CODE OF CONDUCT


The ntrustlabs Code of Conduct outlines the behaviour required of all ntrustlabs community members participating in crowdsourced security programs, ntrustlabs online community offerings such as the ntrustlabs Community Forum and the IRC channel #ntrustlabs, the ntrustlabs Researcher Slack channel, Bug Matches, as well as any other programs that may be offered by ntrustlabs.

This Code of Conduct applies to all interactions you have with ntrustlabs team members, customers, and researchers. The ntrustlabs community is intended for everyone, from all walks of life, and following this Code of Conduct will help ensure that we have a safe and welcoming place for all. Please read through this information to understand the required behaviour of all ntrustlabs participants. We look forward to having you in our community.

WHAT WE REQUIRE

  1. Be Kind.
  2. Be Respectful and Professional in your communications and behaviour.
  3. Be Helpful and help us all improve ourselves. We do this through honest and insightful discussion with our peers and partners.
  4. Be prompt in reporting vulnerabilities you have identified.
  5. Be Ethical. Don’t intentionally mislead customers or ntrustlabs. It is your job to try to break technology and to find business logic flaws, but when you find a weakness it is also your job to report it so it can be fixed – not to exploit it.
  6. Disclosure Guidelines: Don’t share confidential vulnerability or customer information. Private program customers are private, and no submitted vulnerability (including duplicates, Out of Scope, Not Applicable, etc.) may be disclosed without explicit customer permission. Please read each Bounty guide for specific program disclosure policies, which supersede (overrule) this policy. We expect everyone to use the proper channels to disclose or communicate about vulnerability submissions. Email us at support if you have any questions about disclosure.
  7. If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating the vulnerability; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information. In the event you access PII or other sensitive data, please note that you are required to follow all laws and regulations applicable to the access and processing of such personally identifiable information and/or data, such as the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020 once it becomes effective, and the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679), including the European Commission’s Standard Contractual Clauses regarding the transfer of personal data to processors.
  8. Read and abide by ntrustlabs’s Standard Disclosure Terms and each program’s Bounty guide. We expect you to follow any guidelines and rules that a particular crowdsourced security program or company may have regarding scope of testing and disclosure.
  9. Report bad behaviour. As a member of this community you have the ability to impact the quality and reputation of the Crowd. If you see something that violates our guidelines, please notify our operations team immediately at support.

PROHIBITED BEHAVIOR

  1. Unauthorized Disclosure: Disclosing vulnerability information without explicit approval (see individual bounty guides for expectations) is prohibited.
  2. Program Disclosure: Disclosing any information about private bounties including customer names or dates of programs is strictly forbidden.
  3. Unprofessional Conduct, including but not limited to any of the following, is forbidden:
  • Aggressive language aimed at any ntrustlabs team member or customer at any time.
  • Attempt to abuse or game any reward system in place with ntrustlabs or programs run on ntrustlabs.
  • Disruptive testing which affects other Researchers’ access to the testing environment, or adversely impacts a customer’s systems and/or accounts.
  • Engaging in extortion.
  • Interacting with or accessing any accounts and systems without the explicit permission of the account holder.
  4. Out of Scope testing: Intentional testing outside the specified program guide, and/or not following the program bounty guide instructions, is forbidden. If you want to alert ntrustlabs to an Out of Scope vulnerability, please reach out to support.
  5. Creating placeholder submissions that are used to “squat” on findings (e.g. reports that are rapidly submitted with a vague title and no detailed replication steps in the initial report, etc.); all valid findings must be submitted with a full description, proof of concept, and complete replication steps in the original report. In cases where the initial report is lacking a description, proof of concept, and replication steps, those reports will be closed, and must be re-submitted with the required information to be considered for the program. Please always submit complete, fully populated, and articulate reports.
  • This rule is intended to prevent scenarios where researchers rapidly submit reports with vague titles and/or vague details to “squat” on any potential reward.
  6. Harassment, including but not limited to the following, is unacceptable and prohibited:
  • Offensive user-generated or submitted content (for example, related to gender, sexual orientation, race, religion, disability, etc.), including offensive user names.
  • Use of nudity and/or sexual images (including presentation slides).
  • Abusive or threatening language.
  • Deliberate intimidation, stalking or following including seeking out uninvited personal contact with ntrustlabs employees or customers via personal phone or email, harassing materials, photography or recording.
  • Inappropriate physical contact (at any ntrustlabs or industry events), and/or unwelcome sexual attention.
  • Making unjustified accusations against other user(s).
  • Personal attacks, including hurtful, insulting or hostile comments.

CONSEQUENCES

Violations of this Code of Conduct, the Standard Disclosure Terms, or customer program guides can result in a warning and/or removal of access to elements of the ntrustlabs platform on a temporary or permanent basis, depending on the severity of the violation. In some instances, an offender will be removed from ntrustlabs bounties or from the ntrustlabs community entirely. All policy enforcement and eligibility decisions are made entirely at the discretion of ntrustlabs. Decisions are final and considered private matters between ntrustlabs’s team members and the individual(s) involved. If you have any questions about a recent action taken on your account, please contact ntrustlabs Support for details.

TERMS & CONDITIONS AND STANDARD DISCLOSURE POLICY

We have a Terms and Conditions document describing your (and our) behaviour and rights related to content, privacy, and laws. To participate in ntrustlabs programs and offerings you must agree to abide by our Terms and Conditions and the Standard Disclosure Terms.

REVISION HISTORY: Version 1.0 Released on 1st September 2021