Vulnerability disclosure terms

These Vulnerability Disclosure Programme (“VDP”) Terms set out the terms and conditions applicable to our Programme that allows unsolicited including setting out the Conduct you must adhere to in order to qualify for a Reward.

By submitting Findings relating to a potential Vulnerability you (referred to as “you” or the “Researcher” in these Terms) acknowledge that you accept these Terms and our Privacy Policy and you agree to be bound by them. If you do not accept them, you should not submit any Findings.

 

DEFINITIONS
Some of the capitalised terms used in these VDP Terms are defined in the Appendix.

 

INFORMATION ABOUT US
The manager of this VDP is TruTrip. TruTrip’s details are as follows:

Company name : TRUTRIP PTE. LTD.
Unique entity number : 201915540Z
Registered address : 9 Raffles Place, #26-01 Republic Plaza, Singapore 048619
E-mail address : [email protected]
General hotline : +65 3129 2139

 

UPDATE AND MODIFICATION OF TERMS OF USE
TruTrip reserves the right to modify these Terms and the Privacy Policy at any time without giving prior notice. You should carefully read these Terms before submitting any Findings. In all circumstances, the acceptance of these Terms is an essential first step towards submitting any Findings. The most current Terms will be available at all times on our website or by emailing us at [email protected].

 

AUTHORITY
By submitting a Finding under this VDP, you represent and warrant that:

  1. you are at least 18 years of age or if you are under 18 years old, your parents or legal guardian agree to these Terms on your behalf;
  2. you have read, understood and agreed to these Terms which include our Privacy Policy;
  3. where you accept or agree to these Terms on behalf of a company or other legal entity, you have the full capacity and authority to enter into this agreement on behalf of such company or legal entity, and in such event, “you” and “your” will refer and apply to that company or legal entity;
  4. all information you submit is accurate, current, and complete;
  5. you will maintain the accuracy and completeness of such information;
  6. you possess the legal authority to create a binding legal obligation;
  7. you are legally permitted to submit a Finding under this VDP and take full responsibility for the submission and process.

In the event you are under 18 years old, we will require additional information confirming that the same representations and warranties are agreed to by your parents/legal guardians.

 

CONDUCT
In submitting a Finding, you agree, accept and acknowledge to have followed the following conduct conditions.

You shall:

  1. Act responsibly for the sole purpose of reporting suspected vulnerabilities and safeguarding users from damage, harm or loss.
  2. Avoid causing any kind of damage, harm or loss to individuals or organisations (e.g. you should not attempt to test, reproduce or verify the suspected vulnerability, or take any action which may cause interruption or degradation of any Services).
  3. Conduct yourself in accordance with applicable laws and regulations at all times. If you have any doubt about such laws or regulations, please seek and obtain professional legal advice. Under no circumstances should you attempt to exfiltrate any computer data or publish details of any suspected vulnerability.
  4. Upon detection of a suspected vulnerability, notify us immediately or as soon as practicable by submitting a report. You may encrypt your emails to us using our PGP key.
  5. Provide adequate information in the suspected vulnerability report so that we may work with you on validating the suspected vulnerability.

You shall NOT:

  1. Act in any way which may contravene applicable laws and regulations (e.g. the Computer Misuse Act).
  2. Publish or publicly disclose any suspected vulnerability to any third party before it is resolved as malicious actors may exploit the suspected vulnerability to cause damage, harm or loss to individuals and organisations.
  3. Deploy destructive, disruptive or other unlawful means to detect vulnerabilities (e.g. attacks on physical security, social engineering, denial of service, brute force attacks).
  4. Exploit, test or otherwise use any suspected vulnerability (e.g. taking any step(s) to access, copy, create, delete, modify, manipulate or download any data or programme, build system backdoor(s), modify system configuration(s), facilitate or share system access).

SUBMISSION OF FINDINGS
By submitting a Finding(s) you represent that neither the Findings nor our use of the Findings will infringe, misappropriate, or violate a third party’s intellectual property rights, or rights of publicity or privacy, or result in the violation of any applicable law or regulation, including export control laws.

All submissions shall be via TruTrip’s submission form or via email to [email protected]. If you believe a submission needs to be encrypted, please let us know to obtain an encryption key.

For a submission to be accepted, you must include as a minimum:

  • Title: <one line description of the issue, usually the vulnerability type and what asset/service/etc. is affected>
  • Summary: <brief description of the vulnerability and why it matters>
  • Reproduction Steps: <step by step instructions on how to show the existence of the vulnerability>
  • Impact / Attack Scenario: <how would this be exploited, and what would be the impact to your organization?>

 

REWARDS
You may be entitled to a monetary Reward for submitting a Finding. The value, in Singapore dollars, of the Reward is typically associated with the assessment of impact and likelihood as follows:

Reward (SGD)                Likelihood
                     Low        Medium      High
Impact    High       $200       $750        $2,000
          Medium     $30        $200        $750
          Low        $0         $30         $200

You shall not be eligible for a Reward for Findings related to a Duplicate or Excluded Finding. TruTrip reserves the right to determine severity classifications, report validity, duplications, exclusions, and out-of-scope Findings in its sole discretion.

Reward value is set at the total and absolute discretion of TruTrip. TruTrip reserves the right to decrease or increase any Reward. Prior Rewards are not precedent for future payments.

You may remain anonymous by using a pseudonym. To be eligible to receive a Reward, however, you must provide TruTrip with accurate, complete, and up-to-date information about you, including your address and any other information that We reasonably request to allow Us to legally send any Reward to you. If you do not provide the reasonably required payment information within 21 days of request, You shall forfeit all Reward rights and claims.

TruTrip shall endeavour to process Reward(s) within 14 days of submission subject to all the required information being provided. However, no legal proceedings will be brought for unpaid Rewards relating to your Findings before the expiration of sixty (60) days after submission. No legal proceedings may be brought more than one (1) year after a submission was received.

EXCLUSIONS
We will not issue Rewards for:

  • Findings already identified.
  • Findings relating to 3rd-party systems.
  • Findings which enumerate already claimed handles, emails and other such information. This reveals no sensitive information, regardless of whether the associated profiles are public or private.
  • Findings related to Distributed Denial of Service (DDoS).

 

CONFIDENTIALITY
All Findings must be kept and treated as Confidential Information and cannot be disclosed publicly or to any third parties, until we have investigated and resolved the relevant issue you reported.

Any violation of this Confidentiality requirement shall disqualify you from any current and future participation in this VDP. For clarification, any violation of these confidentiality requirements shall mean you automatically DO NOT qualify for any Reward.

 

INTELLECTUAL PROPERTY
By making a Submission you hereby grant to TruTrip a perpetual, irrevocable, non-exclusive, transferable, sublicensable, worldwide, royalty-free license to use, copy, reproduce, display, modify, adapt, transmit, and distribute copies of that Submission.

 

INDEPENDENT PARTIES
You warrant:

  1. You are not an employee or legal representative of TruTrip for any purpose.
  2. You do not have the authority to enter into any contracts in the name of or on behalf of TruTrip.
  3. These Terms shall not constitute, create, or in any way be interpreted as a joint venture, partnership, or business organization of any kind.

 

INDEPENDENCE OF CLAUSES
If any provision in these Terms of Use is held to be illegal, invalid or unenforceable in whole or in part in any jurisdiction, these Terms of Use shall, as to such jurisdiction, continue to be valid as to its other provisions and the remainder of the affected provision. The legality, validity and enforceability of such provision in any other jurisdiction shall be unaffected.

GOVERNING LAW AND JURISDICTION

  1. These Terms of Use shall be governed, construed and enforced in accordance with the laws of Singapore.
  2. Any dispute arising out of or in connection with these Terms of Use, including any question regarding their existence, validity or termination, shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre in accordance with the Arbitration Rules of the Singapore International Arbitration Centre for the time being in force, which rules are deemed to be incorporated by reference in this Clause 12.2. The seat of the arbitration shall be Singapore. The Tribunal shall consist of one (1) arbitrator. The language of the arbitration shall be English.
  3. You consent to service of process out of any court (where applicable) by the same being left at your address indicated on the Platform (or sent by registered mail to this address), or by e-mail to your e-mail address indicated to TruTrip or on the Platform. You so consent regardless of whether or not personal service is required or otherwise. Where service of process is sent by registered mail, the service shall be deemed to be made in the absence of any evidence to the contrary by the third day. Nothing in this paragraph shall affect TruTrip’s right to serve legal process in any other manner permitted by law.

 

APPENDIX – DEFINITIONS

Confidential Information means any confidential or proprietary business or technical information about a party related to the Services or a Program, including the HackerOne Platform and the content of Finder Submissions. Confidential Information does not include any information that (i) was publicly known and made generally available in the public domain prior to the time of disclosure by the disclosing party; (ii) becomes publicly known and made generally available after disclosure by the disclosing party to the receiving party; (iii) is already in the possession of the receiving party at the time of disclosure by the disclosing party; or (iv) is obtained by the receiving party from a third party without a breach of such third party’s obligations of confidentiality.
Duplicate Finding A Duplicate Finding refers to a Finding that is already known to TruTrip. We publicly share most accepted and resolved Findings here. In the event the Findings have not been fully resolved, we may not share them. TruTrip reserves the right to determine Duplicate Findings in its sole discretion.
Excluded Finding An Excluded Finding refers to Findings related to the areas outlined in the section “EXCLUSIONS”. TruTrip reserves the right to determine Excluded Findings in its sole discretion.
Findings A Finding is the identification and documentation of a potential Vulnerability.

 

When submitted, a Finding must include as a minimum:

  • Title: <one line description of the issue, usually the vulnerability type and what asset/service/etc. is affected>
  • Summary: <brief description of the vulnerability and why it matters>
  • Reproduction Steps: <step by step instructions on how to show the existence of the vulnerability>
  • Impact / Attack Scenario: <how would this be exploited, and what would be the impact to your organization?>
Reward Refers to the monetary payment to be made to Researchers based on their Findings. The value of the payments is indicatively shared in the section “REWARDS”.
Submission Submission refers to sharing the information relating to a Finding with TruTrip. This can be done via our online submission form or via email to [email protected].
VDP Refers to this programme, the Vulnerability Disclosure Programme.
Vulnerability / Vulnerabilities A “Vulnerability” is a weakness in our operating systems or software. Exploiting a vulnerability would allow someone or something to increase their access privileges to our operating systems or software, potentially in order to perform malevolent acts.