
General Terms

Brief description of the Remedy T&C and general rules.

Organizations


Proof of duplicate

If the organization closes a report as a duplicate, it must, upon request, provide proof in the form of a screenshot of the original report or via the ZK Proof of Duplicate tool.

Explanation of report actions

The organization must provide explicit clarification in case of report rejection or severity change.

Response times

The organization is obliged to follow the defined response timeframes.

Program scope

The program scope is the single source of truth for the program. It defines the out-of-scope vulnerabilities, the payout amounts for each severity level, the program rules, and any other relevant guidelines.

Rewards

The organization must reward valid reports. The payout amount must fall within the range specified for the report's severity level.

Reports not eligible for payout

Organizations are not required to pay for reports that are:

  • Out-of-scope

  • Duplicate

  • Invalid

  • Spam

Please refer to the following guidelines for definitions.

New impact of a known issue

If a Security Researcher identifies a bug that a Program owner is already aware of but determines that it has a higher severity level than previously assessed, the reported bug should be considered eligible for a bounty.

Unethical behaviour

Please refer to the Remedy T&C to learn about prohibited behavior and actions on the Remedy platform.

Triagers


Reopening closed reports

A Remedy triager can reopen a closed report if it was closed unfairly or by mistake.

Report assignment and review period

Remedy triagers have up to 14 days to assign and review the report.

Escalation to the organization team for bug validation

Remedy triagers can escalate a report to the organization if they need the organization team's input, for example when details of the organization's internal system configuration are needed to determine the bug's severity or validity.

Explanation of report actions

The Remedy triagers must provide explicit clarification in case of report rejection or report severity change.

Out of scope escalation

Remedy triagers can escalate out of scope reports to the organization team if they determine that the reported vulnerability requires attention.

Security researchers


Responsible public disclosure

The security researcher shall wait at least 45 days after the Program owner has determined that the report is out of scope or does not require a fix before publicly disclosing any details.

In any case, the security researcher has the right to publicly disclose the details of a report if the organization has neither resolved nor closed it within 45 days of submission.

Stalled communication

The report may be closed after 45 days of inactivity from the security researcher.

Unethical behaviour

Please refer to the Remedy T&C to learn about prohibited behavior and actions for security researchers on the Remedy platform.

Transfer of the ownership of the report

Ownership of the report is transferred to the organization seven days after the security researcher receives the payout, provided there are no disputes.

Access termination

The Platform reserves the right to disable any username or password, to restrict, suspend, or terminate the access of Users to the Platform or any part of the Platform or any of its features at any time at the sole discretion of the Platform for any or no reason without any prior notice.

In case of repeated violation of the Terms & Conditions and publicly stated rules, the Remedy team reserves the right to delist a program after notice.
