Bug Bounty Program Terms and Conditions

Last modified: October 30, 2020

WHAT IS A BUG BOUNTY PROGRAM?

A bug bounty program (“Program”) permits independent researchers to report the discovered security issues, bugs or vulnerabilities in Planner 5D services (“Bug”) for a chance to earn rewards in the amount determined by Planner 5D for being the first one to discover a Bug, subject to compliance with eligibility and participation requirements (“Bounty”).

Before reporting a Bug, please review these Bug Bounty Program Terms and Conditions (“Terms”). These Terms are concluded between You and UAB Planner5D (“Planner 5D”). By submitting any Bug to Planner 5D or otherwise participating in the Program, You agree to comply with these Terms. All matters not covered by these Terms shall be governed by the provisions of the Terms of Service. In case of any inconsistency or discrepancy between the Terms of Service and these Terms with regard to the Program, the Terms shall prevail.

If You do not agree with these Terms, please do not send any Submission (as defined below) to Planner 5D or otherwise participate in this Program.

ELIGIBILITY REQUIREMENTS

To be eligible to participate in the Program You shall comply with all of the following requirements:

  1. You are at least 16 years of age. If You are 16 years of age, but are considered a minor in Your place of residence, You must obtain Your parent’s or legal guardian’s written consent to participate in this Program; failure to provide such consent upon Planner 5D’s request will lead to Your disqualification from the Program;
  2. You are an individual researcher participating in the Program in Your own capacity; if You work for an organization, it is Your responsibility to comply with Your employer’s rules and policies that would affect Your eligibility to participate in the Program;
  3. You are not an employee or an external staff member of Planner 5D or its affiliate;
  4. You are not an immediate family member of an employee or an external staff member of Planner 5D or its affiliate;
  5. You act in compliance with the national, state and local laws and regulations;
  6. You neither reside in a country that is on the EU or the USA trade or economic sanctions list, nor are You a person subject to sanctions or restrictions imposed by the EU or the USA.

SUBMISSIONS

When performing Your research, You shall always act in good faith. You shall neither modify any files or data, nor intentionally view or access any data beyond what is needed to prove the vulnerability. Planner 5D does not allow any actions that could negatively impact Planner 5D’s services or experience on Planner 5D’s website or app.

The Bugs identified by You shall be sent to security@planner5d.com. Once the Bug is sent to Planner 5D, it becomes a “Submission”. For all Submissions, please include a full description of the vulnerability being reported, including the exploitability and impact, evidence and explanation of all steps required to reproduce the Submission. Please refer to the box below to make sure Your Submission is eligible. Depending on the detail of Your Submission, Planner 5D may award a Bounty of varying scale. Planner 5D will make its best efforts to respond to Your Submission promptly. However, the time of response may vary depending on the complexity and completeness of Your Submission.

By providing a Submission or agreeing to the Program Terms, You agree that You may not publicly disclose Your findings or the contents of Your Submission to any third parties in any way without Planner 5D’s prior written approval.

Bugs that are eligible for submission:

Severity: Critical
Maximum Bounty payout: up to 1000 USD
Bugs:

  • Privilege escalation
  • Injection (SQL, code, file, e-mail, HTTP header)
  • Server-side remote code execution (RCE)
  • Disclosure of sensitive or personally identifiable information - no victim action is required, for example select data from database
  • Other security vulnerabilities determined to be high severity

Severity: High
Maximum Bounty payout: up to 250 USD
Bugs:

  • Memory safety
  • Disclosure of sensitive or personally identifiable information - victim action is required, for example: navigating through website and opening page with Stored Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Payments issue that happens to most users
  • Other security vulnerabilities determined to be high severity

Severity: Medium
Maximum Bounty payout: up to 50 USD
Bugs:

  • HTTP response splitting
  • Stored Cross-Site Scripting
  • App crash that affects most users
  • Other security vulnerabilities determined to be medium severity

Severity: Low
Maximum Bounty payout: up to 10 HD Renders
Bugs:

  • All types of Cross-Site Scripting (XSS) except stored XSS
  • All types of Cross-Site Request Forgery (CSRF)
  • Stale cookies
  • Other security vulnerability determined to be low severity
  • Paid feature does not work after purchase
  • Website is not loading / working for some specific URIs (for example showing white page)
  • Bad translations
  • Payments issue that happens in rare edge cases or due to halted server
  • 2D / 3D editor issues that cause incorrect materials, colors, sizes or control problems
  • Other app or website issues - will be decided on case by case basis

Bugs that are not eligible for submission:

  • Previously submitted bugs
  • Any other submission determined to be medium or low severity, based on unlikely or theoretical attack vectors, requiring significant user interaction, or resulting in minimal impact

BOUNTY PAYMENTS

A Bounty to the Program participant is paid in proportion to the severity of the identified Bug. Only Bugs acknowledged by Planner 5D are rewarded.

You may be eligible to receive a Bounty payment if:

  1. You are the first person to submit a Bug;
  2. The Bug You’ve submitted is determined to be a valid security issue by Planner 5D; and
  3. You have complied with all Program Terms.

The amount of Bounty payments, if any, will be determined by Planner 5D, in Planner 5D’s sole discretion, depending on the sensitivity of the data impacted, ease of exploit and overall risk to Planner 5D services. The decisions made by Planner 5D regarding the Bounty payments are final and binding.

If Planner 5D determines that Your Submission is eligible for a Bounty payment, Planner 5D will notify You of the Bounty amount and will request You to provide certain information to be able to process Your Bounty payment in compliance with applicable legal requirements.

The awarded Bounty payments will be made in Euro or USD either (i) to Your valid PayPal account or (ii) to Your bank account notified by You to Planner 5D. Planner 5D will not be liable for the delay in payments due to inaccuracy of the provided data. Planner 5D will not be able to process the payment until the requested information is provided by You. You may waive the Bounty payment if You do not wish to receive a Bounty or do not want to provide the requested information. You agree that Planner 5D will process the provided information in order to make a Bounty payment under the Program in accordance with the Terms. Planner 5D ensures the security of the data obtained through Your participation in the Program. The personal data shall be used to the extent it is required in order to implement the present Terms.

You will be responsible for any tax implications related to Bounty payments You receive, as determined by the laws of Your jurisdiction of residence or citizenship.

SUBMISSION LICENSE

As a condition of participation in the Program, by providing any Submission to Planner 5D You grant Planner 5D, its subsidiaries and affiliates the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in Your Submission: (i) to use, review, assess, test, and otherwise analyze Your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of Your Submission and all its content, in whole or in part; and (iii) to use Your Submission and all of its content for the marketing, sale, or promotion purposes. You agree to sign any documentation that may be required for Planner 5D or its designees to confirm the rights You granted above. You understand and acknowledge that Planner 5D may have developed or commissioned materials similar or identical to Your Submission, and You waive any claims You may have resulting from any similarities to Your Submission. You understand that You are not guaranteed any compensation or credit for use of Your Submission. You represent and warrant that Your Submission is Your own work, that You have not used information owned by another person or entity, and that You have the legal right to provide the Submission to Planner 5D.

CONFIDENTIALITY

Any information You receive or collect about Planner 5D or its services and tools through the Program (“Confidential Information”) must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including, but not limited to, any information regarding Your Submission and information You obtain when researching the Planner 5D site, services or apps, without Planner 5D’s prior written consent.

TERMINATION

Planner 5D may immediately terminate Your participation in the Program and disqualify You, if one of the following occurs:

  • You breach any provision of these Terms;
  • Your participation in the Program could adversely impact Planner 5D, its services, products or users;
  • You are not acting in good faith when investigating and reporting vulnerabilities to Planner 5D.

If You wish to opt-out of the Program and not be considered for the Bounties, contact Planner 5D at security@planner5d.com.

CHANGES TO THE PROGRAM AND TERMS

Planner 5D may at its sole discretion change or cancel the Program at any time for any reason, without notice to You.

Planner 5D may at its sole discretion amend the Program Terms at any time by posting the amended version of Terms on www.planner5d.com. By continuing to participate in the Program after Planner 5D posts any such changes, You accept the Program Terms, as modified.

NO WARRANTIES

TO THE FULLEST EXTENT PROVIDED BY LAW PLANNER 5D, ITS SUBSIDIARIES AND ITS AFFILIATES HEREBY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. THE FOREGOING DOES NOT AFFECT ANY WARRANTIES THAT CANNOT BE EXCLUDED OR LIMITED UNDER THE APPLICABLE LAW.

LIMITATION OF LIABILITY

TO THE FULLEST EXTENT PROVIDED BY LAW, IN NO EVENT WILL PLANNER 5D, ITS SUBSIDIARIES AND AFFILIATES, OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH YOUR PARTICIPATION IN THE PROGRAM.

YOU HEREBY EXPRESSLY WAIVE ALL RIGHTS TO SEEK PUNITIVE, INCIDENTAL, CONSEQUENTIAL OR SPECIAL DAMAGES, LOST PROFITS AND/OR ANY OTHER DAMAGES, OTHER THAN ACTUAL EXPENSES NOT TO EXCEED 10 (TEN) EURO, AND/OR ANY RIGHTS TO HAVE DAMAGES MULTIPLIED OR OTHERWISE INCREASED.

GOVERNING LAW

These Terms are construed in accordance with and shall be governed by the Laws of Lithuania without giving effect to any conflict of law or choice of law provisions.

DISPUTE RESOLUTION

As a condition of participating in the Program, You agree that any and all claims, disputes that cannot be resolved between the parties, and causes of action arising out of or connected with this Program, shall be resolved individually, without resort to any form of class action, exclusively before a court located in Vilnius, Lithuania having appropriate jurisdiction.

MISCELLANEOUS

The invalidity, illegality or unenforceability of these Terms or any provision thereof shall not affect the validity or enforceability of any other provision of these Terms. If any provision of these Terms is determined to be invalid, illegal or unenforceable, the other provisions will remain in effect and will be construed in accordance with their terms as if the invalid or illegal provision was not contained herein.