2.
7.1 To the maximum extent permissible by applicable laws, you agree to release and hold harmless Perion DAO, its officers, contractors, employees and authorised representative/s (and their affiliates, suppliers, agents, successors and assigns) (Covered Persons) from and against any claim or cause of action arising out of your participation in the Bug Bounty Program, including any claim or cause of action arising out of your involvement with Perion DAO activities.
7.2 You agree that Perion DAO and the Covered Persons are not liable for injuries, losses or damages of any kind arising from your participation in the Bug Bounty Program (including Perion DAO activities) and your acceptance of the Bug Bounty Terms including your acceptance, possession and use of any payment or other benefits received under the Bug Bounty Program.
8.1 If anything in these Bug Bounty Terms is unenforceable, illegal or void then it is severed and the rest of these Bug Bounty Terms remains in force.
8.2 A single or partial exercise or waiver of a right relating to these Bug Bounty Terms will not prevent any other exercise of that right or the exercise of any other right.
8.3 Perion DAO (or its authorised representative/s) reserve the right to withhold from any amount payable to you on account of taxes that may be required to be withheld under any applicable law.
8.4 In the event of a conflict or dispute between the parties under these Bug Bounty Terms, you agree to the following dispute resolution process:
8.4.2 if the conflict or dispute is still outstanding after undertaking the process in clause 8.4.1, you will draft a proposal for consideration and decision of the Perion DAO and acknowledge that the Perion DAO’s authorised representative/s involved in your matter may participate in the consensus and dissent gathering process, and that the proposal being approved or not approved represents full and final resolution of your matter;
8.4.3 if the conflict or dispute is not deemed to be satisfactorily resolved by the one or each of the persons affected after undertaking the processes in clauses 8.4.1 and 8.4.2, then a dispute arising out of or in connection with these Bug Bounty Terms shall be finally settled under the Rules of Arbitration of the International Chamber of Commerce by one or more arbitrators appointed in accordance with the said Rules may be referred to the International Court of Arbitration for international commercial arbitration of the matter; and
8.4.4 if compliance with clause 8.4.3 is not affordable or considered unfair to put a party to, the extent that each of the above processes have been exhausted in good faith and you or a person affected (including Perion DAO) wishes to have the dispute heard in a domestic court of law, then the jurisdiction of England and Wales is to be used as the exclusive jurisdiction of last resort.