Vulnerability Disclosure Program

For the preparation of the vulnerability report, YOU:

1.1. Assume the responsibility to act in good faith and ethically towards the global information security community and Zup. Therefore, YOU affirm that you conduct your flaw/vulnerability research and report it responsibly, maintaining absolute confidentiality regarding any information you have about Zup, its products, clients, services, and the discovered vulnerability. This is why you agree to the confidentiality and personal data processing agreement described in clauses 1.14 and 2 of this term.

1.2. Acknowledge that the preparation and submission of the report occurred voluntarily and was not requested, induced, or contracted in any way by ZUP.

1.3. Attest that, for preparing the report and/or identifying the vulnerability, you did not violate any applicable laws, including local laws of the country, region, and state where you reside.

1.4. Did not use any mechanisms and/or methodologies below and/or presented a report with:

• vulnerabilities requiring social engineering or phishing;
• denial-of-service attacks (DDOS);
• copied, decompiled, reverse-engineered, disassembled, attempted to derive the source code, decrypted, modified, and/or created derivative works of such software;
• hypothetical issues that do not have practical effects;
• security vulnerabilities in third-party applications and third-party sites integrated with Zup, except the integration itself;
• output from a scanner or reports generated by a scanner;
• problems found through automated and unvalidated tests;
• issues publicly disclosed in internet software within 30 days of its disclosure;
• injections into the host header without a specific and demonstrable effect;
• self-XSS, including any payload inserted by the victim;
• login or logout CSRF.

1.5. You commit not to interrupt Zup’s services, software, and environments for your research. In the event of such a violation, YOU must immediately cease your research and promptly notify Zup with sufficient information for system correction and normalization. Also, indemnify Zup for losses and damages that may occur due to the mentioned violation and/or interruption.

1.6. By submitting the report, YOU grant Zup and its affiliates a non-exclusive, irrevocable, perpetual, royalty-free, sublicensable, intellectual property license for the report and the information contained therein, allowing Zup to, at its sole discretion: (i) use, revise, evaluate, test, and otherwise analyze the report, vulnerabilities, and information described in it and other documents sent; (ii) reproduce, modify, distribute, display publicly, create derivative works of, make, use, sell, offer for sale, and import the report, as well as any related materials/documents/information sent by YOU, for any purpose; and (iii) present the report and all content and documents in connection with it for marketing, promotion of programs (including internal and external sales meetings, conference presentations, exhibitions, and screenshots of the report in press releases) in all media (known at the time or developed later), as well as:

• 1.6.1. Agree to sign any documentation that may be necessary for Zup, its affiliates, or third parties appointed by it to confirm the rights granted above;
• 1.6.2. Understand and acknowledge that Zup may have developed or commissioned similar or identical materials to your report, and YOU waive any judicial or extrajudicial claims resulting from these similarities;
• 1.6.3. Understand that there are no guaranteed remunerations or credits for the use of the report;
• 1.6.4. Declare and warrant that the report is the result of your own work and research, that you have not used information belonging to third parties or entities, and that you have the legal right to submit it to Zup;
• 1.6.5. Declare that you are aware that you should not send any documents, information, and reports that you do not wish to license to Zup under the terms described in item 1.6;
  
  Note: In the context of this Agreement, the report is understood as the notification of the vulnerability and any evidence attached to the process.

   

1.7. Commit not to interrupt, compromise, or damage data or properties belonging to third parties. This includes attacking any devices or accounts that are not yours (or those for which you have explicit and written permission from their owners).

1.8. Acknowledge that Zup may, at its sole discretion, grant a reward for submitting the report through the company’s internal assessment and on its terms. This may involve public recognition of your contribution unless you explicitly and previously ask us not to include/disclose your name.

• 1.8.1. If Zup chooses to send you a reward, YOU are aware that this was done out of sheer generosity and, under no circumstances, guarantees YOU the right to demand new rewards for other reports sent;
• 1.8.2. If the reward received is a cash portion, YOU are responsible for paying all applicable taxes and levies;
• 1.8.3. In all cases, after Zup grants the reward, YOU give the broadest, shallowest, general, and irrevocable release to claim nothing more for any reason.

1.9. Acknowledge that information about flaws and/or vulnerabilities reported to Zup will be treated/repaired at its sole discretion, and the lack of treatment will not exempt YOU from the obligations assumed in this Agreement, as well as will not result in a new reward if Zup has granted one.

1.10. Acknowledge that there is no form of association, franchise, consortium, joint venture, employment relationship, corporate or solidarity link between YOU and Zup, other than those expressly stated in this document.

1.11. No provision contained in this Agreement guarantees or aims to grant any rights or licenses, implicitly or explicitly, over any trademarks, trade names, designations, symbols, logos, drawings, any other distinctive signs identifying goods or services of ZUP, patents, patentable rights, or copyrights of ZUP, nor any rights over the Confidential Information revealed or developed through it.

1.12. All materials and documents containing the ZUP logo or its identification need prior and express written authorization from ZUP before being disclosed/reproduced, including those that imply the disclosure of the object of this Agreement.

1.13. You are 18 (eighteen) years old or older when submitting the report and accepting this Agreement.

1.14. By registering on the site to submit your report, YOU will send personal data to Zup, and from now on, YOU authorize Zup to collect, maintain, use, process, and share your data, including, among others, names, emails, addresses, accounts, and other information, in accordance with Zup’s Privacy and Personal Data Treatment Policy.

1.15. If one or more provisions of this Agreement are considered invalid, illegal, or unenforceable by any competent authority, the validity, legality, and enforceability of the other provisions of this Agreement will not be affected or impaired for any reason. To the extent permitted by law, the parties agree that the competent authority should reduce the scope of any illegal, invalid, or unenforceable provision to make it reasonable and binding under the applicable circumstances.

1.16. This Agreement and its obligations are established in an unconditional, irrevocable, and unalterable manner, binding the respective parties, their heirs, and successors for any reason. Moreover, it is certain that any change to this Agreement will only be valid if made in writing and signed by the parties.