This webpage is a legal document that outlines the terms and conditions for individuals who have registered usernames (also referred to as “ID”) with Capture The Bug (“CTB”) through the CTB website. The Researcher Agreement includes the Code of Ethics, Disclosure Policy, and CTB Platform T&Cs, which are incorporated by reference. Once you obtain a username with CTB, you become a “Researcher” and are required to comply with the Researcher Agreement.
When you believe you have discovered a vulnerability, please submit a report for the relevant program through the CTB platform. Each program has specific guidelines known as the Program Guide, which is maintained by the Program Owner. Please note that the terms outlined in the Program Brief take precedence over these terms.
As part of the submission process, each report will be updated with significant events, including validation of the issue, requests for additional information, or confirmation of eligibility for a reward.
The Program Owner will assess each report on a first-to-find basis, although CTB may assist in the evaluation process.
To qualify for a reward, you must be the first to alert the Program Owner to an unknown issue and the issue must trigger a code or configuration change.
Our top priority is to protect Security Researchers, and to do so, we have established a set of standard rules. Please note that rules may differ between programs, so make sure to read the specific program brief before submitting. These are the standard rules that apply to all programs:
To be eligible to receive monetary compensation as a Researcher, you must be at least 18 years old or have reached the age of majority in your jurisdiction of primary residence and citizenship. Additional eligibility requirements are stated in our Terms of Service. Exceptions for minors may be considered on a case-by-case basis between CTB and the applicable minor’s guardian(s).
To become a Researcher, you will need to create an account and username on the CTB platform. You cannot use a third-party’s account without their permission. When creating your account, you must provide accurate and complete information, using your real name and contact information. You are responsible for everything that happens on your account, so keep your password secure and do not share it with others. If you suspect that someone is using your account without permission, you must inform CTB immediately. You may not transfer your account to someone else. CTB reserves the right to deny the use of certain usernames or require usernames to be changed, and usernames with offensive or discriminatory language are prohibited. If someone uses your account without your permission and causes damage, you may be held liable.
Some types of submissions are not eligible for rewards due to their potential danger or low impact on the Program Owner’s security. This section lists the types of issues that are immediately deemed invalid and not eligible for rewards. Such issues include findings resulting from physical testing, social engineering, systems and applications that are not part of the “Targets” section, functional, UI, and UX bugs, spelling errors, and network level Denial of Service (DoS/DDoS) vulnerabilities.
Certain types of submissions are not eligible for a reward as they have a low security impact on the program owner and do not result in a code change. This section lists commonly reported issues that are often not eligible, and we advise against reporting them unless you can demonstrate a chained attack with a higher impact.
The eligibility for a Bounty depends on being the first eligible person to report a previously unknown issue that triggers a code or configuration change to the Program Owner. The Bounty details may vary for each program. Each submission’s Bounty amount is determined by the issue’s business impact, severity, and creativity, with higher levels of awards given to bugs found in applications, features, and functions called out in the program guide as “Focus Area(s).” To receive a monetary award, you may need to provide additional verification and tax information, fulfil various eligibility requirements, and agree to additional terms and conditions with a third-party payment processor. You are solely responsible for paying taxes on Bounty paid to you, and any Bounty that remain unclaimed or undeliverable for twelve (12) months will be forfeited.
By participating as a Researcher, you confirm that you have obtained all necessary approvals and consents from third parties, including your employer, to conduct the testing services.
In this section, “Testing Results” refer to any information about vulnerabilities discovered on the target systems by Researchers, while “Target Systems” refer to the applications and systems that are being tested. You agree to disclose all of your Testing Results to CTB and assign any of your Testing Results and related rights to CTB.
If any rights in your Testing Results cannot be assigned, you shall grant CTB an irrevocable, perpetual, royalty-free, exclusive, transferable, sublicensable (directly or indirectly through multiple tiers), and worldwide license to use the Testing Results in any manner desired by CTB, including without limitation, the right to make, have made, sell, offer for sale, use, rent, lease, import, copy, prepare derivative works, publicly display, publicly perform, and distribute all or any part of such Testing Results and modifications and combinations thereof, and to sublicense or transfer any and all such rights.
You also waive any moral rights or other rights or claims that are inconsistent with the intent of the complete transfer of rights to CTB in your Testing Results. You authorize CTB, Bug Bounty Programs, or Vulnerability Disclosure sponsors to publicize your Testing Results, including your account name (ID), and other information as required by the Program Brief. If any Program Brief requests personally identifiable information about you, your participation in the program indicates your consent to provide such information.
The term “Confidential Information” refers to any information that is designated as confidential at the time of disclosure or would reasonably be considered confidential based on the circumstances and content of the disclosure. This includes, but is not limited to, customer information, personally identifiable information, financial information, information about Target Systems, information about crowdsourced security programs, pricing information, business information, fees paid to Researchers, and the existence and terms of private crowdsourced security programs. Confidential Information does not include information that: (i) is obtained from a source other than the disclosing party under no obligation of confidentiality; (ii) becomes publicly known or ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.
As a Researcher, you agree to keep all Confidential Information confidential and not disclose it to any third party without written approval from the disclosing party. You also agree to protect the Confidential Information using reasonable care and only use it for the purpose permitted by the disclosing party. If you discover any unauthorised disclosure of Confidential Information, you must notify the disclosing party immediately.
All submissions are considered confidential information of the Program Owner unless stated otherwise in the bounty brief. This means that you cannot publicly disclose any submission without the Program Owner’s consent. Please see the Disclosure Policy for more information on disclosing vulnerabilities in connection with Bug Bounty Programs.
For information about the confidentiality of Researchers’ Confidential Information, please refer to the CTB privacy policy.
During each program, the CTB team may communicate updates via: Program Updates’ section within the program. Email.
If you have questions about a program or a specific submission, you may contact the CTB team via:[email protected]