Xplora Vulnerability Disclosure Policy

About Program

The Program enables eligible participants to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to Xplora about Xplora products and services ("Products") in accordance with these terms and conditions for a chance to earn rewards. The amount of a reward is determined by Xplora at its sole and absolute discretion ("Bounty"). The decisions made by Xplora regarding Bounty are final and binding.

Change of Terms

Xplora may change or cancel this Program at any time, for any reason. If Xplora changes these Terms, by continuing to participate in the Program you are deemed to have accepted the changes. You may opt-out of the Program by contacting us at secure@xplora.com.

Program Eligibility

To be eligible to participate in the Program, the issue must occur on the latest publicly available versions of the Product with a standard configuration. Also, you must:

• be 18 years old or older;
• be the first party to report the issue to Xplora;
• not disclose the issue publicly before Xplora release update to fix the issues;
• not be subject to legal obligations that prevent you from doing so. For example, your employment contract or ethical rules;
• not be a sanctioned person or a citizen of a sanctioned country under applicable law;
• not be in violation of any applicable laws or regulations;
• not be an immediate family member of a person employed by Xplora or an ex-employee of Xplora within the six months prior to providing us with your Submission;
• and not be involved in any part of the development, administration, and/or execution of this Program and Product.

These eligibility requirements are meant to protect customers until an update is available, ensure Xplora can quickly verify reports and create necessary updates, and properly reward those reporters.

Submission

Vulnerabilities submitted to Xplora must be submitted by sending an email to secure@xplora.com with the full description of the Vulnerability and must be specified along with the name of the relevant Product affected, including as much of the following information as possible:

• Type of issue (SQL injection, cross-site scripting, buffer overflow, etc)
• provide all steps required to reproduce the exploit of the vulnerability;
• proof of concept or exploit code;
• saved attack logs;
• any special configuration required to reproduce the issue;
• URLs and/or applications affected; and
• describe the potential impact of the issue, and how an attacker could exploit it.

Incomplete information and complexity of the Vulnerability may affect the review time of the Vulnerability, whether to award a Bounty and/or the amount of a Bounty.

Bounty Payments

The decisions made by Xplora regarding Bounties are final and binding. If Xplora has determined that your Submission is eligible for a Bounty under the Program Terms, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.

If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.

Before receiving a Bounty, you are required to complete any forms that may be required by us and/or applicable laws and regulations. We cannot process payment until you have completed and submitted the fully executed required documentation(s).

When determining the amount of and if to award a Bounty, Xplora will take into account the level of risk, the complexity of the Vulnerability, the details of the submission and the impact of the Vulnerability.

If your Submission qualifies for a Bounty, please note:

• you may not designate someone else to receive your Bounty payout unless you are considered a minor in your place of residence;
• you must submit a valid invoice to us using the invoice template and/or format requirements provided by us;
• if you are eligible for this Program but are considered a minor in your place of residence, we may award the Bounty to your parent/legal guardian on your behalf and require them to sign all required forms on your behalf. The Bounty will be added to the taxable income of your parent/legal guardian; and,
• if you are unable or unwilling to accept your Bounty, we reserve the right to rescind it.

If the requirements are met in full and the invoice contains the correct information we require to pay you, we will use reasonable efforts to pay the accepted and undisputed invoice within 30 days of the date of the invoice.

Bounties are paid in Euro to your nominated bank account. You will be responsible for any tax obligations and transaction fees as a result of any Bounty paid out.

Obligations

You shall:

• only participate in the Program solely for the intended purpose of disclosing Vulnerabilities to Xplora as described in these Terms and any related documentation;
• participate in the Program for lawful purposes only and shall comply with all applicable laws and regulations;
• only access, disclose or modify your own customer data and be solely responsible for the accuracy, completeness, appropriateness, and legality of any data or Vulnerabilities you upload and/or provide through your participation in the Program; and,
• keep confidential Vulnerabilities and not disclose to any third parties any other data and/or information accessed and/or obtained through or in connection with your participation in the Program or through the process of discovering Vulnerabilities below.

You shall not:

• use scanning, denial of service, spamming and related techniques and/or attacks, which may harm, cause degradation of or otherwise influence the integrity or reliability of the Products or data of Xplora, its customers and/or its users of its Products;
• attempt to gain access to another users account and/or data;
• access the Program for purposes of monitoring its availability, performance or functionality of Xplora, except for the sole purpose of discovery and submission of Vulnerabilities;
• transmit any viruses or exploits through your use of the Program, except for the sole purpose of discovery and submission of Vulnerabilities and subject to compliance with these Terms;
• upload, input, access, store, distribute or any material, including without limitation any data you input and/or provide during the course of your participation in the Program that: (i) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; (ii) facilitates illegal activity; or (iii) is otherwise illegal (including without limitation infringement of any third party intellectual property rights or any other rights) or causes damage or injury to any person or property;
• access all or any part of the Products and related documentation in order to build a product or service which competes in whole or part with these services and/or the documentation;
• access and/or use the Products and/or Documentation to provide services to third parties;
• reverse engineer, decompile, disassemble, modify, license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or otherwise make the Products and/or related documentation available to any third party;
• attempt to obtain, or assist third parties in obtaining, access to the Products and/or related documentation; and
• upload or input through the Products or otherwise disclose to Xplora or its affiliates, any information which you do not have the rights to and/or which you are under an existing contractual or other legal obligation to maintain in confidence.

We reserve the right, without liability or prejudice to our other rights, to disable your access to the Program in the event of your breach of this Term and/or access to any material that breaches the provisions of this section. We may further deem you to be ineligible for a Bounty payment.

Intellectual Property Rights

You acknowledge and agree that Xplora shall be granted a non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to use, copy, publish, review, assess, test, adapt, modify and otherwise analyse the Vulnerabilities and/or any feedback related to the Vulnerabilities including any Intellectual Property Rights therein, submitted to Xplora via the Program and all related software, applications, documentation, and materials. You represent and warrant that your submission of any Vulnerabilities is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Vulnerabilities to Xplora.

Except for your limited right to participate in the Program subject to and in accordance with these Terms, nothing in these Terms grants you any rights to, or in, patents, copyrights, database rights, trade secrets, trade names, trademarks (whether registered or unregistered), or any other rights or licences in respect of our software, these services and related documents and/or any updates, developments or improvements thereto which are expressly reserved by us.

You agree that the Vulnerability shall be deemed the Confidential Information of Xplora and you shall not publish, discuss or disclose the Vulnerability to any third parties in order to provide Xplora with an opportunity to fix the Vulnerability. You may publish and discuss the Vulnerability only after receiving notice that the Vulnerability is fixed, subject to the prior written consent of Xplora, which shall not be unreasonably withheld.

Failure to comply with these "Intellectual Property Rights" and the requirement of confidentiality may jeopardise the Bounty and also create a risk of legal action, and you agree to indemnify Xplora for any losses as a result of such breach of this clause.

For the purposes of "Intellectual Property Rights" means: including without limitation, rights in patents, trademarks, service marks, trade names, other trade-identifying symbols and inventions, copyrights, design rights, database rights, rights in know-how, trade secrets and any other intellectual property rights arising anywhere in the world, whether registered or unregistered and including applications for the grant of any such rights.

Your Information

You will provide us with all information we may reasonably require for you to participate in the Program and, where relevant, receive a Bounty award. Except for our obligations under our privacy policy and applicable data protection laws with respect to our processing of any personal data you may provide us through your participation in the Program, we disclaim all liability of any kind in respect of (i) any information, data or materials you upload and/or provided through your participation in the Program, (ii) third party information, (iii) any other material or services which may be accessed when participating in the Program, and/or (v) for any fraud committed in connection with the Program.

No Warranties

THE PROGRAM IS PROVIDED "AS IS". TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, WE EXPRESSLY DISCLAIM ALL REPRESENTATIONS AND WARRANTIES IN CONNECTION WITH THE PROGRAM, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF INTELLECTUAL PROPERTY, ACCURACY, COMPLETENESS, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING BY STATUTE OR OTHERWISE IN LAW OR FROM COURSE OF DEALING, COURSE OF PERFORMANCE OR USE OF TRADE WHICH ARE HEREBY EXCLUDED AND YOU UNDERSTAND YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK.

Limitation of Liability and Disclaimer

THE PROGRAM MAY CONTAIN LINKS TO WEBSITES OR SERVICES OPERATED BY THIRD PARTIES AND THESE LINKS ARE FOR CONVENIENCE ONLY. WE ARE NOT RESPONSIBLE FOR AND DISCLAIM ANY AND ALL LIABILITY FOR SUCH WEBSITES AND SERVICES CONTENT AND PRIVACY POLICIES AND DO NOT ENDORSE ANY LINKED MATERIAL. TO THE MAXIMUM EXTENT PERMITTED BY LAW (A) WE SHALL NOT BE LIABLE TO YOU FOR ANY DAMAGES, CLAIMS, EXPENSES OR OTHER COSTS (INCLUDING, WITHOUT LIMITATION, ATTORNEYS' FEES) YOU SUFFER OR INCUR AS A RESULT OF THIRD-PARTY CLAIMS RELATING TO YOUR USE OF THE PROGRAM, (B) UNDER NO CIRCUMSTANCES WILL WE BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES, AND (C) OUR MAXIMUM AGGREGATE LIABILITY TO YOU ARISING OUT OF OR IN CONNECTION WITH THESE TERMS SHALL BE LIMITED TO EURO100, REGARDLESS OF THE CAUSE. WE DO NOT EXCLUDE OR LIMIT OUR LIABILITY FOR DEATH OR PERSONAL INJURY CAUSED BY OUR NEGLIGENCE, FOR FRAUD OR FOR ANY OTHER LIABILITY WHICH CANNOT BE LIMITED OR EXCLUDED BY APPLICABLE LAW.

Issues

If you encounter any issues with your participation in the Program or wish to remove your details, please contact us at secure@xplora.com.

Applicability of Terms of Use

These Terms shall apply for as long as you are permitted access to use the Program pursuant to these Terms. Cancellation of the Program and/or termination of these Terms and/or where you opt out of the Program shall not affect Xplora's rights and your obligations under these Terms prior to such cancellation or termination, which shall continue to apply, unless otherwise agreed in writing.

General

These Terms shall be governed by and interpreted in accordance with the laws of Norway (excluding any rules governing choice of laws) and the parties agree to submit to the exclusive jurisdiction of the Norwegian Courts. These Terms will be binding on and will inure to the benefit of the legal representatives, successors and assigns of the parties hereto. These Terms (and any policies referenced herein and incorporated by reference) constitute the entire agreement between you and us with respect to the subject matter hereof, and you have not relied upon any promises or representations by us with respect to the subject matter except as set forth herein. You shall not assign these Terms or assign any rights or delegate any obligations hereunder, in whole or in part, whether voluntarily or by operation of law. The governing language of these Terms is English.