WE ARE GUARDIANS
Recognizing the importance of the contribution of the information security research community to enhance and foster the exponential growth of its products and systems with maturity, Zup has a communication channel where external researchers worldwide can submit reports highlighting any vulnerabilities found in our systems, environments, products, and services.
If YOU are a security researcher and have found vulnerability(ies), Zup wants to hear from you. Contact us through the link zupinnovation.com/security.
But beware! Zup takes information security and data handling from our services, products, and clients very seriously. Therefore, by contacting Zup to report any vulnerability you believe you have found, YOU acknowledge that you have read and agreed to all the terms described here.
Version 1.0 (12/23/2022)
For the preparation of the vulnerability report, YOU:
1.1. Assume the responsibility to act in good faith and ethically towards the global information security community and Zup. Therefore, YOU affirm that you conduct your flaw/vulnerability research and report it responsibly, maintaining absolute confidentiality regarding any information you have about Zup, its products, clients, services, and the discovered vulnerability. This is why you agree to the confidentiality and personal data processing agreement described in clauses 1.14 and 2 of this term.
1.2. Acknowledge that the preparation and submission of the report occurred voluntarily and was not requested, induced, or contracted in any way by ZUP.
1.3. Attest that, for preparing the report and/or identifying the vulnerability, you did not violate any applicable laws, including local laws of the country, region, and state where you reside.
1.4. Did not use any of the mechanisms and/or methodologies below and/or present a report with:
1.5. Commit not to interrupt Zup’s services, software, and environments for your research. In the event of such a violation, YOU must immediately cease your research and promptly notify Zup with sufficient information for system correction and normalization, and must also indemnify Zup for losses and damages that may occur due to the mentioned violation and/or interruption.
1.6. By submitting the report, YOU grant Zup and its affiliates a non-exclusive, irrevocable, perpetual, royalty-free, sublicensable, intellectual property license for the report and the information contained therein, allowing Zup to, at its sole discretion: (i) use, revise, evaluate, test, and otherwise analyze the report, vulnerabilities, and information described in it and other documents sent; (ii) reproduce, modify, distribute, display publicly, create derivative works of, make, use, sell, offer for sale, and import the report, as well as any related materials/documents/information sent by YOU, for any purpose; and (iii) present the report and all content and documents in connection with it for marketing, promotion of programs (including internal and external sales meetings, conference presentations, exhibitions, and screenshots of the report in press releases) in all media (known at the time or developed later), as well as:
1.7. Commit not to interrupt, compromise, or damage data or properties belonging to third parties. This includes attacking any devices or accounts that are not yours (or those for which you have explicit and written permission from their owners).
1.8. Acknowledge that Zup may, at its sole discretion, grant a reward for submitting the report through the company’s internal assessment and on its terms. This may involve public recognition of your contribution unless you explicitly and previously ask us not to include/disclose your name.
1.9. Acknowledge that information about flaws and/or vulnerabilities reported to Zup will be treated/repaired at its sole discretion, and the lack of treatment will neither exempt YOU from the obligations assumed in this Agreement nor result in a new reward if Zup has granted one.
1.10. Acknowledge that there is no form of association, franchise, consortium, joint venture, employment relationship, corporate or solidarity link between YOU and Zup, other than those expressly stated in this document.
1.11. No provision contained in this Agreement guarantees or aims to grant any rights or licenses, implicitly or explicitly, over any trademarks, trade names, designations, symbols, logos, drawings, any other distinctive signs identifying goods or services of ZUP, patents, patentable rights, or copyrights of ZUP, nor any rights over the Confidential Information revealed or developed through it.
1.12. All materials and documents containing the ZUP logo or its identification need prior and express written authorization from ZUP before being disclosed/reproduced, including those that imply the disclosure of the object of this Agreement.
1.13. You are 18 (eighteen) years old or older when submitting the report and accepting this Agreement.
1.14. By registering on the site to submit your report, YOU will send personal data to Zup, and from now on, YOU authorize Zup to collect, maintain, use, process, and share your data, including, among others, names, emails, addresses, accounts, and other information, in accordance with Zup’s Privacy and Personal Data Treatment Policy.
1.15. If one or more provisions of this Agreement are considered invalid, illegal, or unenforceable by any competent authority, the validity, legality, and enforceability of the other provisions of this Agreement will not be affected or impaired for any reason. To the extent permitted by law, the parties agree that the competent authority should reduce the scope of any illegal, invalid, or unenforceable provision to make it reasonable and binding under the applicable circumstances.
1.16. This Agreement and its obligations are established in an unconditional, irrevocable, and unalterable manner, binding the respective parties, their heirs, and successors for any reason. Moreover, it is certain that any change to this Agreement will only be valid if made in writing and signed by the parties.
2.1. Due to access to Zup’s programs, projects, products, services, and/or environments, YOU acknowledge that you may have had contact with confidential information, which includes any information, know-how, and data (whether provisional or definitive), whether legal, technical, commercial, or personal in nature, or of various kinds, including, but not limited to trade secrets; information related to customers and suppliers; current, expired, and/or negotiating contracts; existing or future products; information related to technology; strategy and/or business plans; patents; patent applications; source code; processes; promotional or marketing activities; economic, financial, and accounting information; developed information containing part of another Confidential Information; and related to any other Zup business that, in general, is not known to the public.
2.2. YOU undertake to keep confidential all files, information, data that, directly or indirectly, come to your knowledge due to this Agreement, the preparation of the presented report and/or access to Zup’s environments, software, products, and programs, or through ZUP, whether verbally, in writing, electronically, or by any other means of transmission, from now on collectively referred to as “CONFIDENTIAL INFORMATION,” and cannot share them with third parties and/or disclose them through any communication channel, media, social networks, interviews, among others.
2.3. YOU acknowledge that you cannot share with any third parties the vulnerabilities found, nor can you reproduce, commercialize, disclose by any means copies of the report, and you also cannot disclose externally, without prior written authorization from Zup, whether in interviews, lectures, social networks, resumes, or any other means, the information about Zup obtained/accessed/discovered due to your research and/or preparation of the report, as well as by accessing Zup’s environment/software/programs and/or projects, undertaking to take all appropriate measures to keep confidential and not reveal, in whole or in part, data, information, or documents related to ZUP, responding for the violation of confidentiality or for use for a purpose other than that provided for in the Agreement.
2.4. At the express request of ZUP, all CONFIDENTIAL INFORMATION, as well as the copies generated by YOU, must be returned to ZUP within 48 (forty-eight) hours from the request, or, if instructed in this regard, YOU undertake to destroy entirely the Confidential Information in your possession within the same retroactive period.
2.5. YOU assume the obligation that if required to disclose the Confidential Information by legal order of a competent authority, YOU must immediately notify Zup so that it can take the necessary steps to prevent disclosure. If Zup is unsuccessful in this regard, YOU undertake only to disclose the confidential information strictly requested.
2.6. For the purposes of this Agreement, “Personal Data” means all information accessed or received in any tangible or intangible form concerning, or that personally identifies or makes individuals identifiable. When executing this Agreement, as well as researching/accessing Zup’s environments and programs, involving the collection, access, receipt, processing, transmission, treatment, and/or international transfer of personal data, YOU undertake to:
2.7. YOU may not transfer, in whole or in part, the Personal Data to which you have access to any third parties, even in aggregated and/or anonymous form.
3.1. It is hereby established that in any discussion and/or controversy arising or in connection with this Agreement, the Parties will endeavor to negotiate a friendly settlement. If the negotiation attempt is unsuccessful, in whole or in part, the Parties elect the jurisdiction of the Judicial District of São Paulo/SP to resolve any remaining disputes, waiving any other jurisdiction, however privileged. It is also established that this Agreement will be governed and interpreted according to applicable Brazilian laws, excluding any others.
4.1. In any dispute, discussion, controversy, or judicial and/or extrajudicial demand arising or in connection with this Agreement, YOU agree that Zup’s total liability will be limited to direct damages proven to have been caused by negligence, up to the full value of U$100.00. Zup, under no circumstances, will be liable for indirect, consequential, special, incidental, moral, punitive, loss of profits, and/or consequential damages.