Bug Bounty Program Terms and Conditions

Last updated May 5, 2024

PARTICIPATION IN THE BUG BOUNTY PROGRAM IS SUBJECT TO COMPLIANCE WITH THE TERMS OF USE OF SwapBase TRADING INC.

These Bug Bounty Program Terms and Conditions (these “Bug Bounty Terms”) apply to, and will govern, all vulnerabilities that are discovered by you and reported to SwapBase Trading Inc. (“SwapBase”) in accordance with these Bug Bounty Terms (the “Bug Bounty Program”). In the event of a conflict between these Bug Bounty Terms and the Terms of Use of SwapBase (the “Terms of Use”), or any other previously published SwapBase program, the terms of these Bug Bounty Terms will govern to the extent of such conflict. Please read these Bug Bounty Terms carefully before you participate in the Bug Bounty Program. By participating in the Bug Bounty Program, you represent and agree to be bound by these Bug Bounty Terms. By participating in the Bug Bounty Program, you agree to the Terms of Use and the Privacy Policy (the “Privacy Policy”). If you do not agree with the Terms of Use or Privacy Policy, then you should immediately stop using or accessing the Services and participating in the Bug Bounty Program.

1. ELIGIBILITY

Subject to these Bug Bounty Terms, to be eligible to participate in the Bug Bounty Program, during the period of your participation, you must:

  • be of legal age in the jurisdiction in which you reside and you must have the legal capacity to enter into, and be bound by, these Bug Bounty Terms if you are participating in the Bug Bounty Program as an individual;
  • have the legal authority to accept these Bug Bounty Terms on the applicable entity’s behalf, in which case “you” (except as used in this paragraph) will mean the foregoing entity if you are participating in the Bug Bounty Program as an entity;
  • be the first person to report or disclose the vulnerability to SwapBase in accordance with these Bug Bounty Terms, including by emailing sufficient information to [email protected];
  • provide sufficient information to enable SwapBase to reproduce and fix the applicable vulnerability;
  • not engage in any unlawful conduct when discovering, reporting or disclosing the vulnerability to SwapBase, including the use of threats, demands or any other coercive tactics;
  • not have exploited or attempted to exploit the vulnerability in any way, including by making such vulnerability public or by obtaining a profit or other benefit (other than a payment under the Bug Bounty Program);
  • make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any Services or Site (as defined in the Terms of Use), including using automated testing that generates significant amounts of traffic;
  • submit only one (1) vulnerability per report or disclosure, unless you need to combine vulnerabilities to provide sufficient information with respect to any of the applicable vulnerabilities;
  • not submit a vulnerability caused by the same underlying issue on which a payment has been provided under the Bug Bounty Program;
  • not ask for payment in exchange for vulnerability details or dispute the applicability of the Bug Bounty Program to you, including the amount of any proposed or actual payment or categorization of a vulnerability; and
  • not be a current or former employee (within 6 months), vendor, contractor, or agent for SwapBase, or a current or former employee (within 6 months) of any of the foregoing.

SwapBase reserves the right to limit or refuse your eligibility to participate in the Bug Bounty Program for any reason in its sole discretion, including but not limited to where your participation is prohibited by any Applicable Law. If SwapBase becomes aware of any violation of these Bug Bounty Terms or the Terms of Use, SwapBase may elect to, among other things, (a) prohibit you from using the Services or the Site; (b) withhold, amend or cancel the benefits of or payments under the Bug Bounty Program; or (c) require return of any payment made to you, including taking any action at law to obtain such payment.

2. SCOPE OF VULNERABILITIES

The following non-exhaustive types of vulnerabilities are excluded from any payments with respect to the Bug Bounty Program:

  • vulnerabilities previously known to SwapBase;
  • vulnerabilities with respect to sites hosted by third parties unless such vulnerabilities lead to a vulnerability on the Site;
  • vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack or other similar types of exploitation;
  • vulnerabilities affecting outdated or unpatched browsers;
  • vulnerabilities in third party applications that use SwapBase API;
  • vulnerabilities publicly disclosed in third-party libraries or technology used in the Services or the Site;
  • vulnerabilities that require an improbable level of user interaction;
  • vulnerabilities that require rooting or jailbreaking a mobile device;
  • missing security headers without proof of exploitability;
  • suggestions on best practices;
  • software version disclosure;
  • front end bugs;
  • unsophisticated or generic DDOS attacks;
  • spamming;
  • phishing;
  • automated tools (GitHub Actions, AWS); and
  • compromise or misuse of third party systems or services.

SwapBase reserves the right to determine whether a vulnerability is eligible for a payment under the Bug Bounty Program in its sole discretion.

3. DISCLOSURE AND REPORTING REQUIREMENTS

Any vulnerability discovered must be reported only to the following email: [email protected], and must comply with all other requirements in this Bug Bounty Program.

The vulnerability must not have been or be disclosed publicly or to any other persons before SwapBase has been notified, has fixed the issue, and has granted permission, if at all, for such disclosure. The disclosure to SwapBase must be made within twenty-four (24) hours following discovery of the applicable vulnerability. If similar vulnerabilities are reported within the applicable twenty-four (24)-hour period any payment may be split by SwapBase between such reporters, or may be paid to the first person to make such report, and in either case shall be determined in the sole discretion of SwapBase.

A detailed report of a vulnerability increases the likelihood of a payment and may increase the amount of such payment. Please provide as much information about the vulnerability as possible, including:

  • the conditions on which reproducing the vulnerability is contingent;
  • the steps needed to reproduce the vulnerability or, preferably, a proof of concept; and
  • the potential implications of abusing the vulnerability.

4. PAYMENTS

Subject to these Bug Bounty Terms, you will receive payments based on the type of vulnerability reported or disclosed in accordance with Exhibit A. The categorization and amount of any payment will be determined at the sole discretion of SwapBase, including without limitation eligibility for such payment, and the severity of any applicable vulnerability.

5. BUG BOUNTY PROGRAM ADMINISTRATION

SwapBase reserves the right to administer the Bug Bounty Program in its sole discretion:

  • SwapBase hereby reserves the right to amend, suspend or terminate the Bug Bounty Program at any time with or without prior notice or consent. SwapBase further reserves the right to amend, withhold or cancel any Bug Bounty Program payments or benefits granted if SwapBase becomes aware of any violation of these Bug Bounty Terms or the Terms of Use.
  • Administration of the Bug Bounty Program is at the sole discretion of SwapBase, subject to the Applicable Law (as defined in the Terms of Use). Any questions relating to eligibility, or these Bug Bounty Terms or the Bug Bounty Program will be resolved by SwapBase at SwapBase’s sole discretion and its decision will be final and binding with respect thereto. If it is discovered by SwapBase that you have or have attempted to violate these Bug Bounty Terms or the Terms of Use, then SwapBase may disqualify you from any Bug Bounty Program payments or benefits in its sole discretion.
  • SwapBase reserves the right to make awards that do not comply with every requirement herein, such as your failure to provide a detailed report of any vulnerability, or your failure to notify SwapBase through the correct channel. Awards made pursuant to such exceptions made by SwapBase do not constitute any waiver by SwapBase of any other terms and conditions set forth herein.

6. PRIVACY

By participating in the Bug Bounty Program, you acknowledge and agree that any personal information that you provide will be maintained in accordance with the Privacy Policy. By participating in the Bug Bounty Program, you hereby (a) grant to SwapBase the right to use your name, country of residence, email address and any other information you provide to SwapBase (“Personal Information”) for the purpose of administering the Bug Bounty Program; (b) grant to SwapBase the right to use your Personal Information for publicity, promotional, marketing and advertising purposes relating to the Bug Bounty Program, in any and all media now known or hereafter devised, without further compensation unless prohibited by Applicable Law; and (c) acknowledge that SwapBase may disclose your Personal Information to its third-party agents and service providers in connection with any of the foregoing activities. SwapBase will use your Personal Information only for the identified purposes and as contemplated in the Privacy Policy.  Any conflict between the Privacy Policy and any authorization and/or licensing provided herein shall be governed by these Bug Bounty Terms.

If you access any personal information or other sensitive information for which you do not have authority to access, then you must immediately stop accessing such information and destroy all copies thereof. You must not provide such information to SwapBase and must only provide SwapBase a description thereof.

7. RELEASE AND PUBLICITY

YOU AGREE TO RELEASE AND HOLD HARMLESS SwapBase AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS FROM AND AGAINST ANY CLAIM OR CAUSE OF ACTION ARISING OUT OF YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND/OR ANY DETERMINATION MADE ABOUT YOUR ELIGIBILITY IN THE BUG BOUNTY PROGRAM OR ANY PAYMENT THEREUNDER THAT MAY OR MAY NOT BE DUE TO YOU. YOU AGREE THAT SwapBase AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS ARE NOT LIABLE FOR INJURIES, LOSSES OR DAMAGES OF ANY KIND ARISING FROM YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND ACCEPTANCE, POSSESSION AND USE OF THE BENEFITS OR PAYMENTS RECEIVED UNDER THE BUG BOUNTY PROGRAM. SwapBase IS NOT RESPONSIBLE FOR ANY TYPOGRAPHICAL OR OTHER ERROR IN THE PUBLICATION OF THESE BUG BOUNTY TERMS OR ADMINISTRATION OF THE BUG BOUNTY PROGRAM OR ANNOUNCEMENT THEREOF.

8. TAXES

You will be solely responsible for all income tax liabilities that arise from or in any way relate to any benefit or payment that SwapBase conveys to you, including income taxes, sales, personal property, use, VAT, excise, withholding and self-employment taxes. SwapBase has the right to withhold from any amounts payable to you such foreign, federal, state or local taxes as may be required to be withheld under any Applicable Law. You agree to report the value of the benefit or payment you receive from SwapBase to all applicable legal and local authorities, and complete any required tax forms that SwapBase requests be completed prior to receiving your benefit or payment.

9. GENERAL

Sections 11 through 17 of the Terms of Use are incorporated herein by reference, and you are equally subject to those provisions mutatis mutandis with respect to these Bug Bounty Terms and the Bug Bounty Program. Unless the context expressly otherwise requires, (a) wherever the word “include,” “includes” or “including” is used, it will be deemed to be followed by the words “without limitation”; and (b) the word “or” is not exclusive. SwapBase may, with or without notice, revise these Bug Bounty Terms, including any benefits or payments, and publish amended versions thereof from time to time. Your participation or continued participation in the Bug Bounty Program constitutes your acceptance of any amendments to these Bug Bounty Terms. SwapBase may, in its sole discretion, amend or terminate the Bug Bounty Program at any time with or without notice, and your continued use of the SwapBase platform or participation in the Bug Bounty Program after such amendment shall constitute acceptance of all amended terms.

EXHIBIT A

BUG BOUNTY PAYMENTS

| Type of Vulnerability | Payment Range (USD Coin (USDC)) |
|---|---|
| Very Low Severity, Ineligible Reports, etc. | To be determined in SwapBase’s sole discretion. |
| Low Severity | 50 – 5,000 |
| Medium Severity | 5,000 – 50,000 |
| High Severity | 50,000 – 150,000 |
| Critical Severity | 150,000 – 1,000,000 |