PROGRAM OVERVIEW
CHANGES TO THESE TERMS
PROGRAM ELIGIBILITY
SUBMISSION PROCESS & COORDINATED VULNERABILITY DISCLOSURE
SUBMISSION LICENSE
CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE
- Timeline
- Restrictions on disclosure
SUBMISSION REVIEW PROCESS
BOUNTY PAYMENTS
- Rewards
- Eligibility
PUBLIC RECOGNITION
PRIVACY
CODE OF CONDUCT
NO WARRANTIES
CHOICE OF LAW AND PLACE TO RESOLVE DISPUTES
MISCELLANEOUS
UNSOLICITED IDEAS
VULNERABILITY SUBMISSION

PROGRAM OVERVIEW

The Bug Bounty Program enables users to submit vulnerabilities and exploitation techniques (“Vulnerabilities”) to CUJO AI about eligible CUJO AI products and services (“Products”) for a chance to earn financial rewards in an amount determined by CUJO AI in its sole discretion (“Bounty”). In the event of a conflict between these Terms and the Product Program Terms for a particular Product, the Product Program Terms control for that particular Product only. The decisions made by CUJO AI regarding Bounties are final and binding. CUJO AI may change or cancel this Program at any time, for any reason.

The CUJO AI Bug Bounty Programs Terms and Conditions (“Terms”) cover your participation in the CUJO AI Bug Bounty Program (the “Program”). These Terms are between you and CUJO LLC (“CUJO AI,” “us” or “we”). By submitting any vulnerabilities to CUJO AI or otherwise participating in the Program in any manner, you accept these Terms.

CHANGES TO THESE TERMS

We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don’t agree to the new Terms, you must not participate in the Program.
If you wish to opt-out of the Program and not be considered for Bounties, contact us at [email protected]. Opting out will not affect any licenses granted to CUJO AI in any Submissions provided by you.

PROGRAM ELIGIBILITY

You ARE eligible to participate in the Program if you meet all of the following criteria:

You are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain your parent’s or legal guardian’s permission prior to participating in this Program;
You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s rules for participating in this Program.

ATTENTION PUBLIC SECTOR EMPLOYEES: If you are a public sector employee (government and education), all Bounties must be awarded directly to your public sector organization and subject to receipt of a gift letter signed by your organization’s ethics officer, attorney, or designated executive/officer responsible for your organization’s gifts/ethics policy. CUJO AI seeks to ensure that by offering Bounties under this Program, it does not create any violation of the letter or spirit of a participant’s applicable gifts and ethics rules.

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

You are a resident of any countries under U.S. sanctions (see link for current sanctions list posted by the United States Treasury Department) or any other country that does not allow participation in this type of program;
You are under the age of 14;
Your organization does not allow you to participate in these types of programs;
You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;
You are currently an employee of CUJO LLC or a CUJO LLC subsidiary or affiliate, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
Within the six months prior to providing us your Submission you were an employee of CUJO LLC or a CUJO AI subsidiary or affiliate; or
You currently (or within six months prior providing to us your Submission) perform services for CUJO AI or a CUJO AI subsidiary or affiliate in an external staff capacity that requires access to the CUJO AI Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor;
It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. All payments will be made in compliance with local laws, regulations, and ethics rules. CUJO AI disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
There may be additional restrictions on your ability to enter depending upon your local law.

SUBMISSION PROCESS & COORDINATED VULNERABILITY DISCLOSURE

If you believe you have identified a Vulnerability that meets the applicable requirements set forth in the Product Program Terms, you may submit it to CUJO AI through the process described in the Product Program Terms or, if none is provided, in accordance with the following process:

Each Vulnerability submitted to CUJO AI shall be a “Submission.” Submissions must be sent to [email protected]. In the initial email, specify that you submit to the Bounty Program, add the Vulnerability details, and specific product version numbers you used to validate your research.
Please also include as much of the following information as possible:
- Type of issue (buffer overflow, SQL injection, cross-site scripting, etc.)
- If known, the severity as defined in Common Vulnerability Severity Rating v3.1
- Product and version that contains the bug, or URL if it is an online service
- Any updates for the product you have installed/used
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue on a fresh install
- Proof-of-concept or exploit code
- Impact of the issue, including how an attacker could exploit the issue
A sample report is available here.
You must follow Coordinated Vulnerability Disclosure (CVD) when reporting all Vulnerabilities to CUJO AI. Submissions that do not follow CVD may not be eligible for Bounties and not following CVD could disqualify you from participating in the Program in the future.
Depending on the detail of your Submission, CUJO AI may award a Bounty of varying scale. Well-written reports and functional exploits are more likely to result in Bounties.
Those Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Bounties.
CUJO AI is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify CUJO AI at [email protected] to ensure your Submission was received.
There are no restrictions on the number of qualified Submissions you can provide and potentially be paid a Bounty for.
If you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Bounty payments if the product or service is later added to the Program.

SUBMISSION LICENSE

CUJO AI is not claiming any ownership rights to your Submission. However, by providing any Submission to CUJO AI, you:

grant CUJO AI the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
understand and acknowledge that CUJO AI may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
understand that you are not guaranteed any compensation or credit for use of your Submission; and
represent and warrant that your Submission is your own work, that you haven’t used information owned by another person or entity, and that you have the legal right to provide the Submission to CUJO AI.

CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE

Timeline

Protecting customers is CUJO AI’s highest priority. We endeavor to address each Vulnerability report in a timely manner.

While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions.

You will receive a non-automated response to your initial contact within two business days (European schedule), confirming receipt of your reported vulnerability. You will receive progress updates from CUJO LLC at least every week.

We aim to resolve critical issues within ten business (10) days of disclosure.

Restrictions on disclosure

We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is reported as fixed.

You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is reported as fixed.

CUJO AI will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. If you impose a fix timeline or Service Level Agreement (“SLA”) anytime throughout the case process, you will forfeit your bounty eligibility. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

SUBMISSION REVIEW PROCESS

After a Submission is sent to CUJO AI in accordance with the above terms, CUJO AI engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.
CUJO AI retains sole discretion in determining which Submissions are qualified and the amount of any Bounty paid according to the rules set forth in the Program Terms. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to CUJO AI, we may award a differential to the person submitting the duplicate report.
If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Bounty. If you submit the functioning exploit within 90 days of submitting the Vulnerability, we may, in our discretion, provide an additional Bounty payment (but are not obligated to do so).

BOUNTY PAYMENTS

Rewards

Our rewards are based on the domain affected, on the severity of a vulnerability calculated as defined by the Common Vulnerability Scoring System (CVSS) v3.1 and on the impact on the system(s) affected.

Domain	Maximum amount paid
In cujo.com website, another customer’s assets or in other CUJO AI assets	Up to $1,000 (one thousand USD)
In CUJO AI services/products (incl. firmware)	Up to $10,000 (ten thousand USD)

Eligibility

The decisions made by CUJO AI regarding Bounties are at CUJO AI’s sole discretion and are final and binding.
If we have determined in our sole discretion that your Submission is eligible for a Bounty under the applicable Product Program Terms, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.
If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.
Before receiving a Bounty, you may be required to complete and submit certain forms, e.g., Internal Revenue Service tax form (e.g., Form W-9, W-8BEN, 8233), and if you are you must do so within 30 calendar days of notification of validation. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation.

If your Submission qualifies for a Bounty, please note:

you may not designate someone else as the Bounty recipient unless you are considered a minor in your place of residence;
if you are eligible for this Program but are considered a minor in your place of residence, we may award the Bounty to your parent/legal guardian on your behalf and require them to sign all required forms on your behalf. The Bounty will be added to the taxable income of your parent/legal guardian;
if you are unable or unwilling to accept your Bounty, we reserve the right to rescind it; and
if you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).

NOTE: For public sector employees (government and education), all Bounties must be awarded directly to your public sector organization and subject to receipt of a gift letter signed by the organization’s ethics officer, attorney, or designated executive/officer responsible for the organization’s gifts/ethics policy. CUJO AI seeks to ensure that by offering Bounties under this Program, it does not create any violation of the letter or spirit of a participant’s applicable gifts and ethics rules.

PUBLIC RECOGNITION

CUJO AI may publicly recognize individuals who have been awarded Bounties. CUJO AI at it is discretion may recognize you on web properties or other printed materials unless you explicitly ask us not to include your name.

PRIVACY

See the CUJO AI Privacy Statement disclosures relating to the collection and use of your information in connection with the Program.

CODE OF CONDUCT

By participating in the Program, you will follow these rules:

Don’t do anything illegal.
Don’t engage in any activity that exploits, harms, or threatens to harm children.
Don’t send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
Don’t share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
Don’t engage in activity that is false or misleading.
Don’t engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
Don’t infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
Don’t help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.

NO WARRANTIES

CUJO AI, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
LIMITATION OF LIABILITY & BINDING ARBITRATION

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from CUJO AI or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to $100.00. You can’t recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn’t fully
compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.

CHOICE OF LAW AND PLACE TO RESOLVE DISPUTES

The laws of California govern all claims, regardless of conflict of laws principles, and You irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in California, for all disputes arising out of or relating to these Terms.

MISCELLANEOUS

These Terms, the CUJO AI Privacy Statement, and any applicable Product Program Terms are the entire agreement between you and CUJO AI for your Participation in the Program. It supersedes any prior agreements between you and CUJO AI regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court holds that we can’t enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won’t change.

UNSOLICITED IDEAS

Other than your Submission, CUJO AI does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements (“Unsolicited Feedback”). If you send any Unsolicited Feedback to CUJO AI through the Program or otherwise, CUJO AI makes no assurances that your ideas will be treated as confidential or proprietary.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.

Cookie	Duration	Description
cli_user_preference	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
cookielawinfo-checkbox-advertisement	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie records the default button state of the corresponding category & the status of CCPA.
cujo_cerber_*	1 day	These cookies are set by your website's security and anti-spam plugin. Used to provide protection against hackers, provide technical functions.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__Secure-*	6 months	These cookies are set by Google to enable YouTube embedded videos and are used to detect spam, fraud, and abuse to help ensure advertisers are not incorrectly charged for fraudulent or otherwise invalid impressions or interactions with ads, and that YouTube creators in the YouTube Partner Program are remunerated fairly. More information about Google's cookies: https://policies.google.com/technologies/cookies/embedded
AEC	6 months	This cookie is set by Google to enable embedded YouTube videos. The cookie is used to detect spam, fraud, and abuse to help ensure advertisers are not incorrectly charged for fraudulent or otherwise invalid impressions or interactions with ads, and that YouTube creators in the YouTube Partner Program are remunerated fairly. More information about Google's cookies: https://policies.google.com/technologies/cookies/embedded
CONSENT	13 months	These cookies are set by Google to enable embedded YouTube videos. The cookie is used to save information about how the visitor uses the web site. More information about Google's cookies: https://policies.google.com/technologies/cookies/embedded
DV	10 minutes	These cookies are set by Google to enable embedded YouTube videos. The cookie stores the visitor's preferences and other information, including their chosen language, the number of search results shown on a page, as well as the choice of whether the filter Google SafeSearch should be activated or not. More information about Google's cookies: https://policies.google.com/technologies/cookies/embedded
SOCS	13 months	Cookie set by Google used to play embedded YouTube videos. Records the user's cookies choice. More information about Google's cookies: https://policies.google.com/technologies/cookies/embedded
Wp-Settings-*	6 months	Cookie set by WordPress used to store user preferences.

Cookie	Duration	Description
AnalyticsSyncHistory	30 days	A non-necessary cookie used to store information about the time a sync took place. Provider: LinkedIn More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
bcookie	1 year	Browser Identifier cookie to uniquely identify devices. Provider: LinkedIn More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
bscookie	1 year	Used to store logged in users verified by two factor authentication and previously logged in on LinkedIn. Provider: LinkedIn More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
JSESSIONID	session	Cookie set by LinkedIn used for Cross Site Request Forgery (CSRF) protection and URL signature validation. More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
lang	session	Cookie set by LinkedIn used to remember a user's language setting. More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
li_alerts	1 year	Cookie set by LinkedIn used to track impressions of LinkedIn alerts, such as the Cookie Banner and to implement cool off periods for display of alerts. More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
li_gc	6 months	Cookie set by LinkedIn used to store consent of guests regarding the use of cookies for non-essential purpose. More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
li_sugr	3 months	Cookie set by LinkedIn used to make a probabilistic match of a user's identity. More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
lidc	24 hours	Cookie set by LinkedIn used to facilitate data center selection More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table
UserMatchHistory	1 month	Used to provide ad delivery or ad retargeting, syncs the LinkedIn Ads ID. Provider: LinkedIn. More information about LinkedIn's cookies: https://www.linkedin.com/legal/l/cookie-table

Bug Bounty Program – Terms and Conditions

Table of Contents