Disclosure Terms
Agreement to These Terms
These Disclosure Terms (“Terms”) govern your participation in the SikkerKey Vulnerability Disclosure Program (the “Program”). By submitting a report through the Program, or by indicating your agreement when you submit, you accept and agree to be bound by these Terms. If you do not agree, do not submit a report.
These Terms are in addition to SikkerKey’s Terms of Service. Where they conflict on a matter specific to the Program, these Terms control.
Definitions
Throughout these Terms:
- “SikkerKey”, “we”, or “us” refers to SikkerKey and the systems and services it operates.
- “Researcher” or “you” refers to any person who submits a report to, or otherwise participates in, the Program.
- “Report” refers to a submission describing a suspected vulnerability, including any text, steps, and attachments you provide.
- “In-Scope Systems” refers to the systems listed in Section 02.
- “Vulnerability” refers to a security weakness in an In-Scope System that you can demonstrate with a working proof of concept.
Scope
The following systems are in scope for the Program:
- sikkerkey.com
- app.sikkerkey.com
- api.sikkerkey.com
- machines.sikkerkey.com
Everything not listed above is out of scope, including third-party services SikkerKey relies on. Testing outside the In-Scope Systems is not authorized under these Terms and is not covered by the safe harbor in Section 04.
Rules of Engagement
While testing an In-Scope System, you must, at all times:
- test only against accounts and data that belong to you
- access only the minimum data needed to demonstrate a vulnerability, and stop as soon as it is demonstrated
- never access, modify, delete, exfiltrate, or retain data that is not yours
- never degrade, disrupt, or deny the service, including through denial-of-service or volumetric testing, or high-volume automated scanning
- never use social engineering, phishing, or physical attacks against SikkerKey, its staff, its users, or its partners
- comply with all applicable laws
Any activity outside these rules is unauthorized and falls outside the safe harbor in Section 04.
Authorization & Safe Harbor
If you make a good-faith effort to comply with these Terms, we consider your security research authorized. We will not bring or support legal action against you for that research, and we will not report it to law enforcement. If a third party brings a claim against you for activity that complied with these Terms, we will make it known that your activity was authorized.
This safe harbor does not apply to activity that violates these Terms or any applicable law, or that harms SikkerKey, its users, or third parties. Nothing in this section waives any right or remedy with respect to activity outside these Terms.
Confidentiality & Disclosure
You agree to keep each Report, and the vulnerability it describes, confidential, and not to disclose it publicly or to any third party until the earliest of: SikkerKey confirming that the issue has been remediated; SikkerKey giving you written permission to disclose; or 90 days after you submitted the Report.
Where remediation is complex, we may ask you to delay disclosure beyond that period; any such extension is by mutual agreement. We will work with you in good faith toward a coordinated public disclosure and will not unreasonably withhold consent once an issue is resolved. This section governs the timing of your disclosure only and does not commit SikkerKey to any response or remediation timeframe.
Recognition
The Program is a vulnerability disclosure program, not a bug bounty. It does not offer monetary rewards, and no payment or other compensation is owed for submitting a Report.
We genuinely appreciate the researchers who take the time to report issues responsibly. Where a Report helps us improve the security of the service, we may, at our discretion and with your consent, publicly credit you for the finding. Any recognition of this kind is non-monetary and offered as a thank-you, not as an obligation.
Your Submission
By submitting a Report, you represent and warrant that you are its author and have the right to submit it, that it contains no confidential information belonging to a third party, no malware, and no unlawful content, and that you were not paid or directed by a third party to test the In-Scope Systems in violation of these Terms.
You grant SikkerKey a perpetual, irrevocable, worldwide, royalty-free license to use, reproduce, adapt, and act on the Report and its contents for any purpose, including investigation, remediation, and the security of the service. You agree that the Report is not confidential as against SikkerKey.
Personal Data
We process the name, email address, and any other personal data you provide solely to review and respond to your Report and to operate the Program. The lawful basis is our legitimate interest in the security of the service. We handle personal data in accordance with our Privacy Policy and applicable data protection law, including the General Data Protection Regulation.
We keep a Report and the personal data it contains only as long as we need it to operate the Program: a Report is deleted within 12 months of being closed, and every Report, together with its attachments, is permanently deleted no later than 18 months after it was submitted.
Eligibility
To participate, you must be at least 18 years old, or the age of majority in your jurisdiction, acting on your own behalf, and not located in or a resident of a jurisdiction subject to comprehensive trade sanctions. Current SikkerKey employees and contractors, and their immediate family members, are not eligible to participate.
No Warranty
The Program is provided on an “as is” and “as available” basis. Participation is voluntary and at your own risk. SikkerKey is under no obligation to review, respond to, or act on any Report. To the maximum extent permitted by law, SikkerKey is not liable for any damages arising from your participation in the Program.
Changes to the Program
We may modify these Terms or discontinue the Program at any time, effective when posted on this page. The Terms in effect when you submit a Report govern that Report. Continuing to participate after a change takes effect constitutes acceptance of the updated Terms.
Governing Law
These Terms are governed by and construed in accordance with the laws of the Kingdom of Denmark, without regard to conflict of law principles. Any disputes arising from or in connection with these Terms are subject to the exclusive jurisdiction of the courts of Denmark. For Researchers located in the European Union, this does not affect your mandatory rights under the law of your country of residence.
Contact
Questions about the Program or these Terms:
SikkerKey
Email: [email protected]