QNAP SECURITY BOUNTY PROGRAM TERMS AND CONDITIONS
QL-TC-0004-230117
Revised on 2023.01.17
The QNAP Security Bounty Program Terms and Conditions ("T&C") is between QNAP Systems, Inc. ("QNAP," "we" or "us") and any individuals, entities or organizations who participate ("Participants," "you" or "your") in the QNAP Security Bounty Program ("Program"). By submitting any vulnerability report to QNAP or otherwise participating in the Program in any manner ("Submission"), you fully understand and accept this T&C.
QNAP has an uncompromising commitment to information security and has partnered with the security research community to identify and fix vulnerabilities to keep our users, products, and the internet safer. To thank those contributing, QNAP provides rewards through our security bounty program.
- Program Scope
- This Program only accepts security vulnerabilities of QNAP Operating Systems, Applications, and Cloud Services which have been officially released. You shall refer to our Program website (https://www.qnap.com/go/security-bounty-program/#scope) for further details of Program Scope. Beta versions are not included in the Program.
- Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for critical vulnerabilities depending on the situation.
- Unsolicited proposals or ideas, including but not limited to reminders for present technologies, advice for cyber security strategy, and product feedback/improvements are not accepted under this program.
- QNAP makes no assurances that your Submission with out-of-scope content mentioned above will be treated as confidential or proprietary.
- Program Restrictions
- Actions that may potentially damage or detrimentally affect QNAP servers or data are prohibited.
- Vulnerability reports are particularly not accepted if they describe or involve Restrictions of Program Scope stated on our Program website (https://www.qnap.com/go/security-bounty-program/#scope).
- By participating in this Program, the following actions are especially forbidden:
- Violating or assisting in violating any local or Taiwanese laws/regulations;
- Engaging in activities which may be linked to exploitation, abuse, smuggling, or pornography of children;
- Sharing inappropriate content or material, including but not limited to nudity, bestiality, pornography, or criminal activity;
- Infringing the civil rights, intellectual property rights, or privacy of others.
- By violating any terms of Section 2, you will be prohibited from participating in the Program in the future, and any Submissions you have provided will be deemed to be ineligible for Bounty payments.
- QNAP disclaims any liability or responsibility arising from actions of Participants related to Sections 2.2 & 2.3. Participants shall be fully responsible for such actions.
- Eligibilities
- Anyone who is currently an employee or contractor of QNAP or affiliate of QNAP shall not be eligible for this Program.
- If you are an employee of the public sector (government or education), it is your sole responsibility to comply with any work/employee/service policies or gifts and ethics rules that may affect your eligibility to participate in the Program. If any of such policies are breached, your participation in this Program and eligibility for the Bounty reward may be disqualified. All payments will be made in compliance with local laws, regulations, and ethics rules. QNAP disclaims any liability or responsibility for disputes arising between an employee and their employer related to this issue.
- There may be additional restrictions on your eligibility depending upon your local law.
- Reward Qualifications
- You are qualified for the reward if and only if:
- you are the first researcher to report the vulnerabilities; and
- you have NOT publicly shared/uploaded any files and/or details related to the vulnerability to any publicly-accessible websites; and
- the reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue by the QNAP PSIRT team; and
- you agree to all the terms and conditions of the Program.
- The reward may be increased based on:
- Quality of the description: Higher rewards may be paid for clear, well-written bug bounty reports;
- Quality of the proof of concept: Higher rewards may be paid if testing code, scripts and detailed instructions are included;
- Quality of the fix: Higher rewards may be paid if suggestions on fixing the issue are provided.
- The determination of reward qualification for all Submissions is fully governed by QNAP.
- Submission Requirements
- The following documents or contents are necessary for your submission/report:
- A short description of the possible damage;
- Clear instructions for the exact location of the vulnerabilities;
- PoC (proof of concept) step-by-step instructions to reproduce the exploit.
- The PoC document could also be attached with a commentary video if it is helpful for explanation of the exploit and vulnerability.
- You are required to comply with the confidentiality requirements and follow the guidelines and process about submission of vulnerability report stated on our Program website (https://www.qnap.com/go/security-bounty-program/#report).
- Submission License
QNAP does NOT claim any ownership or intellectual property rights toward your Submission. Nevertheless, by providing any Submission to QNAP, whether or not it is qualified for the reward, you:
- grant to QNAP a worldwide, free of charge, perpetual, non-exclusive, irrevocable, sub-licensable license under all intellectual property in your Submission:
- to use, evaluate, review, examine, and otherwise analyze your Submission; and
- to wholly or partly duplicate, modify, create derivative works and adaptations, distribute, publicly perform, and otherwise commercialize your Submission and all its content; and
- to feature your Submission and all its content wholly or partly in accordance with the marketing, sale, or promotion of QNAP in all sorts of media whether now known or later developed; and
- agree to sign any documentation which may be required for us to confirm the license and rights you granted above; and
- represent and warrant that your Submission is your own work, and you have the legal right to provide the Submission to QNAP.
- Bounty Payment
- The Bounty reward will be transmitted within 3 months after we confirm the qualification and severity level of your Submission.
- All rewards will be transmitted through PayPal in US Dollars only.
- You are required to sign a consent letter provided by QNAP for confirming the amount of reward and the acceptance of this T&C before the Bounty reward is transmitted.
- Participants shall be solely accountable for all applicable taxes related to the Bounty reward.
- Confidentiality
- All the content of the Submission shall remain confidential before all the vulnerabilities, security risks, or possible damages referred to in the Submission are detected and fixed by QNAP. It is the Participants' responsibility to NOT disclose or publish any contents of the Submission in public or toward any other parties, unless a notice of approval from QNAP or a corresponding Security Advisory article is posted on our website (https://www.qnap.com/go/security-advisories).
- The Bounty Payment shall not be regarded as the notice of approval mentioned in Section 8.1.
- The Submission will be disqualified, and any received reward will be retrieved if the Participants violate any terms of Section 8.
- Privacy
- All the data and personal information contained in this Program will be governed under GDPR and QNAP Privacy Policy (https://www.qnap.com/go/legal/qnap-privacy-policy).
- QNAP will not disclose or publish the names or any personal information regarding the Program and Submission without prior consent from the Participants.
- Limitation Of Liability
IN NO EVENT AND IN NO CIRCUMSTANCES SHALL QNAP AND ITS AFFILIATES BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE PARTICIPATION OF THIS PROGRAM OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS T&C, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF T&C OR BREACH OF WARRANTY OF QNAP, AND EVEN IF QNAP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- Resolve of Disputes
Any litigation or disputes arising out of this Program/T&C shall be construed and controlled by the laws of Taiwan and shall be subject to the jurisdiction of the District Court of Taipei, Taiwan.
- General Conditions
- All processes of the Program, including but not limited to the decision of severity level, qualification of submission, reward amount, and all the other contents included in this T&C, will be entirely determined and governed by QNAP.
- The policy, guidelines, qualification requirements, eligibility requirements or T&C may change without advance notice. We may also stop the Program at any time.
- QNAP does not guarantee any compensation or credit for use of your Submission.
- Any breach of this T&C may result in the ineligibility of your Submission, prohibition from this Program in the future, or violation of legal liabilities at QNAP's own discretion or under any applicable laws.
- Individuals/organizations on, or residents from the countries in, the sanction list of the Taiwan government are not eligible for the reward. Notwithstanding the foregoing, participation in this Program is still welcomed.
- This T&C is executed in multiple languages. In case of any conflict or inconsistency, the English version shall always prevail.