Oyster Responsible Disclosure Program Terms
Revised July 26, 2024
Table of Contents
- Oyster Responsible Disclosure Program Terms
- Program Overview
- Program Scope
- Good Faith Violations
- Eligibility
- Submission Process
- Submission License
- Submission Review Process and Payment Information
- Confidentiality Obligations
- Privacy
- Excluded Submission Types (and Testing Methods)
- Code of Conduct
- No Warranties
- Limitation of Liability
- Choice of Law and Place to Resolve Disputes
- Miscellaneous
These Responsible Disclosure Program Terms and Conditions (“RDP Terms”) govern your participation in Oyster HR, Inc.’s (“Oyster”) Responsible Disclosure Program (“Program”). The RDP Terms incorporate by reference the Oyster Website Terms of Use and Website Visitor Privacy Notice. The RDP Terms are between you and Oyster. By reporting any Vulnerabilities to Oyster or otherwise participating in the Program in any manner, you accept these RDP Terms.
Program Overview
The Program allows users to submit security vulnerabilities and exploitation techniques (“Vulnerability” or “Vulnerabilities”) to Oyster related to eligible Oyster systems and services for a chance to earn rewards in an amount determined by Oyster in its sole discretion (each reward, a “Bounty”). Oyster uses the following as a guide to determine the amount of any Bounty payments, if any and where applicable:
- Low Risk: Vulnerabilities that do not functionally alter normal systems behavior but may aid or enable further attacks against the system under other circumstances are eligible for a Bounty between $250 and $750 USD as determined by Oyster in its sole discretion.
- Medium Risk: Vulnerabilities that could have a material adverse effect on organizational operations, organizational assets, or individuals are eligible for a Bounty between $750 and $1,500 USD as determined by Oyster in its sole discretion.
- High Risk: Vulnerabilities that could have a severe adverse effect on organizational operations, organizational assets, or individuals are eligible for a Bounty between $1,500 and $3,000 USD as determined by Oyster in its sole discretion.
- Critical Risk: Vulnerabilities that are expected to have a very high threat to Oyster or Oyster Customer data and could allow a bad actor to compromise the Oyster environment, causing a catastrophic adverse impact on Oyster’s operations, assets, employees, or customers are eligible for a Bounty between $3,000 and $7,500 USD as determined by Oyster in its sole discretion.
Oyster reserves the right, in its sole discretion, to determine the risk level of any Vulnerability and to determine the amount of any Bounty (if any).
Reports that identify potential vulnerabilities or security concerns but do not meet the criteria for a functional or exploitable security vulnerability are categorized as "Informational Only." These submissions do not materially impact the security or integrity of Oyster systems, services, or data and may include observations such as best practice recommendations, configuration suggestions, vulnerabilities that are otherwise mitigated by other existing controls, or reports of issues that cannot be reproduced. Reports categorized as "Informational Only" are not eligible for a Bounty payment. Oyster reserves the right to determine whether a submission qualifies as "Informational Only" in its sole discretion.
Oyster may change or cancel the Program at any time, for any reason. Your participation in the Program after any such change means that you agree to the updated RDP Terms.
If you do not agree to such updated RDP Terms, you cannot participate in the Program.
Program Scope
Only the following Oyster systems and services (“Targets”) are subject to the RDP Terms and eligible for research, testing, and submissions:
- *.oysterhr.com
except the following subdomains, which are registered to Oyster but hosted by a third party:
- trust.oysterhr.com
- support.oysterhr.com
If you aren’t sure whether a particular Oyster system or service is included in the Program, or if you believe another system or service should be included, please contact us at infosec@oysterhr.com before starting any research or testing.
Good Faith Violations
We will not pursue civil or criminal action, or send notice to law enforcement, for accidental or good faith violations of the RDP Terms. We consider security research activities consistent with the RDP Terms to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the Targets.
Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party that is not owned and operated by Oyster, we cannot bind that third party to these RDP Terms, and they may pursue legal action against you or report you to law enforcement. We cannot and do not authorize security research in the name of other entities and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions.
You are expected, as always, to comply with all applicable laws and not to disrupt or compromise any data beyond what the Program permits.
Please contact us at infosec@oysterhr.com before engaging in conduct that may be inconsistent with or unaddressed by the RDP Terms. We reserve the sole right to make the determination of whether a violation of the RDP Terms is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision.
Eligibility
To participate in the Program, you must meet all the following criteria:
- You are 18 years of age or older and have reached the age of majority in your jurisdiction of primary residence and citizenship; and
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.
If you are a public sector employee (government and education), any Bounty payment must be awarded directly to your public sector organization and is subject to receipt of a gift letter signed by your organization's ethics officer, attorney, or designated executive/officer responsible for your organization's gifts and/or ethics policy, whichever is applicable, or both. We seek to ensure that by offering Bounties under this Program, it does not create any violation of the letter or spirit of a participant's applicable gifts and ethics rules. If this applies to you, please let us know by emailing us at infosec@oysterhr.com before submitting a Vulnerability.
You ARE NOT eligible to participate in the Program if you meet any of the following criteria:
- You are a resident of any countries under U.S. sanctions or any other country that does not allow participation in this type of program;
- You are an individual or an individual employed by or associated with an entity identified on the U.S. Department of Commerce’s Denied Persons or Entity List, the U.S. Department of Treasury’s Specially Designated Nationals and Blocked Persons List, or the Department of State’s Debarred Parties List;
- You are under the age of 18;
- Your organization does not allow you to participate in these types of programs;
- You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;
- You are currently an Oyster Staff Member, Contractor, Vendor, or Partner or an immediate family member (parent, sibling, spouse, or child) or household member of such Staff Member, Contractor, Vendor, or Partner; or
- Within the six months before providing your submission, you were an Oyster Staff Member, Contractor, Vendor, or Partner.
It is your responsibility to comply with any of your employer’s policies that may affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. All Bounty payments will be made—if at all, in Oyster’s sole discretion—in compliance with local laws, regulations, ethics rules, and internal Oyster policies including but not limited to our status as a public benefit corporation. Oyster disclaims all liability or responsibility for disputes arising between an employee and their employer related to this matter.
There may be additional restrictions on your ability to participate in the Program depending upon your local law. It is your responsibility to comply with local law.
Submission Process
If you believe you have identified a Vulnerability that meets the requirements in these RDP Terms, you may submit it as follows:
Each Vulnerability submitted to Oyster (a "Submission") must be submitted using the Oyster Vulnerability Submission form, available at https://www.oysterhr.com/trust/rdp-program. You must include the following information to be eligible for a Bounty:
- Your Name
- Your Email Address
- The Risk Level of the Vulnerability
- A Description of the Vulnerability
- The Vulnerability Category, selected from the following list:
  - Authentication/Session Management
  - Authorization/Permissions
  - Brute Force
  - Content Injection
  - Cross-Site Request Forgery
  - Cross-Site Scripting
  - Cryptography
  - Functional/Business Logic
  - Information Disclosure
  - Insufficient Transport Layer Protection/SSL
  - Remote Execution
  - Server/Application Misconfiguration
  - Other
- The Location of the Vulnerability
- Steps on how to validate or reproduce the Vulnerability
- The Impact of the Vulnerability
- Any other relevant information
If you do not provide all the information above, you may not be eligible for a Bounty. You also acknowledge that providing all the information above does not guarantee that you will receive a Bounty. Oyster will choose, in its sole discretion, whether to award you a Bounty. But please note that the more detailed and accurate information you provide, the more likely it is that Oyster will be able to confirm your submission and, as a result, award you a Bounty.
Oyster is not responsible for Submissions that we do not receive for any reason.
Submission License
Oyster does not claim any ownership rights to your Submission. But by providing any Submission to Oyster, you:
- grant Oyster a non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission to: (i) use, review, assess, test, and otherwise analyze your Submission; (ii) reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
- agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
- understand and acknowledge that Oyster may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
- understand that you are not guaranteed any compensation or credit for use of your Submission;
- acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against Oyster related to your Submission; and
- represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Oyster.
Your right to receive payment for any Bounty is subject to your compliance with the obligations set forth in this section, including but not limited to your agreement to sign any document required by Oyster in connection with your identification of an eligible Vulnerability.
Submission Review Process and Payment Information
After Oyster receives your Submission, we will preliminarily review the Submission and validate its eligibility. This includes but is not limited to determining (a) whether the information submitted is complete and relevant to the Target systems and (b) whether Oyster has already received a report of the same or a similar Vulnerability, either through the Program or from another source. Following preliminary eligibility analysis, if eligible, Oyster will conduct a reproducibility test and severity assessment.
The review times for these stages will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive. Oyster retains sole discretion in determining which Submissions qualify for and merit a Bounty. Whether your submission is accepted or rejected during these review stages, you will be notified of our decision via email at the address provided. If your submission is accepted and you are awarded a Bounty, you will be asked to provide identification and payment-related information, including:
- A W8 or W9 Tax Document
- An Invoice for your Services, including:
  - Name
  - Invoice Number
  - Payment Information
  - Services Rendered (e.g. "Security Disclosure Reward")
  - Total Amount Owed (based on risk level)
If you do not complete and send us the required forms as instructed, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation. If you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).
Please note that Bounty payments will not be made until after the Vulnerability is closed by Oyster’s Information Security team. At this time, Oyster will confirm the appropriate risk level, notify you of the status, and may ask you to resubmit your invoice for the verified risk level, if applicable. All decisions regarding the payment of Bounties are final and binding.
Oyster, at our sole discretion, may publicly or internally recognize individuals who have been awarded a Bounty. We may choose to recognize you on our website or elsewhere unless you ask us not to include your name.
Confidentiality Obligations
As part of your research and participation in the Program, you may have accessed Confidential Information in the Target systems. For purposes of these RDP Terms, "Confidential Information" means all non-public information, data, or material of Oyster, Oyster’s Employees, or Oyster’s Customers, in any form, to which you may have gained access before, during, or after identifying the Vulnerability, including but not limited to intellectual property, employee information, and/or methods for doing business.
You agree:
- not to disclose, directly or indirectly, any Confidential Information to any third party without Oyster’s prior written consent;
- to use the same degree of care you would use to protect your own Confidential Information, but not less than a reasonable degree of care, to prevent the unauthorized disclosure, dissemination, or publication of the Confidential Information;
- that if you are required by applicable law or legal process to disclose any Confidential Information, you must, before making such disclosure, use commercially reasonable efforts to notify us of such requirements, to afford us the opportunity to seek, at our sole cost and expense, a protective order or other remedy;
- to immediately destroy all Confidential Information currently in your possession or under your control, unless such information is necessary as part of your Submission, in which case you will destroy all such Confidential Information immediately following your Submission; and
- that any breach of your confidentiality obligations may cause injury to Oyster for which money damages might not be a sufficient remedy and that, in addition to remedies at law, Oyster is entitled to seek equitable relief as a remedy for any such breach.
Privacy
See the Oyster Website Visitor Privacy Notice for disclosures relating to the collection and use of your information in connection with the Program.
Excluded Submission Types (and Testing Methods)
Some Submission types are excluded, primarily because they are dangerous to assess or because they have low security impact to Oyster. The following Submission types (and testing methods) are excluded from the scope of the RDP Terms and the Program:
- Findings derived primarily from social engineering (e.g., phishing, vishing);
- Findings derived primarily from any other non-technical vulnerability testing;
- Findings from systems, services, websites, or applications not listed as Targets in these RDP Terms;
- Functional, UI and UX bugs and spelling mistakes;
- Network level Denial of Service (DoS/DDoS) Vulnerabilities; and
- Findings derived from tests that impair access to (or damage) a Target.
Code of Conduct
By participating in the Program, you will follow these rules:
- Don’t do anything illegal.
- Don’t compromise the integrity, availability, or confidentiality of non-public information in Oyster’s possession.
- Don’t use an exploit to compromise or exfiltrate data, establish persistent access, or use the exploit to pivot to other systems.
- Don’t publicly disclose any (potential or confirmed) Vulnerability without Oyster’s express written consent.
- Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
- Don't share inappropriate content or material (involving, for example, nudity, pornography, graphic violence, or criminal activity).
- Don't engage in activity that is false or misleading.
- Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, or advocating violence against others).
- Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
- Don't help others break these rules.
- Don’t submit a high volume of low-quality or low-risk Submissions.
- Do notify us as soon as possible after you discover a (potential) Vulnerability.
- Do make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Do use exploits only to the extent necessary to confirm a Vulnerability’s presence.
If you violate these RDP Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed ineligible for Bounty payments.
No Warranties
OYSTER, AND OUR AFFILIATES, SUBSIDIARIES, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE RDP TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
Limitation of Liability
If you have any basis for recovering damages in connection with the Program (including breach of these RDP Terms), you agree that your exclusive remedy is to recover, from Oyster, direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive damages. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses, or fails in its essential purpose, or if Oyster knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these RDP Terms and the Program.
Choice of Law and Place to Resolve Disputes
You agree that you and Oyster will attempt to resolve any disputed matters in good faith. If any such attempts to resolve a dispute are unsuccessful, you agree:
- that any dispute, claim, or controversy arising out of or relating to the Program will be governed by, and construed in accordance with, the substantive law of the State of New York;
- to irrevocably submit to the sole and exclusive jurisdiction of the courts of New York State and the Federal courts of the Southern District of New York, situated in the City, County and State of New York;
- to irrevocably consent to the exercise of personal jurisdiction by such courts and waive any right to plead, claim or allege that New York is an inconvenient forum, venue, or jurisdiction; and
- to irrevocably consent that the Commercial Division, New York State Supreme Court’s accelerated procedures will apply. The United Nations Convention on Contracts for the International Sale of Goods does not apply to this Agreement.
Miscellaneous
These RDP Terms (including Oyster’s Website Terms of Use and Website Visitor Privacy Notice, which these RDP Terms incorporate by reference) are the entire agreement between you and Oyster for your participation in the Program. These RDP Terms supersede any prior agreements between you and Oyster regarding your participation in the Program. All parts of these RDP Terms apply to the maximum extent permitted by relevant law. If a court holds that we can't enforce a part of these RDP Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these RDP Terms won't change.