Terms and conditions (T&C)

These General Terms and Conditions define the conditions which apply between Nybble, a simplified joint stock company with a share capital of 27,500 euros, whose head office is located at 1137A Avenue des Champs Blancs, 35510 Cesson Sévigné, registered in the Rennes trade and companies register, under the number 891 345 241 (the "Company") and any natural person registering on the Company's platform (the "User") accessible via the address: https://hub.nybble-analytics.io (the "Platform"). The Platform is designed to help organizations process their security alerts and offers two (2) different types of services: (i) Alert Processing, and (ii) Threat Bounty (together, the "Services") to which a company or organization may subscribe (the "Client").

A User can be either (i) a Client User, or (ii) a Nybbler (security analyst in common law). Certain specific stipulations of these T&Cs will apply either to a Client User or to a Nybbler and a User must refer to the stipulations that apply to them. All capitalized terms used herein have the meaning given to them in Appendix 1.

1.Prerequisites

1.1.Age requirement

Access to the Platform is prohibited for minors (below a certain age which may differ depending on the nationality of the User).

1.2.Code of conduct and compliant use of the Platform

Each User must (i) behave in a professional, respectful, and courteous manner when interacting with the Company and/or between Users, and (ii) not make inappropriate or derivative use of the Platform in relation to its purpose as described in these T&Cs. Any inappropriate or abusive behavior or any non-compliant use of the Platform by a User will not be tolerated by the Company. In such circumstances, the Company may, at its sole discretion, terminate a User's access and/or use of the Platform temporarily or permanently. The Company reserves the right to increase or lessen the severity of these measures and sanctions depending on the nature of the breach and without considering previous breaches.

2.User Status

2.1.Independence of the Nybblers

Nybblers are not employees, contractors, or agents of the Company, but independent third parties who wish to participate, on an occasional and non-exclusive basis, in the Processing of Customer Alerts and in Threat Bounty campaigns. No stipulation herein shall be interpreted as creating dependence or subordination, direct or indirect, with the Company or a Client.

2.2.Authority of Client Users

If access to the Platform is intended for the use of the Services on behalf of a Client, Users warrant that they have been duly appointed to represent the Client, and any action or omission of the Client User will be considered in the same way as if it were the acts and omissions of the Client himself. The Company reserves the right to request, at any time, additional documents attesting to the delegation of authority of the person authorized to represent the Client.

2.3.Conflict of interest.

The situation in which a Client User is also registered on the Platform as a Nybbler may lead to a conflict of interest. In such circumstances, the Nybbler agrees not to participate in the Client's Threat Bounty campaigns, unless the Client has been informed in advance and has expressly authorized the Nybbler to proceed. This situation also applies to the Alert Processing service.

3.Registration Process (Nybblers)

Note: the registration of Client Users is carried out by the Company at their request, but remains subject to acceptance of these same T&Cs.

3.1.Creating a User account

Users must provide certain information when completing the registration form available on the Platform. Users are responsible for updating their personal information and expressly acknowledge that the Company cannot be held responsible for any false declaration concerning their identity. If any information turns out to be false, incomplete, or obsolete, the Company reserves the right to refuse or cancel registration and/or interrupt access to the Platform.

3.2.Nybbler Wallet

Subject to providing the required information, the Nybbler will have a virtual Wallet on the Platform for the payment of their Rewards (Threat Bounty or Processing of Security Alerts). At the end of the month, a balance of this wallet is made via an invoice, provided that the Nybbler has previously accepted the invoicing mandate described in article 5.1.

4.Services

4.1.Role of users

4.1.1.Nybblers participating in a Threat Bounty campaign

When invited to a Threat Bounty campaign, Nybblers are free to decide whether they wish to participate and determine at their sole discretion the means to be implemented to find compromises (action called Threat Hunting), subject to the compliance with campaign rules and non-alteration of Client systems. When drafting the reports, the Nybbler acknowledges being tacitly bound by the rules of the Threat Bounty campaign set out by the Client without the need to expressly accept these rules. The Nybbler accepts that the rules of the Threat Bounty campaign have contractual value between him and the Client and cannot therefore contest the admissibility, opposability and/or enforceability of these rules.

4.1.2.Participation of Nybblers in the processing of security alerts

When they have the appropriate profile, Nybblers are free to decide if they wish to participate in the processing of alerts and determine at their sole discretion the means to implement to achieve this, subject to compliance with the rules of the Platform concerning this service.

4.1.3.Managing a campaign by Client users

Client Users who have the authority to represent and engage the Client in the management of the Services (the "Client Representative") designate the Client Users of their choice for the management of the Client's Threat Bounty campaign, including the Nybblers selection. The Customer Representative may define a role with specific access rights for each User based on their function and planned involvement. The Threat Bounty campaign is described by the Client User in the descriptive/dedicated sheet online on the Platform, in particular the scope, the configuration of public or private mode, access to the systems, eligibility, frequency, Rewards, etc. Once a Threat Bounty campaign is published and a Hunting Report is submitted by a Nybbler, the Client User can validate said report and reward the Nybbler as described in article 4.2.

4.1.4.Management of alerts by Client users

Client Users who have the authority to represent and engage the Client in the management of the Services (the "Customer Representative") designate the Client Users of their choice for the management of the processing of Client alerts. The Client Representative is responsible for the accuracy of the context information transmitted to the platform for the processing of the security alert by the Nybbler (known false positives, management rules, authorized or refused technologies, etc.). The Client User is free, at their convenience, to give an opinion (rated from 0 to 5) on all or part of their alerts processed by the Nybbler community, according to criteria defined in the Platform documentation.

4.2.Threat Hunting and its reports

4.2.1.Nybblers Scope

Nybblers do not need to consult the Client before carrying out the Threat Hunting and will act at their discretion to carry it out as long as they act within the rules of the Threat Bounty campaign defined by the Client. Nybblers understand and accept that Threat Hunting can only be carried out in compliance with the strict rules of the Threat Bounty campaign of the Client concerned and that failure to comply with these rules could result in their civil and/or criminal liability.

As such, Nybblers agree to the following:

  • Strictly limit their action to the perimeter defined in the Threat Bounty campaign concerned.
  • Comply with any data privacy policy set out in a Threat Bounty campaign.
  • Keep strictly confidential the Client's information to which they may have had access during Threat Hunting, including compromises and, where applicable, any Personal Data, (together the "Data"), which means that the Nybbler must:
  • Use the Data only for purposes strictly necessary for the proper execution of Threat Hunting
  • Do not communicate the Data to a third party in any manner or by any means (including oral, paper, digital).
  • Report any obvious anomaly to the Company if the Nybblers notice security vulnerabilities on the Platform as well as to the Client for any obvious anomaly observed during Threat Hunting
  • Do not use the Data for the development, production or marketing of a system that infringes the Client's rights, its activity and/or competes with it directly or indirectly.
  • Guarantee respect for the Client's Intellectual Property Rights, at all times and in particular, during the execution of Threat Hunting, including but not limited to the software used and operating licenses.
  • Do not participate in a private Threat Bounty campaign to which they have not been invited by a Client.

The Nybblers acknowledge and accept that the Company acts as an intermediary and does not intervene in any way in the relationship with the Client. If Nybblers have contact with Clients, they remain solely responsible for the content of their exchanges with the Client.

4.2.2.Customer User Participation

The Client User must carry out and maintain the backup of his data, files, media against destruction, loss, or alteration. He also guarantees the proper functioning of the system used during the Threat Bounty campaign. The Client User expressly acknowledges that he will not be consulted before Threat Hunting during the period defined in the Threat Bounty campaign. In other words, the Nybbler will search for compromises on the Client system during the period defined in the Threat Bounty campaign without consulting the Client User.

4.2.3.Collaboration between Nybblers and Client users

Client Users make good faith efforts to maintain timely and transparent communication with Nybblers and Nybblers make good faith efforts to clarify and substantiate Hunting Reports submitted at the request of Client Users.

The Client User will determine whether the compromises are valid and their level of severity. Nybblers who were the first to discover a valid compromise and who established a clear Hunting Report with a severity level consistent with the Threat Bounty campaign in question will be rewarded by the Client in the form of Rewards. The Company will not be responsible for any Rewards not paid to Nybblers.

As part of a Threat Bounty campaign, subject to compliance by the Nybbler with the rules set by the Client and the T&Cs, the Client User acknowledges that (i) the searches carried out by the Nybblers are authorized and carried out with the express consent of the Customer and under his sole responsibility; and (ii) the acts carried out by the Nybblers cannot be subject to criminal or civil prosecution.

4.3.Handling security alerts

4.3.1.Nybblers Scope

Nybblers do not need to consult the Client before carrying out the qualification of the alerts and will act at their discretion to carry it out as long as they act within the framework of the rules of the Platform. Nybblers understand and accept that the qualification of alerts can only be carried out in compliance with the strict rules of the Platform and that non-compliance with these rules could result in their civil and/or criminal liability.

As such, Nybblers agree to the following:

  • Strictly limit their action to the perimeter defined in the Threat Bounty campaign concerned.
  • Respect the level of confidentiality of the data present in the alert defined via the TLP/PAP markings present therein. In other words, the Nybbler must read the requested levels and select the tools/sites used during qualification so as not to disseminate the data outside the authorized scope via TLP/PAP markings.
  • Keep strictly confidential the Customer's information to which they may have had access during the qualification of the alert, including compromises and, where applicable, any Personal Data, (together the "Data"), which means that the Nybbler must:
  • Use the Data only for purposes strictly necessary for the proper execution of the alert qualification.
  • Do not communicate the Data to a third party in any manner or by any means (including oral, paper, digital).
  • Report any obvious anomaly to the Company if the Nybblers notice security vulnerabilities on the Platform as well as to the Client for any obvious anomaly noted during the alert qualification.
  • Do not use the Data for the development, production or marketing of a system that infringes the Client's rights, its activity and/or competes with it directly or indirectly.
  • Guarantee respect for the Client's Intellectual Property Rights, always and in particular, during the execution of the alert qualification, including but not limited to the software used and operating licenses.

4.3.2.Customer User Participation

The Client User must carry out and maintain the backup of his data, files, media against destruction, loss, or alteration. He is also responsible for the proper functioning of the system used when qualifying alerts. The Client User expressly acknowledges that he will not be consulted by the Nybbler during the qualification of alerts. The Client User is also responsible for the compliance and level of confidentiality of the information provided on the Platform (called "context information") which serves as an aid to the qualification of the alert by the Nybbler.

4.3.3.Collaboration between Nybblers and Client users

There is no collaboration between Nybblers and Client Users. Any communication or need for collaboration goes through the Nybble teams.

4.4.Security

4.4.1.Misuse of the Platform

Users must inform the Company without delay, by any means, of any error, defect, or irregularity that they notice when using the Platform, as soon as they become aware of it. The User must not attempt to modify the headers or attempt to manipulate the pages of the Platform in such a way as to disguise, hijack or modify the Platform. It is also prohibited to create a work or site derived from all or part of this Platform, or to resell or redistribute the Company's data.

4.4.2.Means of authentication

The username/password combination allowing Users to access their account is strictly personal and confidential. They therefore undertake to keep them secret and not to communicate them to third parties in any form whatsoever. The User acknowledges that any use of the Platform is under his or her full responsibility. Consequently, the User acknowledges that the actions carried out on his account are presumed to be carried out by him and will be invoiced to him, it being his responsibility to provide proof to the contrary. The Company reserves the right to suspend Users' access to their account in the event of proven compromise or in the event of suspicion of compromise of their means of authentication.

4.4.3.Technical means to access the Platform

It is up to Users to equip themselves appropriately, particularly in terms of computer and electronic communications, to access the Platform and associated Services and to take all appropriate measures to protect themselves, the Company and the systems tested against any attack or damage that could affect data, software or content stored on the Platform. The Company is not responsible for the depreciation of a User's computer media. Furthermore, the User acknowledges knowing and understanding the Internet and its limits and, in particular, its functional characteristics and technical performance, the risks of interruption, response times for consulting, querying or transferring information or the inherent risks to any data transfer. The Company is not responsible for the unavailability of networks that are not entirely under its direct control.

4.4.4.Responsibility of Nybblers

The Nybblers undertake not to hinder the proper functioning of the Platform in any way whatsoever, by transmitting any element likely to contain a virus or malicious program likely to damage or affect the Platform and/or the Services and, more broadly, the information system of the Company and one of its Clients or commercial partners. All costs and authorizations necessary to connect, access and use the Platform are and remain the sole responsibility of the Nybbler.

4.5.Availability of the Platform

4.5.1.Maintenance of the Platform

Except in cases of Force Majeure, the Company ensures, within the framework of an obligation of means, the availability and accessibility of the Platform. However, control and maintenance operations can be carried out at any time. The Company cannot be held responsible for the consequences resulting from this for the User.

4.6.Suspension / Termination

The Company reserves the right to temporarily suspend all or part of the Platform and the Users' account for reasons related to the security of the Platform and/or the Services, the security of the Users or a proven or presumed violation by the Users of any of their obligations hereunder. The Company also reserves the right to unilaterally terminate these T&Cs for serious and/or repeated breaches by a User of any of their obligations hereunder. This termination will take place automatically, without delay and without prejudice to any damages that the Company may seek.

A User may, at any time, without notice and without having to justify the reasons, deactivate their account. Deactivation of the User's account will result in the immediate termination of these T&Cs.

5.Financial conditions

5.1.Billing mandate

To enable the Company to invoice in their name and on their behalf the Rewards awarded to them, Nybblers expressly and unconditionally accept the terms of the Billing Mandate (Appendix 2). It is expressly agreed that the Billing Mandate must be duly completed and accepted by the Nybblers on their personal account. Otherwise, any operation initiated by the Nybblers will not give rise to payment.

5.2.Rewards for Threat Bounty

Nybblers will collect Rewards awarded by the Client User into their virtual Wallet account, at the discretion of the Client User and in accordance with the relevant Threat Bounty campaign. The Company will issue an invoice, in the name of the Nybblers, at the end of the month, with all the rewards obtained during the past month. Rewards are expressed in euros, including VAT.

5.3.Rewards for processing alerts

The Company will issue an invoice, in the name of the Nybblers, corresponding to the number of alerts processed in the past month, according to the commission currently in force in the Platform. The amount will be paid directly to the Nybbler via the payment method provided during registration. Rewards are expressed in euros, including VAT.

In case of rewards for Threat Bounty and alert processing, only 1 invoice will be issued, and 1 payment will be made.

5.4.Nybblers Status

Nybblers are informed that their activity on the Platform may be subject to affiliation with a specific legal status. Nybblers will therefore have to obtain information and complete the necessary formalities to acquire the legal status corresponding to their situation. Nybblers are also informed that income earned from their activity on the Platform is subject to various legal, social, accounting and tax obligations, depending on tax jurisdiction. Nybblers expressly acknowledge that it is their sole responsibility to inform themselves of these obligations and to comply with them. Nybblers will have to make all declarations required by the tax administrations and social security organizations to which they belong, depending on their status and their country of residence in and outside the European Union.

5.5.Obligations of the Company towards Nybblers

The Company cannot under any circumstances be involved in any of the above procedures and its liability cannot, under any circumstances and for any reason whatsoever, be sought under any of these legal, social, accounting and tax obligations. The Company's obligations are strictly limited to:

  • inform the Nybblers of the existence of these obligations which must be carried out by the Nybblers, at their own expense, and
  • provide them with a document summarizing all transactions carried out on the Platform.

6.Intellectual property

6.1.The platform's IPRs

The Company remains the exclusive owner of all IPR relating to the Platform and the Materials. For the purposes hereof, the term "Material" means all materials made available to the Customer by the Company (including, but not limited to, all accessible information, text, photos, images, sounds, data, databases, downloadable Threat Bounty reports, and software and other technology made available).

The User may under no circumstances store, reproduce, represent, modify, transmit, publish, adapt on any medium whatsoever, by any means whatsoever, or use in any manner whatsoever, the elements of the Platform and/or Materials without the prior written authorization of the Company.

Each party is and will remain the owner, as far as it is concerned, of its distinctive signs, namely brands, corporate and other names, trade names, trademarks, and domain names. The reproduction, imitation, or affixing, in whole or in part, of brands or designs belonging to the Company is strictly prohibited without its prior written consent.

The User must respect all notices relating to Intellectual Property Rights appearing on the Platform and/or the Materials and must not alter, delete, modify, or infringe them in any other way.

6.2.Assignment of IPR on Compromise Reports

The Nybbler undertakes to transfer, free of charge, its IPR on the Compromise Reports to the Client concerned for all countries where they are protected, in all languages, for the entire duration of the legal IPR of the authors or their successors, according to all applicable laws, current and future, including extensions that may be made to this duration and in all forms, presentations and by all current and future processes.

6.3.Nybbler IPR Guarantee on Compromise Reports

The Nybbler warrants being the sole and exclusive author of the entire Compromise Report. Consequently, to the fullest extent permitted by applicable law, the Nybbler will be held responsible, under the conditions provided for in the T&Cs, by the Client in the event of violation of this stipulation and in particular regarding the legislation on intellectual property rights or copyright infringement.

7.Confidentiality

Users have the obligation to keep confidential all information (i) to which they have access, (ii) brought to their attention, or (iii) which they possess within the framework of the Services, whether in oral or written form and whatever the medium, whether expressly indicated as confidential or not. Users undertake not to disclose or make available this information to any third party for any reason whatsoever and regardless of the legal and/or economic links that a User may have with this third party.

At the end of a Threat Bounty campaign, Nybblers will delete from their systems all Customer information and data of any kind, including Personal Data and Compromise Reports that they have created. The Nybblers will produce, at any time and at the Client's first request, any certificate attesting to the deletion of said information.

8.Personal data

To provide access to the Platform, the Company processes Users' Personal Data, in its capacity as Data Controller or Joint Data Controller with its payment service provider. Details of these processing operations are available in the Platform's Privacy Policy: https://docs.nybble-security.io/nybble-hub/privacy-policy

As part of the alert processing and Threat Bounty services, Nybblers may have access to Personal Data processed by the Client. The Nybblers will ensure the security and confidentiality of such Personal Data and will take all necessary technical and organizational measures to prevent destruction, loss, alteration, disclosure, or unauthorized access to Personal Data, whether accidental or illicit. Nybblers must not use or process this Personal Data and must comply with any data privacy policy set out in the Threat Bounty program (if applicable) or failing that, in the privacy policy.

A User can exercise their rights regarding personal data by writing to the following address: contact@nybble.bzh

9.Responsibility

9.1.Responsibility of the Company

The Company will under no circumstances be responsible for:

  1. The use or misuse of the Platform and/or Services by a User;
  2. Non-execution, failure, malfunction or unavailability of the Platform and/or Services resulting from the action or omission of a third party or User (with the exception of those responsible for the processing of Company data, where applicable);
  3. Failure of the Client User to fulfill its obligations (for example, inaccuracy, error, omission) in the definition and management of a Threat Bounty campaign or, in the context of the alert processing service, non-access to resources necessary to carry out the qualification (SIEM, EDR or other)
  4. Non-compliance with these T&Cs, violation of the rules of the Program or any other agreement by the Nybblers
  5. The suspension of access to the Platform and/or the Services under the conditions defined in article 4.6; and
  6. Incidents due to Internet use (e.g. loss of connectivity, etc.).

Any reputation, classification, or description of a Nybbler's skills within the Threat Bounty Service is for informational purposes only.

The Company supports the drafting of Threat Bounty campaigns and Compromise Reports and only intervenes, within the framework of a Threat Bounty campaign, as an intermediary to present Nybblers to Clients and the Client Users linked to them. The Company cannot therefore be held responsible for any damage caused by the failure of a Client, a User, or a Nybbler to fulfill its obligations, whether partially or totally.

The Company does not propose or make any modification/adaptation to the Compromise Reports. Accordingly, the Company assumes no responsibility for the contents of any Compromise Report, including, without limitation, (i) any errors or omissions, or (ii) any loss or damage of any nature whatsoever resulting from the use of a Compromise Report.

9.2.Responsibility of Nybblers

The Nybbler is responsible for all damages caused to the Company and/or other Users. The Nybbler undertakes to compensate the Company and/or the Users, in the event of a conviction for damages that the Company or the Users could incur due to non-compliance with these T&Cs or damage caused to others or to themselves. Any action taken outside the limits set either by a Threat Bounty campaign or by the Platform regarding the Alert Processing Service may result in civil and/or criminal liability.

9.3.Responsibility of Client Users (Threat Bounty)

The Client User is solely responsible for designating the Client's systems and must regularly review and maintain the list of systems excluded from the search scope. He is also solely responsible for the availability of the SIEM or EDR at the research source. The Client User is also responsible for whether to accept compromises submitted by Nybblers.

9.4.Responsibility of Client Users (Alert Processing)

The Client User is solely responsible for the quality and freshness of the context data present in the alerts displayed on the Platform. It is also solely responsible for the availability of the SIEM or EDR at the source of the alert and used by the Nybblers to process the alert.

10.Compliance

Users may not use the Services if they are subject to or are the target of economic or financial sanctions imposed, administered, or enforced by the United States government (including the Office of Foreign Assets Control of the Department of Commerce, United States Treasury or the United States Department of State), the European Union or one of its member states, the United Nations Security Council or the United Kingdom (including by the Office of Financial Sanctions Implementation of Her Majesty's Treasury).

11.Applicable law and competent jurisdiction

These T&Cs are governed by French law. If a dispute arises between a User and the Company and/or between Users in relation to the use of the Platform, each will endeavor to resolve any dispute amicably and, to that extent, to work in good faith with the Company to resolve the dispute to the satisfaction of all parties. Any dispute or claim arising from these T&Cs, their subject matter, or their formation (including any non-contractual dispute or claim) will be subject to the exclusive jurisdiction of the competent courts of Rennes, and the parties irrevocably submit to the exclusive jurisdiction of these courts for these purposes.

12.General provisions

12.1.Force Majeure

Neither party will be liable to the other for any delay or non-performance of its obligations under these T&Cs resulting from a Force Majeure event. The affected party must immediately notify the other party and endeavor to reduce the harmful effects resulting from this situation as much as possible. Each party will bear all costs incurred by it resulting from the occurrence of the Force Majeure event.

12.2.Survival

In the event of termination or early termination of these T&Cs for any reason whatsoever, or interruption or deletion of the Services, the Platform or a User account, any provision or condition of these T&Cs intended to survive such termination will survive and will not affect the validity of the rights and obligations set forth in the sections entitled "Personal Data", "Privacy", "Intellectual Property", "Liability", "Governing Law and Jurisdiction", as well as any other provision of these T&Cs which, by their nature or by virtue of specific provisions, extend beyond the end or expiration of these T&Cs.

12.3.Proof Convention

In the event of a dispute, Users and the Company agree that data such as clicks and double clicks, timestamp tokens and digitally certified dates, login data relating to actions performed from the account and electronic certificates and signatures transmitted are admissible in court and provide proof of the data and facts they contain as well as the signatures and authentication procedures they express.

The T&Cs may contain hypertext links to third party legal documents over which the Company has no control. The User acknowledges and accepts that the documents to which reference may be made through these links may be modified, amended and/or altered and that these modifications, amendments and/or alterations are enforceable against the User.

12.5.Notifications

Any notification required under the T&Cs, including any notification of a claim or event that may give rise to liability, must be made in writing, by registered letter with acknowledgment of receipt (LRAR), by email with acknowledgment of receipt or by any other means whose receipt can be proven to the address indicated in the User's account.

Appendix 1: Definitions

Security Alert

Refers to a notification produced by a monitoring tool or detection system. The alert occurs when an event that could reveal malicious activity or a security violation has been identified. Security alerts are typically generated following automated analysis of security events. Human intervention makes it possible to assess their seriousness and confirm whether they are malicious.

Threat Bounty Campaign

means the program created by Customer to invite Nybblers to search for Compromises on its systems, and which contains a full description of the terms, conditions and requirements to which Nybblers must consent, including the scope of searches authorized by Customer (designation of systems, eligibility, periodicity, exclusions, etc.) and the Rewards, if any, that the Customer grants to Nybblers who are invited and participate in this Program. The Client may choose to run the campaign (i) in private mode, where only Nybblers invited by the Client are informed of the existence of such a campaign and are entitled to participate in it ("Private Campaign"), or (ii) in public mode, where the Campaign is published on the Platform and any Nybbler meeting the conditions provided for by the Program can participate ("Public Campaign").

Compromise

Refers to any event or anomaly noted in the logs of the Client's monitoring tool. It is characterized by a severity, an impact, an exploited fault and can be the result of a single event or a cascade of events. The Nybbler will detail all these characteristics in a Compromise Report that the Client can review, validate, and reuse to correct this Compromise on the systems concerned.

Personal data

Personal Data, as well as the terms "Data Subject", "Processing", "Controller", "Subcontractor", "Recipient", and "Personal Data Violation" refer to the definitions in Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of Personal Data.

Intellectual Property Rights (IPR)

means all intellectual property rights, including but not limited to copyright, software rights, computer program rights, database rights, patent rights, invention rights, rights to trademarks, distinctive marks, design rights, commercial secrets and know-how, all other intellectual property rights registered or not, including all registrations (or right to register with any competent national or foreign office), renewals or extensions of these rights as well as all similar or equivalent rights or forms of protection existing or to come into existence anywhere in the world.

Force Majeure

means an event or circumstance beyond the reasonable control of the affected party, which could not reasonably have been foreseen when accepting the T&Cs and the effects of which cannot be avoided by appropriate measures, including, but not limited to, cases of natural disasters, fires, explosions, bad weather conditions, floods, earthquakes, acts of terrorism, riots, civil unrest, wars, hostilities, strikes, accidents, acts of government, lack of energy and supplier delays or shortages of transportation, facilities, fuel, energy, labor or materials.

Nybbler

designates an independent natural or legal person, computer security analyst who may act in a professional capacity or not depending on the context of the Services. As part of (i) the Threat Bounty Service, the Nybbler registers on the Platform and submits Compromise Reports for a Reward; and (ii) the Security Alert Processing Service, the Nybbler registers on the Platform and qualifies alerts on behalf of the Client for a Reward.

Compromise report

means the report(s) describing the compromise discovered and provided by a Nybbler and submitted to the Client on the Platform.

Rewards

means the sum of money granted to the Nybbler by the Client, as part of a Campaign, when the Nybbler reports a Compromise recognized as valid according to the rules of the Campaign on the Platform. For each Compromise, only the Nybbler who submitted the first valid report is rewarded.

Client User

means the Client's employee or any third party as designated by and representing the Client, who uses the Platform and the Services in the name and on behalf of the Client.

Wallet

designates a virtual monetary space without official value allowing the Rewards to be traced for each Nybbler. This is not a bank account.

Appendix 2: Invoicing mandate

For French Nybblers

In accordance with the provisions of article 289-I of the General Tax Code (CGI) and the extract from the Official Public Finance Bulletin (BOFIP) "VAT - Tax regimes and reporting and accounting obligations - Rules relating to establishment of invoices - Issuance of invoices", BOI-TVA-DECLA-30-20-10-20140113:

By checking the box "I have read and accept the conditions of this billing mandate", the Nybbler expressly mandates Nybble to invoice in his name and on his behalf the rewards due to him within the framework of the "Threat Bounty" and "Alert Processing" Services.

The Nybbler certifies on his honor that he has read and complies with the social, tax and accounting requirements imposed on him in France. Nybble cannot be held responsible in the event of Nybbler's failure to carry out this verification.

The agent (Nybble):

  • undertakes to archive or have archived in a secure manner this invoicing mandate in order to demonstrate its existence to the tax administration if it so requests.
  • undertakes to perform all acts necessary for the issuance and provision of invoices to the Nybbler in his personal account.
  • undertakes to archive or have archived in a secure manner electronic invoices and data contributing to the establishment of the invoice in such a way that the principal can access them as quickly as possible.

The principal (Nybbler):

  • undertakes to archive or have archived in a secure manner this invoicing mandate to demonstrate its existence to the tax administration if it so requests.
  • undertakes to archive or have securely archived its electronic invoices and data contributing to the establishment of the invoice.
  • undertakes to notify Nybble of information concerning its identification and those relating to the content of invoices issued in its name and on its behalf and undertakes to transmit the supporting documents as quickly as possible, electronically.
  • undertakes to bring to the attention of the agent, in the event of a dispute regarding an invoice, the information necessary for modification of the invoice, as quickly as possible.
  • undertakes to pay to the Public Treasury the tax mentioned on the invoices drawn up in its name and on its behalf.
  • undertakes to request as soon as possible the duplicate of an invoice if the latter has not reached him.
  • undertakes to accept any invoice that Nybble has issued in its name and on its behalf. This acceptance is materialized by clicking on the invoice when reading it. For evidentiary purposes, Nybble retains proof of the click and ensures its reliable timestamp during the invoice archiving period. The Nybbler acknowledges having a period of fourteen (14) days from reading the invoice to modify its content. After this period, without any action, the Nybbler acknowledges having accepted it fully.
  • acknowledges being fully responsible for the obligations and their consequences in terms of invoicing regarding VAT.
  • acknowledges that he cannot use Nybble's failure or delay in preparing invoices to avoid the obligation to declare the tax collected when it becomes due.
  • acknowledges that it remains liable for the VAT due, where applicable pursuant to 3 of article 283 of the CGI, when this is wrongly invoiced.

The invoice drawn up by Nybble expressly mentions:

  • That it is issued by Nybble in the name and on behalf of the Nybbler expressly identified.
  • The exchange rate applied for the conversion into the EUR currency.
  • Mandatory invoicing information such as the identity of the Nybbler, the invoice number, the date of the invoice, the period (month and year) concerned by the Alert Processing and/or Threat Bounty Services carried out, the identifications for value added tax (VAT), the legally applicable VAT rate, the date or deadline for payment and, where applicable, for Nybblers not subject to VAT, the mention "VAT not applicable - article 293 B of the CGI".
  • More specifically, for the Alert Processing service: the number of alerts processed and the current price of a processed alert. For Threat Bounty: program concerned, number of reports by severity and their associated Reward.

For non-French Nybblers

By checking the box "I have read and accept the conditions of this billing mandate", the Nybbler expressly mandates Nybble to invoice in his name and on his behalf the rewards due to him within the framework of the "Threat Bounty" and "Alert Processing" Services.

The Nybbler certifies on his honor that he has read and complies with the social, tax and accounting requirements imposed on him in France. Nybble cannot be held responsible in the event of Nybbler's failure to carry out this verification.

The agent (Nybble):

  • undertakes to archive or have archived in a secure manner this invoicing mandate in order to demonstrate its existence to the tax administration if it so requests.
  • undertakes to perform all acts necessary for the issuance and provision of invoices to the Nybbler in his personal account.
  • undertakes to archive or have archived in a secure manner electronic invoices and data contributing to the establishment of the invoice in such a way that the principal can access them as quickly as possible.

The principal (Nybbler):

  • undertakes to archive or have archived in a secure manner this invoicing mandate in order to demonstrate its existence to the tax administration if it so requests.
  • undertakes to archive or have securely archived its electronic invoices and data contributing to the establishment of the invoice.
  • undertakes to notify Nybble of information concerning its identification and those relating to the content of invoices issued in its name and on its behalf and undertakes to transmit the supporting documents as quickly as possible, electronically.
  • undertakes to bring to the attention of the agent, in the event of a dispute regarding an invoice, the information necessary for modification of the invoice, as quickly as possible.
  • undertakes to pay to the tax administration on which it depends the sums due to it in respect of the invoice.
  • undertakes to request as soon as possible the duplicate of an invoice if the latter has not reached him.
  • undertakes to accept any invoice that Nybble has issued in its name and on its behalf. This acceptance is materialized by clicking on the invoice when reading it. For evidentiary purposes, Nybble retains proof of the click and ensures its reliable timestamp during the invoice archiving period. The Nybbler acknowledges having a period of fourteen (14) days from reading the invoice to modify its content. After this period, without any action, the Nybbler acknowledges having accepted it fully.
  • acknowledges being fully responsible for the obligations and their consequences in terms of invoicing with regard to the amounts owed to the tax administration on which it depends.
  • acknowledges that he cannot use Nybble's failure or delay in preparing invoices to avoid the obligation to declare the sums due to the tax administration on which he depends when they become due.
  • recognizes that he remains liable for the sums owed to the tax administration on which he depends.

The invoice drawn up by Nybble expressly mentions:

  • That it is issued by Nybble in the name and on behalf of the Nybbler expressly identified.
  • The exchange rate applied for the conversion into the EUR currency.
  • Mandatory invoicing information such as the identity of the Nybbler, the invoice number, the date of the invoice, the period (month and year) concerned by the Alert Processing and/or Threat Bounty Services carried out, the payment date or deadline, where applicable, for Nybblers not subject to VAT if applicable.
  • More specifically, for the Alert Processing service: the number of alerts processed and the current price of a processed alert. For Threat Bounty: program concerned, number of reports by severity and their associated Reward.