System Vulnerability Reporting Agreement
Last updated on March 27, 2024
Recharge’s System Vulnerabilities Responsible Disclosure Agreement explains how individuals (“you”) can report suspected security bugs they discover to Recharge for a potential cash payout. We want to reward folks who help us keep Recharge secure.
By submitting suspected security bugs via the form below (“Vulnerability Report”), you hereby accept the terms and conditions under this Agreement. This System Vulnerabilities Responsible Disclosure Agreement (“Agreement”) is made and entered into as of the date you submit the Vulnerability Report (“Effective Date”), by and between Recharge Inc., (“Recharge”) and you.
The Recharge System Vulnerabilities Responsible Disclosure Agreement allows Recharge, in its sole discretion, to reward participants who discover bugs, exploits, or vulnerabilities in services provided by Recharge and report them so that Recharge can remediate them. Under this program, people who participate ("Participants"), discover bugs, vulnerabilities, or exploits, and report them to Recharge may be paid a reward for helping us improve the quality and security of our services.
Definitions
This Agreement utilizes the following definitions:
- Bug – a software error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.
- Exploit – a piece of software, a collection of data, or a sequence of commands that takes advantage of a bug or vulnerability in a computer program or system with the intent of causing unintended or unanticipated behavior to occur in that program or system.
- Vulnerability – a weakness in computer security, internal controls, design, or implementation that allows an attacker to reduce the system's information assurance or to exploit it, whether accidentally or intentionally, in any way.
Reward Eligibility
You are eligible for an award under this program if:
- You are either an individual independent participant or you work for an organization that permits you to participate. You are responsible for reviewing your employer’s policies that may impact your ability to participate in this program;
- You are not the author of the code that contains the bug, nor were you otherwise involved in its integration into Recharge;
- You did not create, or assist in the creation of, the bug about which you are reporting;
- You are not a current employee or contractor of Recharge or its affiliates;
- You do not reside in a country that is under any current U.S. sanctions;
- You did not violate any applicable laws, regulations, or agreements in your discovery of the reported vulnerability; and
- You have not publicly disclosed the bug you submitted for review.
The following issues are considered out of scope:
- Link injection without evidence of how the vulnerability can be used in an attack
- Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user’s device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Use of known-vulnerable libraries or frameworks, for example an outdated jQuery or AngularJS, without a clear and working exploit
- Self-exploitation (cookie reuse, self cookie-bomb, self denial-of-service etc.)
- Self cross-site scripting (XSS) vulnerabilities without evidence of how the vulnerability can be used to attack another user
- Lack of HTTPS
- Reports about insecure SSL / TLS configuration
- Rate limiting or bruteforce issues on non-authentication endpoints
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- OPTIONS/TRACE/DELETE/PUT/WEBDAV or any other HTTP methods accepted by the server, where no valid attack scenario is demonstrated
- Weak Certificate Hash Algorithm
- Vulnerabilities only affecting users of outdated or unpatched browsers (more than two stable versions behind the latest released stable version)
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Publicly known zero-day vulnerabilities for which an official patch has been available for less than one month; these will be awarded on a case-by-case basis
- Tabnabbing
- Open redirect – unless an additional security impact can be demonstrated
- Issues that require unlikely user interaction
- Security bugs in getrecharge.com – this site runs on WordPress/WPEngine, so if you find vulnerabilities in the WPEngine service, please contact them directly for reporting details
- Non-technical attacks such as social engineering, phishing, or physical or otherwise unauthorized access to Recharge infrastructure or employees
Reward Terms and Requirements
We offer a range of rewards and decide the appropriate award for qualified bug report submissions at our discretion. Please note that all award decisions and amounts are final and at Recharge's full discretion.
In the event a reward is issued, only one reward per submission will be issued. If multiple people contributed to the discovery or reporting of a bug and wish to share the reward, any such sharing will be the full responsibility of the submitting party to manage after the receipt of the single issued reward. If multiple people submit separate qualified reports claiming to have discovered the same bug, the person whose report we received first gets the reward. When a single bug manifests in multiple forms, it will be classified as a single vulnerability (and only one reward will be paid).
Recharge reserves the right to suspend, revise, or terminate this program at any time, with or without notice. Reward recipients are solely responsible for all taxes and associated responsibilities incurred as a result of receipt of a reward.
We are not responsible for reports that we do not receive or for submissions that we receive but are incomplete or unclear.
Our lack of response to your submission does not mean we are ignoring you. We may get numerous submissions, with only a small portion of them being material. We take our time to verify submissions.
In no event are you authorized to intentionally access Recharge customer data.
We reserve the right to take appropriate measures, including notifying authorities and law enforcement.
Confidentiality and Ownership Rights
- Confidentiality
- "Confidential Information" means any technical and non-technical information submitted and/or disclosed by you to Recharge related to Recharge's infrastructure, network, storage, products, user interfaces, source code, specifications, or other Recharge properties (the "Recharge Assets"), and any potential bugs, vulnerabilities, or other security weaknesses in the Recharge Assets.
- You must not in any way disclose any of the Confidential Information to any third party outside of Recharge without Recharge’s prior written consent.
- You must not use, or cause anyone to use, any such Confidential Information for any purpose other than submitting a Vulnerability Report. Furthermore, you shall not disclose the existence of any discussions or consultations in progress between the parties to any form of public media.
- Ownership
- All Confidential Information and any Derivatives (defined below) are the sole and exclusive property of Recharge and no license or other rights to such Confidential Information, Derivatives or any intellectual property rights of Recharge are granted or implied hereby. For purposes of this Agreement, “Derivatives” shall mean: (a) for copyrightable or copyrighted material, any translation, abridgment, revision or other form in which an existing work may be recast, transformed or adapted; (b) for patentable or patented material, any improvement thereon; and (c) for material that is protected by trade secret, any new material derived from such existing trade secret material, including new material which may be protected under copyright, patent and/or trade secret laws.
- Recharge is not claiming any ownership rights to your bug submission. However, by providing the submission to Recharge, you hereby grant Recharge a non-exclusive, irrevocable, perpetual, royalty-free, worldwide, sub-licensable license to the intellectual property in your submission: (i) to use, review, assess, test, and otherwise analyze your submission; and (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your submission and all its content, in whole or in part.
- You represent and warrant that: (i) your submission is your own work and was created by you independently, without the assistance or involvement of any third party; and (ii) your submission does not infringe on any third party's intellectual property rights.
- You warrant that you have the legal right to provide the information in your Vulnerability Report and the right to submit the Vulnerability Report.
General Terms
- No Assignment. You shall not assign or transfer any rights or obligations under this Agreement without the prior written consent of Recharge. Any purported assignment or transfer of rights in violation of this Section is void.
- Injunctive Relief. A breach by you of this Agreement will cause irreparable and continuing damage to Recharge for which money damages are insufficient, and Recharge shall be entitled to injunctive relief and/or a decree for specific performance, and such other relief as may be proper (including money damages if appropriate).
- Indemnity. You agree to indemnify Recharge for any loss or damage suffered as a result of any breach of the terms of this Agreement, including any reasonable fees incurred by Recharge in the collection of such indemnity.
- Governing Law; Forum. This Agreement shall be governed in all respects by the laws of the State of California, USA. Each party irrevocably consents to the exclusive personal jurisdiction of the federal and state courts located in California, as applicable, for any matter arising out of or relating to this Agreement, except that in actions seeking to enforce any order or any judgment of such federal or state courts located in California, such personal jurisdiction shall be nonexclusive. Additionally, notwithstanding anything in the foregoing to the contrary, a claim for equitable relief arising out of or related to this Agreement may be brought in any court of competent jurisdiction.
- Severability. If a court of law holds any provision of this Agreement to be illegal, invalid or unenforceable, (a) that provision shall be deemed amended to achieve an economic effect that is as near as possible to that provided by the original provision and (b) the legality, validity and enforceability of the remaining provisions of this Agreement shall not be affected thereby.
- Waiver; Modification. If a party waives any term, provision or a party’s breach of this Agreement, such waiver shall not be effective unless it is in writing and signed by the party against whom such waiver is asserted. No waiver by a party of a breach of this Agreement by the other party shall constitute a waiver of any other or subsequent breach by such other party. This Agreement may be modified only if authorized representatives of both parties consent in writing.
- Entire Agreement. This Agreement and any documentation or instruction provided by Recharge to you (including through HackerOne) constitutes the entire Agreement and supersedes all prior or contemporaneous agreements concerning your vulnerability reporting.