Codium Ltd. – Bug Bounty Program

1. Overview

a. Codium Ltd. and its subsidiaries (hereafter referred to as “Codium” or “We“) hereby extend an invitation to external security researchers and members of our user community to participate in our bug bounty program (“Program“), pursuant to the terms herein (“Program Terms“);

b. The Program will take place for the duration of one (1) week between since started, or a longer duration if extended by Codium at its discretion (the “Program Period“).

c. The Program is intended to provide an opportunity for individuals to submit pull requests concerning technical, visual or textual errors, bugs, security vulnerabilities and exploitation techniques (“Pull Request” and “Vulnerabilities“, respectively) in relation to eligible Codium products and services (“Products“), for the possibility of earning rewards (“Bounty(ies)“), as determined by Codium in its sole discretion;

d. By submitting Pull Requests or otherwise participating in the Program, you (“You” or “Your“) agree to these Program Terms as a legally binding contract between Codium and Yourself;

e. These Program Terms are integrated into and form part of Codium’s Terms of Use (as amended from time to time), and are incorporated therewith by reference;

f. You should also carefully read our Privacy Policy (as amended from time), which sets out how We collect and use Your personal information in relation to the Program, and is an integral part of these Program Terms;

g. Codium may change or cease this Program at any time in its sole discretion. By participating in the Program after the publication of such changes, You are deemed to have read and accepted to be bound by the new Program Terms;

h. If You do not agree to these Program Terms, You should stop participating in the Program immediately and not submit any Pull Requests to the Program; and

i. Violations of these Program Terms may result in the return of any Bounties paid for the Pull Request and disqualification from participation in the Program.

2. Confidentiality

a. As part of Your participation in the Program, You may have access to certain non-public and/or proprietary information of Codium, in any form or media, including (without limitation) confidential trade secrets and other information related to the products, software, technology, data, know-how, and to any other information that a reasonable person or entity should have reason to believe is proprietary, confidential, or competitively sensitive (”Confidential Information”). Notwithstanding anything to the contrary, Codium’s intellectual propriety rights are deemed as Codium’s Confidential Information;

b. By providing a Pull Request, or by agreeing to these Program Terms, You acknowledge and agree that You may not disclose any Confidential Information about the Vulnerability or the contents of Your Pull Request to any third parties without Codium’s prior written approval; and

c. You hereby acknowledge and agree that due to the unique nature of the Confidential Information, there may be no adequate remedy at law for any breach of its obligations under this section, and that any such breach or any unauthorized use or release of any Confidential Information may result in irreparable harm to Codium. Therefore, upon any such breach or any threat thereof, Codium shall be entitled to appropriate equitable relief, including without limitation, injunctive relief against any breach of this section in addition to whatever remedies Codium might have at law, and Codium shall be entitled to be indemnified by the You from any loss or harm, including, without limitation, attorney’s fees, in connection with any breach or enforcement of Your obligations pursuant to this section or the unauthorized use or release of any Confidential Information.

3. Program Eligibility

a. In order to be eligible to participate in the Program, you must not:

  1. be under the age of 18 or the age of majority in the country in which You reside;
  2. be a resident of, or make Your Pull Request from a country that is subject to export sanctions or other trade restrictions, including OFAC list sanctions;
  3. be in violation of any national, state, or local law or regulation;
  4. be employed at an organization that does not allow You to participate in these types of programs;
  5. be a public sector employee and participate in the Program without obtaining permission from Your ethics compliance officer;
  6. be involved in any part of the development, administration, and/or execution of this Program;
  7. be employed by Codium or its subsidiaries, or perform services for Codium or for a Codium’s subsidiary in an external staff capacity that requires access to Codium’s systems and/or network, such as agency temporary worker, vendor employee, business guest, or contractor; and
  8. be an immediate family member of a person employed by Codium or its subsidiaries or affiliates.

b. It is Your responsibility to comply with any policies that Your employer may have that would affect Your eligibility to participate in the Program. If You are participating in violation of Your employer’s policies, You may be disqualified from participating or receiving any reward or payment; and

c. All payments will be made in compliance with local laws, regulations, and ethics rules. Codium disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter. If Codium discovers that You meet any of the criteria above, Codium will remove You from the Program and disqualify You from receiving any payments or rewards.

4. Code of Conduct

a. Any activities conducted in a manner consistent with this Program (excluding any activities identified below as Prohibited Activities or otherwise in violation of these Program Terms) will be considered an authorized conduct

b. By participating in the Program, You will not, directly or indirectly, engage in any of the following activities:

  1. Engage in any activity beyond the scope of identifying in-scope Vulnerabilities (as identified herein) or beyond the systems and/or system components identified herein as made available as part of the Program;
  2. Engage in any illegal activity, any activity that is fraudulent or misleading, or any activity that infringes on the rights of any third parties, including privacy and intellectual property rights;
  3. Engage in any activity that does not comply with any default third party security or system requirements or settings, or any activity impacting or degrading the performance, reliability, integrity or confidentiality of any third party systems and/or data;
  4. Engage in any activity that interferes with, disrupts, damages, or accesses in an unauthorized manner third party’s devices, servers, networks, application programming interfaces (APIs), or services, including but not limited to Google, Apple, or an authorized carrier’s network;
  5. Engage in any activity that exploits, harms, or threatens to harm or degrade our Products or any third parties’ services (including by way of transmitting viruses or malware, including without limitation Potentially Harmful Applications, binaries, trojans, phishing, or spyware apps);
  6. Modify any files or data, including permissions, or intentionally view or access any data beyond what is needed to prove the Vulnerability; and
  7. Engage in any intentional conduct that deletes or alters data, impairs, disrupts, or disables systems, or renders data inaccessible.

c. Participants are required to contact Codium for clarification before engaging in conduct that may be inconsistent with or unaddressed by the policy. If You violate the Program Terms, You may be prohibited from participating in the Program in the future and any Pull Requests You have provided may be deemed to be ineligible for Bounty payments; and

5. Pull Request Submission Process

a. Each Pull Request will be submitted to GitHub and subjected to the approval of the Program’s Open Source Maintainer (the “Maintainer“). Please clearly and accurately describe the Vulnerability that You have discovered.

b. If You submit a Pull Request for a product or service that is not covered by the Program at the time You submitted it, You will not be eligible to receive Bounty payments if the product or service is later added to the Program.

c. You hereby agree to not exploit or further investigate any Vulnerability beyond what is necessary for Pull Request in accordance with Section 5a above.

d. Codium will not provide Bounty payments or score for Pull Requests that weren’t approved by the Maintainer or for Pull Requests submitted outside the Program Period.

6. Pull Request Review Process by the Maintainer

a. After a Pull Request is submitted in accordance with the Program Terms, the Maintainer will review the Pull Request and validate its eligibility. The review time will vary depending on the complexity and completeness of Your Pull Request, as well as on the number of Pull Request we receive; and

b. Codium and the Maintainer retains sole discretion in determining which Pull Requests are qualified. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Pull Request. If a duplicate report provides new information that was previously unknown to Codium or the Maintainer, we may award a differential to the person submitting the duplicate report.

7. Submission License

a. Accessing or participating in the Program does not grant any express or implied right to You or any other person to any of Codium’s intellectual property;

b. By providing any Pull Request, such Pull Request will not be considered Your confidential or proprietary information. Codium shall own all Pull Requests following receipt and may, at its discretion and for any purpose, freely use, modify, and incorporate into its products any Pull Requests, Vulnerabilities, comments, or suggestions provided by you under the Program;

c. You hereby agree to sign any documentation that may be required for us or our designees to confirm the rights aforementioned;

d. You waive any claims You may have relating to the rights aforementioned;

e. You understand that You are not guaranteed any compensation or credit for our use of Your Pull Request;

f. You represent and warrant that Your Pull Request is Your own work, does not infringe any intellectual property rights or other rights of any third party and does not violate any applicable law, and that You have the legal right to provide the Pull Request; and

g. During Your participation in the Program, including in Your preparation and delivery of the Pull Request and any related action, You shall comply with all applicable laws.

8. In-Scope Vulnerabilities

In-scope Vulnerabilities include, but are not limited to:

  1. Syntax Errors: Errors that occur when the code violates the programming language’s syntax rules.
  2. Logic Errors: Errors that cause the program to produce incorrect or unexpected results due to flawed logic.
  3. Runtime Errors: Errors that occur while the program is executing, often due to issues like division by zero or out-of-memory conditions.
  4. Compilation Errors: Errors that arise during the compilation phase, typically caused by incorrect or incomplete code.
  5. Semantic Errors: Errors that occur when the code is syntactically correct but does not perform as intended due to incorrect usage of variables, functions, or types.
  6. Integration Errors: Errors that arise when different modules or components of a system fail to work together correctly.
  7. Performance Bugs: Issues that affect the performance of the software, causing it to run slower or consume excessive resources.
  8. Security Vulnerabilities: Weaknesses or flaws in the software that can be exploited to compromise its security, such as buffer overflows, injection attacks, or authentication bypasses.
  9. Race Conditions: Bugs that occur when the behavior of a program depends on the relative timing of events, often leading to unexpected and incorrect results.
  10. Memory Leaks: Issues where a program fails to release memory resources after they are no longer needed, resulting in a gradual loss of available memory.
  11. UI/UX Bugs: Errors that affect the user interface or user experience, such as layout problems, unresponsive controls, or confusing interactions.
  12. Compatibility Issues: Problems that arise when software fails to work correctly in certain environments, operating systems, or hardware configurations.
  13. Data Corruption Bugs: Issues that result in the loss, alteration, or incorrect handling of data, potentially leading to data integrity problems.
  14. Concurrency Bugs: Errors that occur in concurrent or multi-threaded programs, leading to issues like deadlocks, livelocks, or inconsistent state management.
  15. Input Validation Bugs: Problems arising from inadequate input validation, allowing unexpected or malicious input to cause errors or security vulnerabilities.

 

9. Out Of-Scope Vulnerabilities

Certain Vulnerabilities are considered out-of-scope for the Program and will not be eligible for a Bounty. Those out-of-scope Vulnerabilities include, but are not limited to:

  1. Social engineering of Codium’s employees, affiliates, customers or users;
  2. Physical attacks (e.g. office access, data center access);
  3. Denial of service (dos) attacks;
  4. Vulnerabilities requiring physical access to a user’s device;
  5. Vulnerabilities in third-party services or libraries;
  6. Vulnerabilities that have already been reported or are already known to Codium, Codium’s employees or agents;
  7. Vulnerabilities that are not reproducible;
  8. Vulnerabilities impacting only old/end-of-life or unsupported browsers/plugins;
  9. Vulnerabilities that are disclosed publicly without giving Codium a reasonable time to address them;
  10. Vulnerabilities that are specific to individuals rather than the organization or application.
  11. Attacks that aim to destroy or corrupt data not belonging to You.
  12. Attacks stemming from stolen or leaked credentials;
  13. Intentional access to data or information not belonging to You beyond the minimum necessary to demonstrate the Vulnerability;
  14. Attacks related to email servers, protocols, security (e.g., SPF, DMARC, DKIM), or spam;
  15. Reports of insecure SSL/TLS ciphers without a working proof-of-concept, reports of missing HTTP headers (e.g., lack of HSTS) without a working proof-of-concept and reports of server error messages without proof of an exploit;
  16. Reports relating to server version strings;
  17. Reports about verification tokens in ./well-known/ai-plugin.json;
  18. Attempts to get malicious code executed by posting internal package names (or close replicas of them) in public repos.

10. Bounty Payments and Rewards

a. The decisions made by Codium and the maintainer regarding Bounties are final and binding. If we have determined that Your Pull Request is eligible for a Bounty, we will notify You of the Bounty amount and provide You with the necessary paperwork to process Your payment. We may also, as a condition to the receipt of Bounty by You, request You to provide us with any document or information which, in Codium’s and the maintainer’s sole discretion, is required in order to ensure Codium’s compliance with all applicable laws, regulations and contractual obligations. You acknowledge and accept that if You fail to provide Codium with any such information or document within the timeframes required, You will not be eligible for any Bounty, or any other reward, payment, compensation, or credit.

b. If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.

c. The Bounty will be provided to You by Codium or anyone on its behalf in USD in the form of (i) an Amazon Gift Card, or (ii) via PayPal transfer.

d. The participants will be eligible to receive the Bounty in accordance with the below:

  • Points will be awarded to participants for their Pull Request approved by the Maintainer as follows (the “Points”):
  1. 5 points per Small Bug
  2. 50 points per Significant Bug
  3. 100 points per Test Suite
  4. 200 points per Bug (of any kind) + Test Suite
    The determination of each bug’s category and test suite will be done by Codium at its sole discretion.
  • Those three (3) participants with the most Points will be allocated the Bounty by Codium as follows:
  1. The participant with the most points will receive US$ 1,500
  2. The participant with the second most points will receive US$ 1000
  3. The participants with the third most points will receive US$ 500

e. Regardless of your Bounty allocation, if you conduct tests, discover bugs, and submit at least one (1) approved Pull Request, you will receive a one-time $50 bonus. For the avoidance of doubt, the bonus will only be payable once, regardless of the number of approved Pull Requests you submit but provided you have submitted at least one (1) such approved Pull Request.

f. If Your Pull Request qualifies for a Bounty, please note:

  1. You may not designate someone else as the Bounty recipient;
  2. if You are unable or unwilling to accept Your Bounty, we reserve the right to rescind it; and
  3. if You accept a Bounty, You will be solely responsible for all applicable taxes related to accepting the payment(s).

g. Non-monetary recognition may also be awarded, such as by way of recognition in a leader-board, as determined by Codium at its sole discretion.

h. Bounty will only be rewarded to the first Pull Request received per Vulnerability and Codium reserves the right to determine the eligibility of a Pull Request at its sole discretion and meeting the terms and conditions set out in the Program, including obtaining the Maintainer’s approval.

11. No Warranties

a. Codium, its affiliates, resellers, distributors, and vendors, make no warranties, express or implied, guarantees or conditions with respect to the Program. You understand that Your participation in the Program is at Your own risk. Under no circumstances shall Codium be held liable for Your choice to participate in the Program;

b. Without limiting the foregoing, Codium does not endorse or recommend anyone to participate in the Program and does not guarantee the award of Bounty associated therewith. Each participant in the Program is solely responsible for exercising their own judgment, determining whether the Program suits their purposes and deciding whether to participate.

c. To the extent permitted under Your local law, we exclude any implied warranties in connection with the program. You may have certain rights under Your local law. Nothing in these Program Terms is intended to affect those rights, if they are applicable.

12. Safe Harbor, Limitation of Liability & Disputes

a. To the fullest extent permitted under applicable laws the limitations and exclusions set below shall apply to anything or any claims regarding this Program;

b. User Safe Harbor. We will not not threaten or bring any legal action against anyone who makes a good faith effort to comply with these Program Terms. As long as you comply with these Program terms, we waive any restrictions in our Terms of Use that would prohibit your participation in this Program, but only for the limited purpose of your Vulnerability research under this Program. For the avoidance of doubt, your compliance with the Program Terms does not authorize your efforts on third party products and services which may be connected with Codium’s systems, and Codium does not guarantee that such third parties will not pursue legal action against you nor will defend or indemnify you against such third party claim (other than a reasonable effort by Codium to notify such third party you complied with the Program Terms, if this is the case).

c. Should You have any basis for recovering damages in connection with this Program (including breach of these Program Terms), You agree that Your exclusive remedy is to recover, from Codium or any of its respective officers, directors, agents, employees, affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to 100 USD dollars;

d. No other damages or losses, under any theory of liability, including but not limited to contract or tort, including direct, consequential, loss of profits, lost revenues, loss of goodwill, exemplary, special, indirect, incidental, or punitive damages shall be recoverable; and

e. The abovementioned limitations and exclusions shall apply even if the remedy would lead to incomplete compensation for any losses or would fail of its essential purpose or if we knew or should have known about the possibility of the damages.

13. Governing Law and Disputes

a. This Program shall be governed by and construed according to the laws of the State of Israel, without regard to its choice of law principles. The competent courts of Tel Aviv shall have exclusive jurisdiction to hear any dispute relating to this Program or arising thereunder and no other courts will have jurisdiction whatsoever in respect of such disputes.

14. Miscellaneous

a. These Program Terms, together with Codium’s Terms of Use and Privacy Policy, form the entire agreement between You and Codium for Your Participation in the Program, and supersede any prior agreements between You and Codium regarding Your participation in the Program; and

b. Codium reserves the right to modify, suspend or terminate any part of the Program Terms and/or the Program at any time.

c. All parts of these Program Terms apply to the maximum extent permitted by relevant law. If a court holds that we can’t enforce a part of these Program Terms as written, we may replace such specific part of these Program Terms with similar terms to the extent enforceable under the relevant law.