Privacy and Security
Vulnerability Disclosure Program
Terms and Conditions
The RainFocus Vulnerability Disclosure Program Terms and Conditions ("Terms") cover your participation in the RainFocus Vulnerability Disclosure Program (the "Program"). These Terms are between you and RainFocus, LLC ("RainFocus," "us" or "we"). By submitting any vulnerabilities to RainFocus or otherwise participating in the Program in any manner, you accept these Terms.
Last Updated: 19 Feb, 2020
The Program enables users to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to RainFocus about eligible RainFocus products and services ("Products"). RainFocus may change or cancel this Program at any time, for any reason. The current version of these Terms will be available at rainfocus.com/vulnerability-disclosure
Changes to These Terms
We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.
If you wish to opt-out of the Program, contact us at security@Rainfocus.com. Opting out will not affect any licenses granted to RainFocus in any Submissions provided by you.
You ARE eligible to participate in the Program if you meet all of the following criteria:
- You are 18 years of age or older. If you are at least 18 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program; and
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.
You ARE NOT eligible to participate in the Program if you meet any of the following criteria:
- You are a resident of any countries under U.S. sanctions or any other country that does not allow participation in this type of program;
- You are under the age of 18;
- Your organization does not allow you to participate in these types of programs;
- You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;
- You are currently an employee of RainFocus, LLC or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
- Within the six months prior to providing us your Submission you were an employee of RainFocus Corporation or a RainFocus subsidiary;
- You currently (or within six months prior providing to us your Submission) perform services for RainFocus or in an external staff capacity that requires access to the RainFocus Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor; or
- You are or were involved in any part of the development, administration, and/or execution of this Program.
It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating in the Program. RainFocus disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter. There may be additional restrictions on your ability to enter depending upon your local law.
Submission Process & Coordinated Vulnerability Disclosure
If you believe you have identified a Vulnerability that meets the applicable requirements set forth in the Product Program Terms, you may submit it to RainFocus in accordance with the following process:
Each Vulnerability submitted to RainFocus shall be a "Submission." Submissions must be sent to security@Rainfocus.com. In the initial email, include the Vulnerability details and entitle the subject as “Finding for Vulnerability Disclosure Program”. Please also include as much of the following information as possible:
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- URL that contains the bug
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code
- Impact of the issue, including how an attacker could exploit the issue
You must follow Coordinated Vulnerability Disclosure (CVD) provided below when reporting all Vulnerabilities to RainFocus. Submissions that do not follow CVD or are considered incomplete may not be eligible for recognition. Not following CVD could disqualify you from participating in the Program in the future or subject you to legal action from RainFocus.
RainFocus is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify RainFocus at security@Rainfocus.com to ensure your Submission was received.
There are no restrictions on the number of qualified Submissions you can provide.
Coordinated Vulnerability Disclosure
Under the principle of Coordinated Vulnerability Disclosure (CVD), researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product/service; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately.
The researcher allows RainFocus the opportunity (at least 90 days) to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. RainFocus continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, RainFocus may recognize the finder for the research and privately reporting the issue. If attacks are underway in the wild and the vendor is still working on the update, then both the researcher and RainFocus work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.
For more information on CVD, please review the information provided in the following links:
RainFocus is not claiming any ownership rights to your Submission; however, by providing any Submission to RainFocus, you:
- grant RainFocus the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, trade shows, and screen shots of the Submission in press releases) in all media (now known or later developed);
- agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
- understand and acknowledge that RainFocus may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
- understand that you are not guaranteed any credit for use of your Submission; and
- represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to RainFocus.
Confidentiality of Submissions / Restrictions on Disclosure
Protecting customers is RainFocus's highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are assessing and addressing each Vulnerability report, we require that all content in and related to Submissions remain confidential and not be disclosed to third parties or as part of paper reviews or conference submissions.
You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. RainFocus will notify you when the Vulnerability in your Submission is fixed.
VIOLATIONS OF THIS SECTION COULD DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE AND SUBJECT YOU TO LEGAL ACTION FROM RAINFOCUS.
Submission Review Process
After a Submission is sent to RainFocus in accordance with the requirements described above, RainFocus will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.
RainFocus retains sole discretion in determining which Submissions are qualified, according to the rules set forth in the Product Program Terms. If we receive multiple bug reports for the same issue from different parties, recognition will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to RainFocus, we may recognize the person submitting the duplicate report.
RainFocus may publicly recognize individuals who have responsibly disclosed vulnerabilities. RainFocus at it is discretion may recognize you on web properties or other printed materials unless you explicitly ask us not to include your name. Please let us know within 89 days of your Submission if you’d like to not be publicly recognized.
Code of Conduct
By participating in the Program, you will follow these rules:
- You agree to conduct security research on the following sites:
- For Vulnerabilities found on other sites than those listed above:
- Do not exploit the Vulnerability or cause any changes to the site, or impact the site in any way
- Immediately notify security@Rainfocus.com, following the Submission guidelines described above
- Where applicable, you may continue research on the list of approved sites listed above
- Don’t do anything illegal. Under no circumstances should these Terms be considered any sort of permission or license to engage in practices which would violate federal or state law, including the Computer Fraud and Abuse Act (“CFAA”).
- Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
- Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
- Don't engage in activity that is false or misleading.
- Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
- Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material, processing1 PII, etc.) or engage in activity that violates the privacy of others.
- Don't help others break these rules.
If you violate these Terms, you may be prohibited from participating in the Program in the future, any Submissions you have provided may be deemed to be ineligible for recognition, and you may be subject to legal action.
RAINFOCUS, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK, INCLUDING ANY RISKS YOU CREATE RELATING TO THIRD PARTIES. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
Limitation of Liability & Binding Arbitration
If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from RainFocus or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy does not fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.BINDING ARBITRATION AND CLASS ACTION WAIVER
We hope to never have a dispute. If we do have a dispute, you and we agree to try for 90 days to resolve it informally. If we can't, you and we agree to binding individual arbitration before the American Arbitration Association ("AAA") under the Federal Arbitration Act ("FAA") or similar arbitration regulation in applicable jurisdictions, and not to sue in court in front of a judge or jury.
Instead, a neutral arbitrator will decide and the arbitrator's decision will be final except for a limited right of review under the FAA. Class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity aren't allowed. Nor is combining individual proceedings without the consent of all parties. "We," "our," and "us" includes RainFocus and RainFocus's affiliates.
These Terms and any applicable Product Program Terms are the entire agreement between you and RainFocus for your Participation in the Program. It supersedes any prior agreements between you and RainFocus regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law.
Other than your Submission, compliant with these terms, RainFocus does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to RainFocus through the Program or otherwise, RainFocus makes no assurances that your ideas will be treated as confidential or proprietary.