Bug Bounty Program
CHEQUER Co., Ltd. (hereinafter referred to as the "Company") commences the implementation of the CHEQUER Bug Bounty Program (hereinafter referred to as the "Program"), which provides rewards for reporting bug bounty vulnerabilities to the Company. Individuals who wish to participate in the Program and receive compensation must adhere to the following terms and conditions and are deemed to have agreed to the following terms and conditions while reporting a bug bounty.
Article 1 (Purpose)
The purpose of this program is to provide better safety and security to users of the Company services (hereinafter referred to as "users") through early detection, fixing, and improvement of vulnerabilities and bugs in Company services.
Article 2 (Eligibility for Participation, Method of Participation, etc.)
- To participate in the Program, participants (“Participants”) must meet the following qualifications:
- Must be able to communicate in Korean or English.
- Must be a person who does not reside in a country subject to economic sanctions in the Republic of Korea, the United States, or other countries or regions subject to economic sanctions at the time of award payment.
- In order for Participants to participate in this program, they must report on the website designated by the Company.
- All necessary expenses required to participate in this program are to be borne by the participant.
- Any necessary communication regarding the operation of this program is to be done via e-mail.
Article 3 (Scope)
The following CHEQUER services are covered in the program:
Note that the program is limited to the aforementioned services, and any reports that do not cover these services would be ineligible for a reward.
Article 4 (Period)
- This program is always open. However, if necessary, the Company may terminate this program without prior notice.
- In accordance with Article 1, even after the program has been terminated, the company will review and respond to the results if any reported vulnerabilities are received before the termination of the program.
Article 5 (Method of reporting)
Bug Bounty reports must be made via the Bug Bounty reporting website. Participants reporting risks via methods other than the Bug Bounty reporting website are excluded from reward payment.
Article 6 (Submission Review and Rewards)
The Company, at its discretion, shall determine an award based on the severity of the risk reported.
- The following vulnerabilities are not eligible for rewards:
|Enumerate accounts/emails using brute force attack||If the vulnerability is not reproduced|
|Publicly-known Vulnerabilities||A Zero Day Vulnerability that has not been corrected|
|URL Redirection||Clickjacking/UI Redressing|
|Physical attacks||Missing cookie flags|
|HTTP Host Header XSS||"Self" XSS|
|Denial-of-Service(DoS) Attack||Exposing the server's application information|
|Missing Security HTTP Headers||Client-side autocomplete or saved passwords/credentials|
|Page tampering using error pages||Security, CSP header related vulnerabilities|
|All applications not part of the CHEQUER services||Social Engineering attacks|
|Internal Scanning, Exploitation or Data Leakage||Other vulnerabilities deemed to be free from any security threats|
|If the vulnerability is not reproduced at the time of reporting||If the vulnerability is replicated and the Company is already aware of it|
|In case of violation of the terms and conditions of this program|
- In case the Company receives duplicate reports of the vulnerability, the reports will be considered as one.
- If multiple Participants report the same vulnerability, the reward will be awarded only for the first report received by the Company.
- If the Company determines that the reported vulnerability is subject to a reward, information received in accordance with the reward method is requested by the company through the e-mail address of the Participant written at the time of reporting, and the participant is obliged to reply with the accurate information. If the participant does not provide the requested information within 30 days of the company's request, he/she will be deemed to have waived his/her right to receive the award.
- In the event that the participant does not receive all or part of the reward (may result from a discrepancy in the information provided) despite the appropriate reward delivery procedure conducted by the Company based on the given information by the participant, pursuant to Article 4, the Company’s obligation to pay the reward ceases to exist.
- If the participant violates these terms and conditions, the Company holds the right to refuse the reward payment or may demand the return of the reward paid to the participant.
Article 7 (Prohibited Matters)
- Participants must not:
- Perform any act that infringes on others' rights or violates other laws and regulations.
- Scan services with an automated program.
- Denial of Service (DoS) attack that overloads the service.
- Physical attacks on company assets or data centers.
- Perform any act of viewing, deleting, modifying, or disclosing user data by exploiting the discovered vulnerability.
- Perform any act of viewing, deleting, modifying, or disclosing the source code, etc., by using the discovered vulnerability.
- Perform any other act contrary to the purpose and purpose of this program.
- The company may disqualify Participants from participating in this program for violating the terms mentioned in the aforementioned section.
Article 8 (Rights)
- In the event that a participant invents, devises, or creates a design or authors a written work (hereinafter referred to as "invention") in reviewing the vulnerability verification and correction plan, all rights, including copyrights for inventions, etc., are transferred to the Company through the reporting website, and the Company is free to exercise and dispose of its rights.
- The participant understands and acknowledges that pursuant to Article 1, the Company may develop materials similar to or identical to the submissions and waives any claims that may arise due to similarity to the submissions of the Participant.
Article 9 (Handling of Confidential Information)
Participants must treat vulnerabilities and the information learned through vulnerabilities (such as details on attack methods) as confidential information. The Participants shall not disclose, leak, or publish the information to any third-party entity without the Company's clear written consent. If a participant wishes to disclose the information, the Company will perform a review of the content, and it will be up to the discretion of the Company whether to disclose the information or not.
Article 10 (Handling of Personal Information)
- The Company strives to protect personal information as prescribed by relevant laws and regulations such as the Personal Information Protection Act.
- The Company may use the personal information [email, name, affiliation] provided by Participants for this program to effectively conduct the program and to facilitate other necessary administrative processes.
- The Company retains the personal information received from the participant for 3 years from the date of the participant's final report or for the retention period in accordance with relevant laws and regulations.
Article 11 (Indemnification)
- Participants may participate in this program at their own risk, and the Company shall not responsible for any damages suffered by the participant as a result of their participation in this program, except for reasons attributable to the Participants.
- The Company shall not be involved in any disputes between Participants or between Participants and third parties related to this program. The Participants are solely responsible for resolving the disputes and the expenses incurred.
Article 12 (Change of Terms and Conditions)
- The Company may revise or amend the contents of the mentioned terms and conditions to the extent that it does not violate the relevant laws and regulations.
- If the Company revises these terms and conditions, it will notify the users in advance by specifying the date of application.
- Even after the Company has notified the revised terms in accordance with the aforementioned section, if the participant does not explicitly express his/her refusal within the set period, the participant shall be deemed to have agreed to the revised terms and conditions.
- If the revised terms and conditions are announced, and the bug bounty report is received after the effective date, the participant shall be deemed to have agreed to the revised terms and conditions.
- If the participant does not agree to the application of the amended terms, he/she will not be qualified for the program.
Article 13 (Governing Law and Jurisdiction)
- Lawsuits filed between the Company and Participants shall be governed by the laws of the Republic of Korea.
- The court of competent jurisdiction for litigation regarding disputes between the Company and Participants is determined in accordance with the Civil Procedure Act.
- In the case of a participant who has an address or residence abroad, litigation regarding a dispute between the Company and the participant shall be governed by the Seoul Central District Court, Republic of Korea, notwithstanding the aforementioned section.
Article 14 (Program Inquiries)
All inquiries regarding this program are received at firstname.lastname@example.org. Inquiries by any other means are not accepted.
Terms and Conditions Enactment Date: 2022-07-29
Terms and Conditions Revision Date: 2022-10-04