Version 1
Terms for Security Partners
Effective from July 15, 2025
These terms ("Security Terms") apply to any person or company ("Researcher") who participates in Corporate's Security Partner Program ("the Program") by researching and reporting security vulnerabilities to us. These terms constitute an addendum to Corporate's general Terms of Service.
By submitting a vulnerability report to Corporate, you acknowledge and accept these Security Terms.
1. Purpose and Acceptance
The purpose of the Program is to encourage the discovery and reporting of security vulnerabilities to strengthen the security of our platform. These terms form the basis of the agreement between Corporate and a Researcher.
2. Authorization and "Safe Harbor"
As long as your security research is conducted exclusively in accordance with these terms and applicable laws, we will consider your activity to be authorized. Corporate will not initiate or support legal action against you in connection with your research under the Program.
3. Program Scope
3.1. In-Scope Systems
The Program exclusively covers vulnerabilities found in the following systems owned by Corporate:
- The Corporate Framework (test.corporate.app).
- The Corporate Framework API (api.test.corporate.app).
- The Corporate website (www.corporate.net).
- The Corporate IdP (idp.corporate.net).
- The Developer Hub (developers.corporate.net).
- The Partner Portal (partners.corporate.net).
- The Support Portal (support.corporate.net).
3.2. Out-of-Scope Systems and Actions
The following are strictly prohibited and are not covered by this agreement:
- Attacks against applications built and operated by our customers or partners.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
- Physical attacks against Corporate's offices or data centers.
- Social engineering, phishing, or other attacks targeting Corporate's employees, partners, or customers.
- Using vulnerabilities to access, modify, delete, or store data that does not belong to you.
- Third-party services that we use.
4. Rules of Engagement
As a Researcher, you must at all times:
- Avoid violating the privacy of our users. You must only interact with test accounts that you own.
- Avoid disrupting or degrading our services.
- Provide us with a reasonable amount of time to fix a reported vulnerability before you publish any information about it (Responsible Disclosure).
- Not exploit a vulnerability for any purpose other than to demonstrate its existence to Corporate.
5. Reporting Process
For a report to be acknowledged under the Program, it must:
- Be submitted in writing via the Partner Portal or via email to security@corporate.net, preferably encrypted with our PGP key.
- Be the first report of the specific vulnerability.
- Contain a detailed technical description of the vulnerability and the steps required to reproduce it (Proof-of-Concept).
- Describe the potential impact of the vulnerability.
6. Validation, Rewards, and Recognition
6.1. Validation
Upon receiving a report, Corporate will validate the vulnerability and determine its severity and impact. This assessment is final and is made at the sole discretion of Corporate.
6.2. Reward (Bounty)
Corporate may, at its sole discretion, award a monetary reward (bounty) for reported vulnerabilities. The size of the bounty depends on the severity of the vulnerability and the quality of the report. Not all vulnerabilities are eligible for a reward.
6.3. Recognition
With your permission, we will recognize your contribution on our Acknowledgments page (Hall of Fame).
7. Confidentiality and Disclosure
You must treat all information about discovered vulnerabilities as strictly confidential and may not share it with third parties without written consent from Corporate.
8. General Provisions
Corporate reserves the right to change or terminate these terms at any time.
These Terms are governed by and shall be construed in accordance with the laws of the country where Corporate has its headquarters, without regard to principles of conflict of laws.
Any dispute arising from these Terms shall be subject to the exclusive jurisdiction of the courts at the location where Corporate has its headquarters at any given time.