Bug Bounty: Terms and Conditions

  1. Introduction

    The bug bounty program ("Program") permits independent security researchers to report discovered security issues, bugs or vulnerabilities in OrbitRemit ("Bug") for a chance to earn rewards in the amount determined solely by OrbitRemit for being the first one to discover a Bug, subject to compliance with eligibility and participation requirements ("Bounty").

    Before reporting a Bug, please review these Bug Bounty Program Terms and Conditions ("Terms"). These Terms are concluded between You and OrbitRemit ("OrbitRemit"). By submitting any Bug to OrbitRemit or otherwise participating in the Program, You agree to comply with these Terms. All matters not covered by these Terms shall be governed by the provisions of the Terms of Service. In case of any inconsistency or discrepancy between the Terms of Service and these Terms with regard to the Program, the Terms shall prevail.

    If You do not agree with these Terms, please do not send any Submission (as defined below) to OrbitRemit or otherwise participate in this Program. Your eligibility for a reward is based on the rules described in these Terms, and it remains entirely at OrbitRemit's discretion.

  2. Eligibility Requirements

    To be eligible to participate in the Program You shall comply with all of the following requirements:

1. You are at least 18 years of age;
2. You are an individual researcher participating in the Program in Your own capacity; if You work for an organization, it is Your responsibility to comply with Your employer's rules and policies that would affect Your eligibility to participate in the Program;
3. You are not, and have not been, involved in any part of the development, administration and/or execution of this Program;
4. You are not an employee or an external staff member of OrbitRemit or its affiliates;
5. You are not an immediate family member of an employee or an external staff member of OrbitRemit or its affiliates;
6. You act in compliance with all applicable national, state and local laws and regulations;
7. You are neither residing in a country that is on the trade or economic sanctions lists of New Zealand, Australia, the EU or the USA, nor a person subject to sanctions or restrictions imposed by New Zealand, Australia, the EU or the USA.

If you do not meet the eligibility requirements above or any other requirements in these Terms (including any submission-specific requirements set out in the following section); or you breach any of these Program Terms or any other agreements you have with OrbitRemit or its subsidiaries or affiliates; or we determine that your participation in the Program could adversely impact us, our affiliates or any of our customers, employees or agents, we may, in our sole discretion, remove you from the Program and disqualify you from receiving any benefit of the Bug Bounty Program.

  3. Submissions

    Bugs must be submitted to [email protected] and use "Bug Bounty Submission" in the subject line. The submission must contain the researcher's legal name as well as a thorough description of the Bug and supporting evidence as outlined below. By making any submission pursuant to the Program, you acknowledge that you are not guaranteed any Bounty or other compensation for the use of your Bug Bounty Submission.

    Within the body of the email, please provide the following information:

    • Describe in detail the nature of the Bug.
    • Detailed steps to reproduce the Bug with appropriate screenshots if applicable.
    • Estimated severity and/or impact of the issue, if any.
    • Pertinent applications, programs or tools used to discover the Vulnerability.
    • Date and time testing took place.
    • IP address at time of testing.

Failure to comply with the reporting requirements may reduce the amount of the Bounty. If the report does not contain enough information for OrbitRemit to reproduce and verify the Bug, no Bounty is paid.

Bugs must be new discoveries in order to be eligible for a Bounty. Bounties will be paid only to the first eligible researcher to submit a particular Bug. Multiple vulnerabilities caused by one underlying issue will be eligible for only one Bounty, except as determined otherwise by OrbitRemit in its sole discretion. You may earn Bounties for additional Bug Bounty Submissions an unlimited number of times, subject to the limitations in these Program Terms.

    We are not responsible for submissions that we do not receive regardless of the reason.

  4. Program Scope and Exclusions

    Bug Bounty Submissions pertaining to the following domains are deemed "in scope" and potentially eligible for payouts pursuant to the Program, subject to the additional requirements set forth in these Program Terms:

    • www.orbitremit.com
    • secure.orbitremit.com
    • api.orbitremit.com

    Bug Bounty Submissions relating to the following domains are deemed not "in scope" and are not eligible for payouts pursuant to the Program:

    • Any domain or subdomain not listed in the In Scope section is considered out of scope
    • All domains hosted by a third-party service provider like Zendesk
    • All staging/development environments unless explicitly mentioned in the In Scope section.
    • The following are explicitly prohibited:
      • Attempts to access private customer information
      • Any social engineering attempts (this includes phishing attacks against OrbitRemit employees)
      • Attempts to take over social media pages (Twitter, Facebook, LinkedIn, etc)
      • Any attempts to access the OrbitRemit offices or employee devices and endpoints or the testing of any physical security controls.
      • Any volumetric testing, denial of service or similar.

    Bug Bounty Submissions pertaining to the following issues are not eligible for payouts pursuant to the Program:

    • HTML injection and Self-XSS
    • Password complexity related vulnerabilities
    • Pre-authentication open redirects
    • Unchained open redirects
    • Missing cookie flags
    • SSL/TLS best practices
    • Mixed content warnings
    • Denial of Service attacks and Distributed Denial of Service attacks
    • Host header and banner grabbing issues
    • Clickjacking or UI Redressing attack with no sensitive actions
    • Cross-Origin Resource Sharing (CORS) without a specific, demonstrable impact
    • Missing CSRF token
    • Missing best practices in Content Security Policy
    • Missing security-related HTTP headers which do not lead directly to a vulnerability
    • Attacks requiring MITM or physical access to a user's device
    • Comma Separated Values (CSV) injection without demonstrating a vulnerability
    • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
    • Email/Username enumeration without a specific, demonstrable impact
    • Tabnabbing without a specific, demonstrable impact
    • Exposed configuration files without a specific, demonstrable impact
    • Reflected file download attacks
    • Incomplete or missing SPF/DKIM/DMARC records
    • Physical or social engineering attacks
    • Results of automated tools or scanners (such as Acunetix, Core Impact or Nessus)
    • Recently disclosed 0-day vulnerabilities – please give us two weeks to patch our systems before reporting these types of issues.
    • Login/logout/unauthenticated/low-impact CSRF
    • Presence of autocomplete attribute on web forms
• CVEs affecting outdated browsers or platforms
    • Using unreported vulnerabilities to find other bugs
    • Self-exploitation (i.e. password reset links or cookie reuse)
    • Use of a known-vulnerable library (without proof of exploitability)
    • Descriptive/verbose/unique error pages (without proof of exploitability)
    • HTTP 404 codes/pages or other HTTP non-200 codes/pages
    • Disclosure of known public files or directories, (e.g. robots.txt)
    • Any vulnerabilities requiring significant and unlikely interaction by the victim, such as disabling browser controls
    • Configuration issues in public websites without user information
    • OPTIONS / TRACE HTTP method enabled
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL Insecure cipher suites
• Missing Anti-MIME-Sniffing header (X-Content-Type-Options)
    • Login or Forgot Password page brute force and account lockout not enforced
    • Vulnerabilities involving stolen credentials or physical access to a device
    • Weak Captcha / Captcha Bypass
    • Content spoofing without embedding an external link or JavaScript
    • Infrastructure vulnerabilities, including:
      • Issues related to SSL certificates
      • DNS configuration issues
      • Server configuration issues (e.g. open ports, TLS versions, etc.)
    • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
    • Vulnerabilities found in third party services
    • Vulnerabilities for which there are existing, documented controls
    • Exposed credentials that are either no longer valid, or do not pose a risk to an in scope asset

The foregoing lists of ineligible submissions are not exhaustive, and nothing in them implies that a Bug Bounty Submission which, in OrbitRemit's sole discretion, fails to meet the express eligibility requirements of these Program Terms is eligible for a Bounty pursuant to the Program.

  5. Bounty Payments

    A Bounty to the Program participant is paid in proportion to the severity of the identified Bug. Only Bugs acknowledged by OrbitRemit are rewarded.

    You may be eligible to receive a Bounty payment if:

    1. You are the first person to submit a Bug;
    2. The Bug You've submitted is determined to be a valid security issue by OrbitRemit; and
    3. You have complied with all Program Terms.

    The amount of Bounty payment, if any, will be determined by OrbitRemit, in OrbitRemit's sole discretion, depending on the sensitivity of the data impacted, ease of exploit and overall risk to OrbitRemit services. The decisions made by OrbitRemit regarding the Bounty payment are final and binding.

    If OrbitRemit determines that Your Submission is eligible for a Bounty payment, OrbitRemit will notify You of the Bounty amount and will request You to provide certain information including identification to be able to process Your Bounty payment in compliance with applicable legal requirements.

    OrbitRemit will not be liable for the delay in payments due to inaccuracy of the provided data. OrbitRemit will not be able to process the payment until the requested information is provided by You. You may waive the Bounty payment if You do not wish to receive a Bounty or do not want to provide the requested information. You agree that OrbitRemit will process the provided information in order to make a Bounty payment under the Program in accordance with the Terms. OrbitRemit ensures the security of the data obtained through Your participation in the Program. The personal data shall be used to the extent it is required in order to implement the present Terms.

You will be responsible for any tax implications related to Bounty payments You receive, as determined by the laws of Your jurisdiction of residence or citizenship.

  6. Changes to the program and terms

    OrbitRemit may at its sole discretion change or cancel the Program at any time for any reason, without notice to You.

    OrbitRemit may at its sole discretion amend the Program Terms at any time by posting the amended version of Terms on www.orbitremit.com. By continuing to participate in the Program after OrbitRemit posts any such changes, You accept the Program Terms, as modified.

  7. Confidentiality

    Confidential Information must be kept confidential and only used in connection with the Program. You may not use, disclose or distribute any such Confidential Information, including without limitation any information regarding your Bug Bounty Submission without OrbitRemit's prior written consent.

    Information you receive or collect about OrbitRemit or its affiliates or employees through the Program, whether in oral, visual, written or electronic format, may be deemed proprietary and confidential ("Confidential Information"). For purposes of the Program, information and/or material shall be deemed "Confidential Information" if such information and/or material is otherwise not generally available to the public, or given the nature of the information or material, a reasonable person would consider such information and/or material "confidential" or "proprietary."

    Bugs or potential bugs you discover constitute "Confidential Information" and may not be disclosed publicly or to a third-party without our written permission, except that you may make high-level general descriptions of your relevant research available after the applicable bug or vulnerability is fixed. Disclosing Bugs or potential bugs, or any other content of a Bug Bounty Submission, in violation of the foregoing provisions will disqualify you from receiving a Bounty and from participating in the Program in the future.

  8. Your Personal Information

    Our collection and use of your information, including personal information, in connection with your use of the Program is subject to our Privacy Policy.

  9. Prohibited Conduct

    You must not knowingly or intentionally access or acquire the personal information of any OrbitRemit customer or employee. In the event it is determined you knowingly or intentionally accessed the personal information of any OrbitRemit customer or employee, you will become immediately ineligible to participate in this program. In the event you inadvertently access or acquire the personal or other sensitive information of any OrbitRemit customer or employee, you must immediately cease all activity and notify us.

    In connection with your participation in the Program, you agree that you will not:

    • Make any threats, attempts at harassment, coercion, or extortion of OrbitRemit employees or customers.
    • Do anything that violates applicable law.
    • Infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
    • Send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
    • Share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
    • Engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
    • Help others break these rules.

  10. Safe Harbour

    Activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you for research and vulnerability disclosure activities conducted in accordance with these Program Terms, or for accidental violations committed in a good-faith attempt to comply with these Program Terms. If legal action is initiated by a third party against you in connection with activities validly conducted under these Program Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with these Program Terms. You are required, at all times, to comply with all applicable laws and not to disrupt any systems or data beyond activities expressly authorized by these Program Terms.

    Please note, however, that we cannot bind third parties with these safe harbour provisions, and if your security research involves systems, networks, products, or services of a third party, that party could pursue legal action against you. We do not authorize research activities in the name of any other entities, and we do not offer to defend, indemnify, or otherwise protect against any third-party actions based on such activities.

    If you submit a Bug Bounty Submission that affects or relates to a service provided by a third party, we may share non-identifying content from your Bug Bounty Submission with the affected third party, provided that before doing so, we will obtain confirmation from the third party that the third party will not initiate legal action against you based on the contents of your Bug Bounty Submission. We reserve the right to determine in our sole discretion whether any conduct violates these Program Terms and whether any violations were accidental. If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please email us at [email protected] with your questions.

  11. No Warranties

    ORBITREMIT AND OUR RESELLERS, DISTRIBUTORS, AGENTS, AND AFFILIATES MAKE NO WARRANTIES, EXPRESS OR IMPLIED, OR GUARANTEES WITH RESPECT TO THE PROGRAM. YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER APPLICABLE LOCAL LAW, WE EXCLUDE ALL IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW LIMITING THE FOREGOING EXCLUSIONS. NOTHING IN THESE PROGRAM TERMS IS INTENDED TO AFFECT THOSE RIGHTS TO THE EXTENT APPLICABLE.

  12. Indemnification

    YOU SHALL INDEMNIFY AND HOLD ORBITREMIT AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, AGENTS, AND EMPLOYEES, HARMLESS FROM ALL CLAIMS, ACTIONS, PROCEEDINGS, DEMANDS, DAMAGES, LOSSES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES), INCURRED IN CONNECTION WITH ANY MATERIALS SUBMITTED, POSTED, TRANSMITTED OR MADE AVAILABLE BY YOU THROUGH PARTICIPATION IN THE PROGRAM (INCLUDING ANY BUG BOUNTY SUBMISSIONS YOU MAKE) AND/OR ANY VIOLATION BY YOU OF THESE PROGRAM TERMS, THE RIGHTS OF ANY THIRD PARTY, OR ANY APPLICABLE LAW OR REGULATION. This provision does not require you to indemnify OrbitRemit for any unconscionable commercial practice by OrbitRemit or for OrbitRemit's fraud, deception, false promise, misrepresentation or concealment, suppression or omission of any material fact in connection with the Program.

  13. Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL ORBITREMIT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY OR OTHER DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, ANY DAMAGES THAT RESULT FROM (I) YOUR USE OF OR YOUR INABILITY TO USE THIS WEBSITE, APP OR THE SERVICE, (II) THE COST OF PROCUREMENT OF SUBSTITUTE GOODS, DATA, INFORMATION OR SERVICES, (III) ERRORS, MISTAKES, OR INACCURACIES IN THE MATERIALS ON THE WEBSITE, OR (IV) ANY ERRORS OR OMISSIONS IN ANY MATERIAL ON THE WEBSITE, OR ANY OTHER LOSS OR DAMAGE OF ANY KIND ARISING FROM OR RELATING TO YOUR USE OF THE WEBSITE. THESE LIMITATIONS SHALL APPLY EVEN IF ORBITREMIT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, ORBITREMIT'S LIABILITY TO YOU FOR ANY DAMAGES ARISING FROM OR RELATED TO THESE PROGRAM TERMS (FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION), WILL AT ALL TIMES BE LIMITED TO THE GREATER OF (A) ONE HUNDRED DOLLARS ($100) OR (B) THE AGGREGATE AMOUNT OF ANY BOUNTIES YOU HAVE RECEIVED PURSUANT TO THE PROGRAM IN THE PRIOR 12 MONTHS (IF ANY). THE FOREGOING LIMITATIONS SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW IN THE APPLICABLE JURISDICTION.

New Zealand: OrbitRemit is supervised by the Department of Internal Affairs (DIA) as a money remitter. OrbitRemit is listed as a reporting entity with Company Number: 2174112 and NZBN: 9429032555066| Financial Service Providers Registration: FSP7721

1/182 Vivian Street, Te Aro, Wellington, 6011, New Zealand

Australia: OrbitRemit is regulated by the Australian Securities and Investments Commission (ASIC) and registered with the Financial Intelligence Unit (AUSTRAC) as a money remitter. Australian Financial Services Licence (AFSL) number: 470646, AUSTRAC registration number: 100439420

20-40 Meagher Street, Chippendale, NSW, 2008, Australia

© Copyright 2008 - 2024 OrbitRemit Limited