Our security commitment

At Esusu, protecting customer data is our #1 priority.

Esusu customers and partners trust us with their most important data. Because of that, security is a top priority for our product and engineering teams.

As part of our commitment to keeping customer data secure, Esusu undergoes regular penetration testing, as well as security reviews by credit bureaus and third-party auditors. In addition, our systems are designed to comply with the Fair Credit Reporting Act (FCRA).

World-class security protocols

Data storage & processing

Data is stored and processed in the cloud on secure platforms owned and maintained by independent third parties that are SOC 2 Type 2 certified.

Data encryption

Customer and partner data is encrypted at rest and in transit.

Data permissions & authentication

Access to customer data is restricted to authorized personnel, and team members use multi-factor authentication to access cloud-based service providers.

Certification

Esusu is SOC 2 Type 2 certified, and all team members are required to adhere to the company’s security policies and code of conduct.

SOC 2 Type 2 certified

Contact Security at Esusu

Please complete the form below and an Esusu team member will get back to you within 1-2 business days.

Bug Bounty Program

The Esusu Bug Bounty Program Terms and Conditions (“Terms”) cover your participation in the Esusu
Bug Bounty Program (the “Program”). These Terms are between you and Esusu, Inc. (“Esusu,”
“us” or “we”). By submitting any vulnerabilities to Esusu or otherwise participating in the Program in any
manner, you accept these Terms.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE
PARTICIPATE IN THIS PROGRAM.

We encourage security professionals to practice responsible disclosure and let us know right away if a vulnerability is discovered on the site. We will investigate all legitimate reports and follow up if more details are required. You can submit the vulnerability report at this link: http://esusurentcom.wpenginepowered.com/security/

Maintaining the security of our applications and networks is a high priority for Esusu. If you have information related to security vulnerabilities of Esusu products and services, please submit a report in accordance with the guidelines below.

  • Please provide, as much as possible, detailed reports with reproducible steps.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • Multiple vulnerabilities caused by one underlying issue will only be responded to once.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program. Esusu disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter. There may be additional restrictions on your ability to enter the Program depending upon your local law.

Please submit your report by clicking on the “Contact Us” button or sending an email to bugs@esusu.org. Your submission will be reviewed and validated by a member of the Esusu Security team. Providing clear and concise steps to reproduce the issue will help to expedite the response. As a bare minimum, please include in your report:

  • List the URL and any affected parameters
  • Describe the browser, OS, and/or app version
  • Describe the perceived impact. How could the bug potentially be exploited?

  • You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.
  • You agree that You shall not, without the prior written consent of Esusu in each instance (i) use in advertising, publicity or otherwise the name of Esusu or its Affiliates or any trade name, trademark, trade device, service mark, symbol or any abbreviation, contraction or simulation thereof owned by Esusu or its Affiliates, or (ii) represent, directly or indirectly, any service or work provided by You as approved or endorsed by Esusu or its Affiliates.
  • You agree that any and all information acquired or accessed by You as part of this exercise is confidential to Esusu and You shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
  • You acknowledge and agree that any and all information you encounter in the course of assessing our websites or publicly accessible assets is owned by Esusu or its third party providers, clients or customers. You have no rights, title or ownership to any information that you may encounter.
  • You must not engage in activity that is harmful to you, the Program, or others (e.g., transmitting
    viruses, stalking, posting terrorist content, communicating hate speech, or advocating
    violence against others).
  • You must not infringe upon the rights of others (e.g., unauthorized sharing of copyrighted
    material) or engage in activity that violates the privacy of others.
  • Esusu may modify the terms of this policy or terminate the policy at any time.
  • By clicking Submit Report, you consent to Your Information being transferred to and stored in the United States and acknowledge that you have read and accepted the Terms, Privacy Policy and Disclosure Guidelines presented to you when you created your account.
  • Please use your own account for testing or research purposes. Do not attempt to gain access to another user’s account or confidential information.
  • Please do not test for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own.

Other than your submission, Esusu does not consider or accept unsolicited proposals or ideas, including
without limitation ideas for new products, technologies, promotions, product names, product feedback
and product improvements (‘Unsolicited Feedback’). If you send any Unsolicited Feedback to Esusu
through the Program or otherwise, Esusu makes no assurances that your ideas will be treated as
confidential or proprietary.

ESUSU MAKES NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO
THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN
RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN
CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW.
NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.

If you have any basis for recovering damages in connection with the Program (including breach of these
Terms), you agree that your exclusive remedy is to recover, from Esusu or any affiliates, resellers,
distributors, third-party providers, and vendors, direct damages up to $100.00. You can’t recover any
other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or
punitive. These limitations and exclusions apply even if this remedy doesn’t fully compensate you for
any losses or fails of its essential purpose or if we knew or should have known about the possibility of
the damages. To the maximum extent permitted by law, these limitations and exclusions apply to
anything or any claims related to these Terms and the Program.

If a dispute arises in connection with these Terms, you and Esusu agree to make good faith efforts to
resolve it informally for 60 days. If such efforts are unsuccessful, you and Esusu agree to binding
individual arbitration before the American Arbitration Association (‘AAA’) under the Federal Arbitration
Act (‘FAA’), and not to sue in court in front of a judge or jury. Instead, a neutral arbitrator will decide
and the arbitrator’s decision will be final except for a limited right of review under the FAA. Class action
lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where
someone acts in a representative capacity aren’t allowed. Nor is combining individual proceedings
without the consent of all parties.

  • The AAA rules will govern payment of filing fees and the AAA’s and arbitrator’s fees and
    expenses.
  • These Terms govern to the extent they conflict with the AAA’s Rules.
  • You and Esusu agree to file any claim or dispute in arbitration within one year from when it first
    could be filed. Otherwise, it’s permanently barred.
  • If the class action waiver is found to be illegal or unenforceable as to all or some parts of a
    dispute, then those parts won’t be arbitrated but will proceed in court, with the rest proceeding
    in arbitration. If any other provision of this section is found to be illegal or unenforceable, that
    provision will be severed but the rest of this section still applies.

The laws of the State of Delaware govern all claims, regardless of conflict of laws principles, except that the Federal Arbitration Act governs all provisions relating to arbitration. You and Esusu irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in New York County, New York for all disputes arising out of or relating to these Terms or the Program.

These Terms make up the entire agreement between you and Esusu for your participation in the Program. They supersede any prior agreements between you and Esusu regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court or arbitrator holds that we can’t enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won’t change.

Thank you for helping keep Esusu and the personal data of our employees and customers safe.